oss-sec mailing list archives

Re: CVE Request - SWI-Prolog / pl (X < 6.2.5): Multiple (stack-based) buffer overflows in patch canonisation code and when expanding file-names with long paths

From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 03 Jan 2013 11:38:39 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/03/2013 08:32 AM, Jan Lieskovsky wrote:

Hello Kurt, Steve, vendors,

SWI-Prolog upstream has released [2] 6.2.5 / 6.3.7 versions, 
correcting the following two security flaws:

* Issue #1 (from [2]): ======================= * FIXED: Possible
buffer overrun in patch canonisation code. Pushes pointers on an
automatic array without checking for overflow.  Can be used for DoS
attacks. Will be extremely hard to make it execute arbitrary code.

Relevant upstream patch: [1]
http://www.swi-prolog.org/git/pl.git/commitdiff/a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c

 References: [2]
https://lists.iai.uni-bonn.de/pipermail/swi-prolog/2012/009428.html

[3] https://bugzilla.redhat.com/show_bug.cgi?id=891577

Please use CVE-2012-6089  for this issue.

* Issue #2 - from [2]: ====================== * SECURITY: Possible
buffer overflows when expanding file-names with long paths.
Affects expand_file_name/2.  Can lead to crashes (DoS attacks) and
possibly execution of arbitrary code if an attacker can control the
names of the files searched for, e.g., if expand_file_name/2 is
used in a directory to which an attacker can upload files for which
he can control the name.

Relevant upstream patch: [4]
http://www.swi-prolog.org/git/pl.git/commitdiff/b2c88972e7515ada025e97e7d3ce3e34f81cf33e

 References: [5]
https://lists.iai.uni-bonn.de/pipermail/swi-prolog/2012/009428.html

[6] https://bugzilla.redhat.com/show_bug.cgi?id=891577

Please use CVE-2012-6090 for this issue.

Could you allocate CVE ids for these? (iilc two should be enough)


Done, thanks!


Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ5dAvAAoJEBYNRVNeJnmTsLkP/RuQEHZexgB64pBN/plCIZ4f
Es0joWv/R1U2t+n/6h/8+PsDxUGiH7i7Nf9ifUY03Mu5jMooyZxf70SGE5zSA7R/
cq4u07HkQSCnQnu0mFNxORue4+Yh2Wz526J232pvELSgUnKQcuS/CeCD15RB35ee
kmxmzfOLyGB+C7DjjmUksN5NGREXwO9u2ptR5Yb6BmYQVBtwW440Pf0cxtnIngn7
zOQBcWabE5Kh5jpImnyw1d9j3xs6SYPPwJxL8l9/SYsCTrU6y6wP6ObMmIJ6Zqel
wDCKQ7skw/EY8vWZOnBoJWH85qwkkwkM7xmpPQpLJepuIWTduaLPOCxeuWktDT++
//lcAOaiHnGxbTUz+hQmo92gOgzWklo5ee8sWctXftROnRB0pYTnrdj7mRGuBw++
/0dyy2P0SYZS5X3X3WZW0Rtwu2hvaXsmtXSGJkvD96JKQ/awQokj4xqoSqt3WtZA
H1MLNHmQF7VVxG3jXGpLx3t19v6DqtmRSoAj+NFDtP42/c9PEEKWdGQCT90hMeml
X9L8QTFlazTtAqbzsU9il3hpJ0kUPu5LX0/cii1SH6EIUuZoT8xHpfm1l8oMzYgv
ZoHnjf6Z5yg6Vkv71j4AU5AmObA9DRBzu7TU7K8JY4NC9PhrRfz8Vv0ZFnGCjmID
ByjwBKjHYV92HEylaVw5
=d2im
-----END PGP SIGNATURE-----

Current thread:

CVE Request - SWI-Prolog / pl (X < 6.2.5): Multiple (stack-based) buffer overflows in patch canonisation code and when expanding file-names with long paths Jan Lieskovsky (Jan 03)
- Re: CVE Request - SWI-Prolog / pl (X < 6.2.5): Multiple (stack-based) buffer overflows in patch canonisation code and when expanding file-names with long paths Kurt Seifried (Jan 03)