Re: Re: CVE Request: DoS in OpenSMTPD TLS Support

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/18/2013 09:00 PM, Jason A. Donenfeld wrote:
> On Sat, May 18, 2013 at 6:16 PM, Gilles Chehade <gilles () poolp org>
> wrote:
> > Not too nice to send a CVE request without ANY coordination with
> > us ...
>
> Sorry about that. I was in the midst of bumping packages in gentoo
> to the snapshot where you had fixed the issue, when I figured it
> might be wise to also get the issue tracked with a CVE asap. Sorry
> for jumping the gun.

For future reference you can get CVEs privately, although if you're
not the official upstream this means there is a greater chance of
duplicates (and thus of me saying "no, make a public request). So if
you want to do this a possible compromise is to email me and the
upstream and if upstream replies that it's ok then I'd probably go ahead.

> > Just for the record, you contacted us today reporting a bug which
> > could be memory corruption and you didn't know if it could be
> > exploited.
>
> The quote was "I haven't looked into why this happens or if memory 
> corruption / code execution is a possibility, but at the very
> least, it's a nasty DoS."
>
> > The snapshot mail, commit log and diffs makes the issue obvious
>
> Which is why I figured it was already a public issue, and
> therefore not an issue to track it with a CVE. But apologies,
> nonetheless, for jumping the gun. I'll coordinate with you more
> closely in the future.

Agreed, generally with public source code commits fixing an issue we
consider it public and in general I would assign a CVE publicly,
otherwise it gets to complicated to track/ensure embargoes/etc.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRmF0xAAoJEBYNRVNeJnmTvA4QAKJycT59hLMA+eod7hSmBiJi
dIsSCe/g+m+TKZS0Vyx18+jh5+WDOBNvQXo+I9KD0tYs/s7zLfJymJcENRjqHJyG
AutefIb+XqM+pVMh2FABe17unG94zWAlKSndjbPiK7X0yaSBnzUG3vAMA1ctCsfx
N/HhlpG3VcJD9W+Ogt5gn333dTqcAJM9DE+dep86Ytk1DFe0IMBK0+sWRBtOmX/T
xqVPsTPqjmO+GSTfJdLOEivLaUg0lvVdVziNvQ/lK8BNQX1WKOn8XLMqHCibLfd7
GDQYprXZyoAa3KRpLp6gIedK5QI1tk3vk08mhuzitafDaUFf2Nyt4wG2aWCRToDe
uUXf9mAf5vfBhEmcxGwlrTIDUWL5HNw2KyMzQK/C1+TpJrSvpHz2ffTn5+biTZeV
dmi3pFgJOWPKJ5vQk8kKkCM4T0drf/PWMDe02ZFpfYB2iOes+Y8M5i7b7888nqVV
Xa2cjiBqi0yTrVQr6OxNotqeesCi3WK0I6o9D5IalaiVMXtC1h3M9xElFjjulkMZ
YOxykuRrQMK8LyYBLndt40gBrh3oaqDT0lWu8lkhLqLF+g12YtBz4uBENT++renh
nKSW5ZQYIfnG58hN9+xkmB/fZ4kZAGeEd0G8NVaCj/DXw4jD6VZls+6AJC551/La
6Ml9HMWFdxKrUmj6fP9f
=81ky
-----END PGP SIGNATURE-----