oss-sec mailing list archives

Re: root-project/root: Heap buffer overflow in TKey::Streamer / TBasket::ReadBasketBuffers


From: Matt Christie <mattacusspartacus () gmail com>
Date: Sun, 24 May 2026 14:37:14 -0400

Hi,

Don't usually reply/post here, but I work with ROOT on a regular basis and
they have a preferred route for reporting vulnerabilities.

https://github.com/root-project/root?tab=security-ov-file#readme

Ideally you'd also come to them with a patch, but this is asking a lot when
working in ROOT.

On the note of delayed posting, I was under the assumption that things
should ideally only be posted to oss-security after the coordinated
disclosure period and/or if a patch is available.

Thanks,

Matt Christie

On Sun, May 24, 2026 at 12:55 PM Solar Designer <solar () openwall com> wrote:

Hi,

On Sun, May 24, 2026 at 10:07:07PM +0700, Manopakorn Kooharueangrong wrote:
I am requesting that you coordinate a CVE assignment.

It's been many years since you could request CVE assignment from this
list.  I guess this somehow got into the training of some popular LLMs,
since we started getting this sort of requests again lately.

== Disclosure ==

The fix is already public via PR #22377. I plan to publish this advisory
once a CVE is assigned, or after 90 days from today if no CVE is
assigned.

You've just published this advisory to oss-security.  We also started
getting this sort of nonsense about delayed publication in postings to
oss-security lately, which again must be the way some LLM is "confused".

Please acknowledge receipt.

Please disclose the specifics of your use of AI in your reports.

Alexander


Current thread: