Additional Security issues
Mark Doliner
mark at kingant.net
Wed Feb 6 04:02:03 EST 2013
On Tue, Feb 5, 2013 at 2:11 PM, Daniel Atallah <daniel.atallah at gmail.com> wrote:
> * CID 732103 - Fix non-NUL terminated buffer during oscar direct
> connection negotiation.
> ** I think this one is pretty severe - my patch is certainly not ideal
This is bad and we should fix it (your patch seems ok to me), but I
don't think it's a security problem because the local user must have
agreed to join the Direct IM session with the remote user. I believe
we generally don't request CVE in cases like this.
> * CID 731954, 731953, 731952, 731951, 731950 UPnP buffer overflows
> ** This is pretty severe too; the particular concerning value here is
> line 790 - setting the IP from the http response
I didn't look at this one too carefully, but your patch looks
reasonable to me. The danger from this one is limited quite a bit, I
think, because an attacker must be on the same local network as the
victim, right? Regardless, I can request a CVE for this when I email
packagers about the others.
> * CID 731949 - normalizing a really long sametime username overflows buffer
> ** Not sure if this is possible to trigger over the wire - I'm not
> familiar enough with sametime
The fix looks good to me. I also don't know if it's possible. This
isn't a write-buffer-overflow, right? If the id is longer than 4096
bytes then the string won't be null terminated which could lead to a
crash. This seems unlikely to me, but probably possible by a
malicious server? I think we've agreed we should request a CVE in
cases like this (even though this specific instance seems really minor
to me).