> Done. I'll update this thread when MITRE replies.

Assigned CVE-2019-16159

On Mon, Sep 9, 2019 at 10:07 AM Daniel McCarney <[email protected]> wrote:
>
> > If you could, I would be glad.
>
> Done. I'll update this thread when MITRE replies.
>
> Thanks again Ondrej,
>
> On Sun, Sep 8, 2019 at 9:56 PM Ondrej Zajicek <[email protected]> wrote:
> >
> > On Sun, Sep 08, 2019 at 05:54:35PM -0400, Daniel McCarney wrote:
> > > Hi Ondrej,
> > >
> > > Thanks for the quick response.
> > >
> > > > Unfortunately it has been included in released versions 1.6.7 and 2.0.5.
> > >
> > > Bummer, apologies for missing that. Do you want to request a CVE or
> > > should I?
> >
> > If you could, I would be glad.
> >
> > > > While I believe 7ff34ca2 introduced the ability to overflow a stack
> > > buffer it
> > > seems to me the original RFC 8203 support hasn't been correctly verifying
> > > shutdown communication `msg_len` since support was added in BIRD 2
> > > versions >=
> > > 2.0.0 and BIRD 1 versions >= 1.6.4. Details to follow.
> >
> > I think that the incorrect check in the original code also allows this
> > stack overflow, as a properly packed 255B message would trigger the first
> > condition but not the second, so would be accepted.
> >
> > Therefore, the stack overflow could happen on BIRD 1 versions >= 1.6.4
> > and BIRD 2 versions >= 2.0.0.
> >
> >
> > The bugfix patches are:
> > 1657c41c96b3c07d9265b07dd4912033ead4124b (1.6.x)
> > 8388f5a7e14108a1458fea35bfbb5a453e2c563c (2.0.x)
> >
> > --
> > Elen sila lumenn' omentielvo
> >
> > Ondrej 'Santiago' Zajicek (email: [email protected])
> > OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> > "To err is human -- to blame it on a computer is even more so."
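
The thread above describes a length check on the RFC 8203 shutdown communication message in which a "properly packed" 255-byte message satisfies the first condition but not the second and is therefore accepted. The C below is an added illustration of that class of bug, written for this page; it is not BIRD's code and does not reproduce the actual patches referenced above. It assumes a wire layout of one length byte followed by the message text, a `len` that counts the bytes actually present, a 128-byte destination buffer (the RFC 8203 message limit, taken as an assumption here), and the names `shutdown_msg_ok_flawed` / `shutdown_msg_ok_fixed` are hypothetical. The flawed variant joins the two conditions with `&&`, so rejection needs both; the fixed variant rejects when either fails. Nothing here writes past a buffer: the copy helper only runs after the fixed check.

```c
/*
 * Added example (not BIRD's code): two versions of a length check for an
 * RFC 8203 Shutdown Communication, one joining its conditions with && and
 * one with ||, plus harness functions that exercise them on constructed input.
 *
 * Assumed layout: data[0] = msg_len, data[1 .. msg_len] = message text.
 * `len` = number of bytes actually available starting at data[0].
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG 128   /* capacity of the fixed destination buffer (assumption) */

/* Flawed check: an oversize message is only rejected when it is ALSO
 * inconsistent with `len`. A consistent ("properly packed") 255-byte
 * message passes, even though it is larger than MAX_MSG. */
bool shutdown_msg_ok_flawed(const uint8_t *data, size_t len)
{
    if (len < 1)
        return false;
    size_t msg_len = data[0];
    if (msg_len == 0)
        return true;
    if ((msg_len > MAX_MSG) && (msg_len + 1 > len))
        return false;
    return true;
}

/* Fixed check: reject if the message would not fit the buffer OR it claims
 * more bytes than the packet carries. Either failure alone is fatal. */
bool shutdown_msg_ok_fixed(const uint8_t *data, size_t len)
{
    if (len < 1)
        return false;
    size_t msg_len = data[0];
    if (msg_len == 0)
        return true;
    if ((msg_len > MAX_MSG) || (msg_len + 1 > len))
        return false;
    return true;
}

/* Copies the message into a MAX_MSG+1 byte buffer only after the fixed
 * check accepts it. Returns the number of bytes copied (0 on rejection). */
size_t shutdown_msg_copy(const uint8_t *data, size_t len, char out[MAX_MSG + 1])
{
    if (!shutdown_msg_ok_fixed(data, len))
        return 0;
    size_t msg_len = data[0];
    memcpy(out, data + 1, msg_len);
    out[msg_len] = '\0';
    return msg_len;
}

/* Constructed input: a properly packed message, i.e. the length byte says
 * msg_len and exactly msg_len bytes of text follow. Returns total length. */
size_t build_packed_message(uint8_t *buf, size_t msg_len)
{
    buf[0] = (uint8_t)msg_len;
    memset(buf + 1, 'A', msg_len);
    return msg_len + 1;
}

/* Harness: does `check` accept a properly packed msg_len-byte message? */
bool check_accepts_packed(bool (*check)(const uint8_t *, size_t), size_t msg_len)
{
    uint8_t pkt[256];               /* 1 length byte + up to 255 text bytes */
    size_t len = build_packed_message(pkt, msg_len);
    return check(pkt, len);
}

/* Harness: does `check` accept a message whose length byte claims more
 * bytes than are actually present (a truncated packet)? */
bool check_accepts_truncated(bool (*check)(const uint8_t *, size_t),
                             size_t claimed, size_t present)
{
    uint8_t pkt[256];
    pkt[0] = (uint8_t)claimed;
    memset(pkt + 1, 'A', present);
    return check(pkt, present + 1);
}

/* Harness: bytes the guarded copy actually writes for a packed message. */
size_t copied_len_for_packed(size_t msg_len)
{
    uint8_t pkt[256];
    char out[MAX_MSG + 1];
    size_t len = build_packed_message(pkt, msg_len);
    return shutdown_msg_copy(pkt, len, out);
}

int main(void)
{
    printf("flawed check accepts packed 255B message: %s\n",
           check_accepts_packed(shutdown_msg_ok_flawed, 255) ? "yes" : "no");
    printf("fixed check accepts packed 255B message:  %s\n",
           check_accepts_packed(shutdown_msg_ok_fixed, 255) ? "yes" : "no");
    return 0;
}
```

The point to take from running it is that consistency with the packet length and fitting the destination buffer are independent properties; a check has to test both, and combining them so that only the conjunction rejects turns a well-formed but oversized message into one that passes.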
