Control: severity -1 normal
Control: tags -1 - security

Hello Salvatore,

Thank you for bringing this CVE entry to my attention. Unfortunately I find that the entry contains a factual error and a judgement I disagree with (see below).

On 10.02.2018 11:21, Salvatore Bonaccorso wrote:
> [...]
> CVE-2018-1000052[0]:
> | fmtlib version prior to version 4.1.0 (before commit
> | 0555cea5fc0bf890afe0071a558e44625a34ba85) contains a Memory corruption
> | (SIGSEGV), CWE-134 vulnerability in fmt::print() library function that
> | can result in Denial of Service. This attack appear to be exploitable
> | via Specifying an invalid format specifier in the fmt::print()
> | function results in a SIGSEGV (memory corruption, invalid write). This
> | vulnerability appears to have been fixed in after commit
> | 8cf30aa2be256eba07bb1cefb998c52326e846e7.

Firstly, the crash in question happens when using a specially-crafted format string. Just like for C-style printf(), application developers should not pass untrusted input as a first argument to formatting functions. For well-written applications using fmtlib, there is no exposure and therefore I disagree with labelling this bug as a security vulnerability or DoS.

One can argue that the library advertising itself as a safe one prompts one to think the library shall handle gracefully any junk in the format string. It ideally should, but failing to do so still wouldn't IMO constitute a vulnerability, but simply a normal-severity bug.

Secondly, the upstream commit 8cf30aa2be is not included in the upstream version 4.1.0 (unlike the entry indicates). 4.1.0 was released in January 2018, and the fix was committed in February 2018. Therefore, only the next minor or patch release will contain the fix. I am not planning to cherry-pick the fix before that.

Regards,

-- 
Eugene V. Lyubimkin aka JackYF
C++ GNU/Linux userspace developer, Debian Developer
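The mail above makes two points a developer can act on: the format string is the developer's template and untrusted text belongs in the argument list, and a formatter should reject a malformed template rather than crash. The following is an added illustration of both, not part of the bug report and not fmtlib's own code. It is a self-contained mini formatter written for this example; `safe_format`, `greet_user` and the accepted syntax subset (`{}`, `{N}`, `{{`, `}}`) are assumptions of the example, not fmt API.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Minimal fmt-style formatter used to illustrate the point in the mail:
// the template is developer-controlled, untrusted text only ever enters
// through the argument list, and a malformed template is reported as an
// error (nullopt) instead of being acted upon.
//
// Supported syntax (a subset assumed for this example): "{}" takes the next
// argument, "{N}" takes argument N, "{{" and "}}" are literal braces.
// Anything else, including "{:spec}" and unbalanced braces, is rejected.
std::optional<std::string> safe_format(const std::string& tmpl,
                                       const std::vector<std::string>& args) {
    std::string out;
    std::size_t next_arg = 0;
    for (std::size_t i = 0; i < tmpl.size(); ++i) {
        char c = tmpl[i];
        if (c == '}') {
            // A lone '}' is only legal as the "}}" escape.
            if (i + 1 < tmpl.size() && tmpl[i + 1] == '}') { out += '}'; ++i; continue; }
            return std::nullopt;
        }
        if (c != '{') { out += c; continue; }
        if (i + 1 < tmpl.size() && tmpl[i + 1] == '{') { out += '{'; ++i; continue; }

        // Parse a replacement field "{...}".
        std::size_t close = tmpl.find('}', i + 1);
        if (close == std::string::npos) return std::nullopt;  // unterminated field
        std::string body = tmpl.substr(i + 1, close - i - 1);

        std::size_t index;
        if (body.empty()) {
            index = next_arg++;
        } else {
            // Only plain decimal indices are accepted; specs and names are not.
            for (char d : body) if (d < '0' || d > '9') return std::nullopt;
            if (body.size() > 9) return std::nullopt;  // refuse absurdly long indices
            index = std::stoul(body);
        }
        if (index >= args.size()) return std::nullopt;  // refers to a missing argument
        out += args[index];
        i = close;
    }
    return out;
}

// The pattern the mail recommends: a fixed template chosen by the developer,
// with the untrusted string passed as an argument. Whatever braces or
// specifiers the input contains are copied verbatim, never interpreted.
std::string greet_user(const std::string& untrusted_name) {
    return safe_format("Hello, {}!", {untrusted_name}).value_or("<format error>");
}
```

`greet_user("{}{0}{")` returns `Hello, {}{0}{!` because the input is data, not a template; the same string passed as the template to `safe_format` is rejected as unterminated instead of being interpreted.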

