Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker
Commits: 84eb3bca by Hugo Lefeuvre at 2018-09-15T14:57:18Z 389-ds-base: mark CVE-2018-14638 not affected CVE-2018-14638: two cloned pblocks share the same password policy, and under certain circumstances the clone might be freed, consequently freeing the shared password policy. Later, when the original password policy is freed, it tries to free the password policy a second time thus resulting in double free, crash and other undefined behavior. It seems that this vulnerability first appeared in 74c666b83e3e1789c2ef3f7935c327bd7555193e (after 1.3.6.3), which introduced the concept of cloning blocks and 407d7d9de7e9c4db1e4c1f5a1a98890f2474c477 (after 1.3.7.0), which refactored the pblock to a tree-like structure. It is not completely clear to me when exactly the vulnerability first appeared, but it is almost certain that the Jessie version (1.3.3.5) is not affected since affected concepts are not present at all. - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -5721,6 +5721,7 @@ CVE-2018-14639 RESERVED CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ...) - 389-ds-base <unfixed> (bug #908859) + [jessie] - 389-ds-base <not-affected> (Vulnerable code not present) NOTE: https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73 CVE-2018-14637 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/84eb3bcae498c6e618dea2cc018513e4954d9e69
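Review bot: The added `[jessie] - 389-ds-base <not-affected> (Vulnerable code not present)` line keeps the conclusion but not the evidence for it, which exists only in the commit message. The only NOTE under CVE-2018-14638 points at 78fc627accacfa4061ce48977e22301f81ea8d73, so anyone reading data/CVE/list cannot tell which change introduced the flaw. Consider adding a NOTE line in this entry naming 74c666b83e3e1789c2ef3f7935c327bd7555193e (after 1.3.6.3) and 407d7d9de7e9c4db1e4c1f5a1a98890f2474c477 (after 1.3.7.0) as the suspected introducing commits, and saying that the exact starting point is not yet certain. The entry still carries `- 389-ds-base <unfixed> (bug #908859)` for the other suites, and whoever triages them will need those version boundaries without having to dig through the commit log.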