https://bugzilla.novell.com/show_bug.cgi?id=647493
https://bugzilla.novell.com/show_bug.cgi?id=647493#c0 Summary: CVE-2007-5197 not actually fixed, BigInteger unsafe code overflow remains in all versions incl git master Classification: Mono Product: Mono: Class Libraries Version: SVN Platform: x86-64 OS/Version: Ubuntu Status: NEW Severity: Normal Priority: P5 - None Component: Mono.Security AssignedTo: [email protected] ReportedBy: [email protected] QAContact: [email protected] Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Ubuntu/10.10 Chromium/6.0.472.63 Chrome/6.0.472.63 Safari/534.3 At some point in the past, some wires were crossed. As a result, http://www.mono-project.com/Vulnerabilities#BigInteger_unsafe_code_overflow reports that CVE-2007-5197 was fixed in Mono 1.2.5.1 - it was actually FOUND in 1.2.5.1, and has never been fixed upstream. Pretty much every distro out there has simply been patching it downstream since 2007. It should probably get fixed. Reproducible: Always Steps to Reproduce: 1. Use upstream Mono 2. Be insecure Fix is in http://git.debian.org/?p=pkg-mono/packages/mono.git;a=commitdiff;h=252840544847bf18c954ec3e07590dbad375a392 or any number of other downstream distro patch databases -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug. _______________________________________________ mono-bugs maillist - [email protected] http://lists.ximian.com/mailman/listinfo/mono-bugs
