Assigned CVE-2019-16159

On Mon, Sep 9, 2019 at 10:07 AM Daniel McCarney <cpu@letsencrypt.org> wrote:
If you could, I would be glad.
Done. I'll update this thread when MITRE replies.
Thanks again Ondrej,
On Sun, Sep 8, 2019 at 9:56 PM Ondrej Zajicek <santiago@crfreenet.org> wrote:
On Sun, Sep 08, 2019 at 05:54:35PM -0400, Daniel McCarney wrote:
Hi Ondrej,
Thanks for the quick response.
Unfortunately it has been included in released versions 1.6.7 and 2.0.5.
Bummer, apologies for missing that. Do you want to request a CVE or should I?
If you could, I would be glad.
While I believe 7ff34ca2 introduced the ability to overflow a stack buffer, it seems to me the original RFC 8203 support hasn't been correctly verifying the shutdown communication `msg_len` since support was added in BIRD 2 versions >= 2.0.0 and BIRD 1 versions >= 1.6.4. Details to follow.
I think that the incorrect check in the original code also allows this stack overflow, as a properly packed 255B message would trigger the first condition but not the second, so would be accepted.
Therefore, the stack overflow could happen on BIRD 1 versions >= 1.6.4 and BIRD 2 versions >= 2.0.0.
The bugfix patches are:
1657c41c96b3c07d9265b07dd4912033ead4124b (1.6.x)
8388f5a7e14108a1458fea35bfbb5a453e2c563c (2.0.x)
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
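The `msg_len` check the two messages above discuss, as an added example that is not BIRD's code: the flawed conjunction beside the corrected disjunction, plus a parser that copies a shutdown communication only after the corrected check passes. The 128-octet maximum (RFC 8203), the matching receiver buffer size and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not BIRD's code. RFC 8203 caps the Shutdown
 * Communication at 128 octets; the receiver buffer is assumed to match. */
#define SHUTDOWN_MSG_MAX 128

/* Flawed predicate as described in the thread: rejects only when BOTH
 * conditions hold, so a 255-octet message that is fully present in the
 * packet passes the second test and is accepted. Returns 1 = accept. */
int shutdown_len_ok_flawed(unsigned msg_len, size_t len)
{
    return !(msg_len > SHUTDOWN_MSG_MAX && msg_len + 1 > len);
}

/* Corrected predicate: reject when the message exceeds the protocol
 * maximum OR is not fully contained in the received data. */
int shutdown_len_ok_fixed(unsigned msg_len, size_t len)
{
    return !(msg_len > SHUTDOWN_MSG_MAX || msg_len + 1 > len);
}

/* Copy a Cease NOTIFICATION data field (length octet, then message) into
 * a buffer of SHUTDOWN_MSG_MAX + 1 bytes. Returns the message length,
 * 0 for an empty message, or -1 when the field is rejected. */
int parse_shutdown_msg(const uint8_t *data, size_t len, char *out)
{
    if (len < 1)
        return -1;
    unsigned msg_len = data[0];
    if (msg_len == 0) { out[0] = '\0'; return 0; }
    if (!shutdown_len_ok_fixed(msg_len, len))
        return -1;
    memcpy(out, data + 1, msg_len);
    out[msg_len] = '\0';
    return (int)msg_len;
}

/* Constructed sample: a 255-octet message, properly packed (len = 256),
 * i.e. exactly the case the thread says the flawed check lets through. */
int parse_oversized_sample(void)
{
    uint8_t pkt[256];
    char out[SHUTDOWN_MSG_MAX + 1];
    pkt[0] = 255;
    memset(pkt + 1, 'A', 255);
    return parse_shutdown_msg(pkt, sizeof pkt, out);
}
```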