
Re: c-ares buffer overflow



On Thu, May 24, 2012 at 03:11:33PM +0300, Touko Korpela wrote:
> https://raw.github.com/bagder/c-ares/cares-1_8_0/RELEASE-NOTES
> /usr/share/doc/libc-ares2/changelog.gz
> 
> c-ares version 1.8 fixes a buffer overflow and other memory issues.
> Should this be added to the tracker, and should we check if a CVE number is allocated?

Upstream homepage is http://c-ares.haxx.se/
Here is what Daniel Stenberg said about this when I asked about it:
(I didn't join their closed mailing list just to send one message)

> Are those memory safety bugs (buffer overrun, memcpy issue) security
> issues?
> If so, send information to the oss-security mailing list and ask for a CVE
> number
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security
>

And I would prefer if you sent it to the list!

The answer to your question is that no, we haven't considered any fixed
problem to be that important. You're welcome to investigate and help us
double-check this.

