From: Thomas D. <wh...@ge...> - 2016-11-22 20:08:52

Hi,

current trunk still contains minilzo v2.06 in

svn://svn.valgrind.org/valgrind/trunk/coregrind/m_debuginfo

which is vulnerable to CVE-2014-4607. Would it be possible to update minilzo with the next version?

--
Regards,
Thomas

From: Philippe W. <phi...@sk...> - 2016-11-22 20:58:38

On Tue, 2016-11-22 at 21:08 +0100, Thomas Deutschmann wrote:
> Hi,
>
> current trunk still contains minilzo v2.06 in
>
> svn://svn.valgrind.org/valgrind/trunk/coregrind/m_debuginfo
>
> which is vulnerable to CVE-2014-4607. Would it be possible to update
> minilzo with the next version?

For sure, it would be good to update this library.

However, I am not too sure to understand the vulnerability in the case of valgrind: this minilzo is used to read the debug info of the executable or libraries being valgrind-ed.

If an attacker is persuading someone to use valgrind on an executable or with a library containing some specially crafted debuginfo, the attacker might as well just put what is needed in the executable or library itself, without going through the effort to exploit this integer overflow via the debuginfo of the executable/lib.

Or is there an attack path that is possible via this minilzo 'only'?

Philippe

From: Thomas D. <wh...@ge...> - 2016-11-23 14:48:19
Attachments:
signature.asc

Hi,

On 2016-11-22 22:00, Philippe Waroquiers wrote:
> For sure, it would be good to update this library.
>
> However, I am not too sure to understand the vulnerability in the case
> of valgrind: this minilzo is used to read the debug info of the
> executable or libraries being valgrind-ed.
>
> If an attacker is persuading someone to use valgrind on an executable
> or with a library containing some specially crafted debuginfo,
> the attacker might as well just put what is needed in the executable
> or library itself, without going through the effort to exploit
> this integer overflow via the debuginfo of the executable/lib.
>
> Or is there an attack path that is possible via this minilzo 'only' ?

I am not sure if you can get hit by this if you are only analyzing a given core dump. Anyway, the rating for valgrind should be very low.

So I am only asking if you (the valgrind project) can update the 3rd party library with the next regular update so that we (the distributions) can get you off the lists of packages shipping the vulnerable lib. Nothing more. :)

Thanks!

--
Regards,
Thomas
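The distribution-side check behind this thread (finding source trees that still ship a pre-2.07 minilzo) can be scripted. The following is an added example and not code from the valgrind or LZO projects. It assumes vendored copies carry the version macros the way minilzo.h does (a hex `MINILZO_VERSION`/`LZO_VERSION` define such as `0x2060`, or `LZO_VERSION_STRING "2.06"`), and it builds a constructed sample tree instead of scanning a real checkout. CVE-2014-4607 was fixed in LZO 2.07, so any copy encoding a version below `0x2070` is reported.

```python
"""Audit a source tree for vendored minilzo/LZO headers older than 2.07.

Added example, not valgrind or LZO project code. Assumption: vendored
headers carry version macros in the minilzo.h style, e.g.
    #define MINILZO_VERSION         0x2060
    #define LZO_VERSION_STRING      "2.06"
"""
import os
import re
import tempfile

# First LZO/minilzo release carrying the CVE-2014-4607 fix.
FIXED_VERSION = 0x2070

# Hex form: "#define MINILZO_VERSION 0x2060" or "#define LZO_VERSION 0x2060".
HEX_RE = re.compile(r'^\s*#\s*define\s+(?:MINI)?LZO_VERSION\s+(0x[0-9A-Fa-f]+)', re.M)
# String form: '#define LZO_VERSION_STRING "2.06"' (used as a fallback).
STR_RE = re.compile(r'^\s*#\s*define\s+LZO_VERSION_STRING\s+"(\d+)\.(\d+)(?:\.(\d+))?"', re.M)


def parse_lzo_version(text):
    """Return the LZO version number encoded in a header (e.g. 0x2060), or None."""
    m = HEX_RE.search(text)
    if m:
        return int(m.group(1), 16)
    m = STR_RE.search(text)
    if m:
        # Assumed encoding: major in the top nibble group, minor in the next
        # two, patch in the low nibble (2.06 -> 0x2060, 2.10 -> 0x20a0).
        major, minor = int(m.group(1)), int(m.group(2))
        patch = int(m.group(3) or 0)
        return (major << 12) | (minor << 4) | patch
    return None


def fmt(version):
    """Render a numeric LZO version as 'major.minor' (0x2060 -> '2.06')."""
    return "%d.%02d" % (version >> 12, (version >> 4) & 0xFF)


def scan_tree(root):
    """Walk root and return (path, version) for every vendored LZO header found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in ("minilzo.h", "lzoconf.h"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_lzo_version(fh.read())
            if version is not None:
                hits.append((path, version))
    return hits


def vulnerable_copies(root):
    """Headers whose version predates the CVE-2014-4607 fix."""
    return [(p, v) for p, v in scan_tree(root) if v < FIXED_VERSION]


def build_sample_tree():
    """Constructed sample tree: a 2.06 copy under coregrind/m_debuginfo (the
    layout named in the thread) and an already-updated 2.07 copy elsewhere."""
    root = tempfile.mkdtemp(prefix="lzo-audit-")
    old_dir = os.path.join(root, "coregrind", "m_debuginfo")
    new_dir = os.path.join(root, "third_party", "lzo")
    os.makedirs(old_dir)
    os.makedirs(new_dir)
    with open(os.path.join(old_dir, "minilzo.h"), "w") as fh:
        fh.write("/* constructed sample header */\n#define MINILZO_VERSION         0x2060\n")
    with open(os.path.join(new_dir, "minilzo.h"), "w") as fh:
        fh.write("/* constructed sample header */\n#define MINILZO_VERSION         0x2070\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, ver in vulnerable_copies(sample_root):
        print("%s: minilzo %s (< 2.07, CVE-2014-4607 unfixed)" % (path, fmt(ver)))
```

Run it as-is to see the constructed 2.06 copy reported; point `vulnerable_copies()` at a real unpacked source package to audit it. Matching only on the header file names keeps the scan cheap, and the string-form fallback covers trees that strip the hex macro but keep `LZO_VERSION_STRING`.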