'Re: [oss-security] CVE Request -- dtach: Memory portion (random stack data) disclosure to the client'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request -- dtach: Memory portion (random stack data) disclosure to the client
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-06-29 3:14:11
Message-ID: 4FED1D83.1000805 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/27/2012 03:58 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> a portion of memory (random stack data) disclosure flaw was found
> in the way dtach, a simple program emulating the detach feature of
> screen, performed client connection termination under certain
> circumstances. A remote attacker could use this flaw to potentially
> obtain sensitive information by issuing a specially-crafted dtach
> client connection close request.
> 
> Upstream ticket: [1] 
> http://sourceforge.net/tracker/?func=detail&aid=3517812&group_id=36489&atid=417357
>
> 
> 
> Preliminary proposed patch: [2] 
> http://sourceforge.net/tracker/download.php?group_id=36489&atid=417357&file_id=441195&aid=3517812
>
> 
> 
> References: [3]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625302 [4]
> https://bugzilla.redhat.com/show_bug.cgi?id=812551 [5]
> https://bugzilla.redhat.com/show_bug.cgi?id=835849
> 
> Could you allocate a CVE id for this issue?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team

Please use CVE-2012-3368 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP7R2DAAoJEBYNRVNeJnmT7uIP/2gnoIsX8SAs4q0Dlvtbdu2y
apxeoM8Rk1rg9bUaVvMRnzIX4YGnbmdwaOT3uttXyMeYByCgfJcFoW0MhhNvs2C5
iZ09i2m78wR8QLp6+6BBo7FR6n+uKqyDz2bWc9QeqpxzAH2kar+gKmtEd8XfstOp
Up6VHi9TYrNs02KsIObsZci3RJAIwihahQmv/8rXYKD0ktyQ+nV7geDHg+VhSxvE
nHascnJgDxeC/pSiSw9szUCAczsZ+4ngGMVhkPuMXIknSj0tqwEPRJIM2U2X/s+z
fVUJKaZY5cSJFKYcyvubJzwyq7c1hNrEtaLBqQjuSQ9GJLkKYQUmXuErC0vJPWkh
8n/jEke++OrrIzd6DVua6f2WX0d6DCJdDbg1fg4BqMV7Sj6/XH7/+n56DHyKyAsg
a8A14lSOUPeae3t8C5E8xuuPpsAZoNSTclOIy7zl8o2Qtl83bhVfLmAYmOqq1T41
XWmjK5YzrkcrZ9H/Q4gM+e1hgwMuaOLMkxv9E4DT8W8/e3/IkjIZ9MsELS9Tllio
4msi/MqnEmlro/doDuSI7FVHv1uBO7JNRG0+l1nMs7DRX2VIr1D7Wj9ivpVWAOtY
dGlhB9vQQi4FD++NT11KpL8FTGTqZo5nG7hU3dsV7j0Kn7PxAWitl6x2qgNzfUx2
4lWKs3wgmKa1AN+yvwPi
=5A2p
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic