ZInflate issue, bug 414, CVE coming down the pipe...


Jeffrey Walton-3
Hi Everyone,

This is in reference to https://github.com/weidai11/cryptopp/issues/414 and https://groups.google.com/forum/#!topic/cryptopp-users/7uF-luR5B8Q.

We talked with László Böszörményi, who is our Debian maintainer. He felt this could be a security bug so we are going to ask for a CVE to track it.

The fix is available at https://github.com/weidai11/cryptopp/commit/07dbcc3d9644.

I have not asked for one yet because I'm still testing some classes. Once we finish the round of testing, we will batch them and ask for CVEs for all of them (if there are more of them).

Jeff

--
--
You received this message because you are subscribed to the "Crypto++ Users" Google Group.
To unsubscribe, send an email to [hidden email].
More information about Crypto++ and this group is available at http://www.cryptopp.com.
---
You received this message because you are subscribed to the Google Groups "Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.

Re: ZInflate issue, bug 414, CVE coming down the pipe...

Jeffrey Walton-3

This is in reference to https://github.com/weidai11/cryptopp/issues/414 and https://groups.google.com/forum/#!topic/cryptopp-users/7uF-luR5B8Q.

We talked with László Böszörményi, who is our Debian maintainer. He felt this could be a security bug so we are going to ask for a CVE to track it.

This issue has been assigned CVE-2017-9434 (thanks @carnil).

Jeff
