Open carnil opened 5 years ago
No. That's new to me. Thank you for the heads up.
On Thu, Sep 12, 2019 at 4:57 PM carnil notifications@github.com wrote:
Hi
Apparently there were a couple of CVEs assigned for issues found in py-lmdb, those are CVE-2019-16224, CVE-2019-16225, CVE-2019-16226, CVE-2019-16227 and CVE-2019-16228. Were you notified about those?
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16224
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16225
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16226
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16227
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16228
Reproducers and details are available from the above CVE references.
All these submissions are invalid. First, this only has to do with upstream C lmdb code, so really should be filed against that. However, I won't waste their time with that because these are all about lack of parameter checking on internal, static, non-exported functions. These aren't defects and they aren't vulnerabilities.
@carnil just curious if you followed this any more. I looked upstream and didn't see any fixes mentioned. Just curious if you found them fixed in upstream but with a non-obvious commit log.
@Kevinrp01 no I'm not aware of any so far, but see the response from @jnwatson
There is an alleged exploit: https://github.com/TeamSeri0us/pocs/tree/master/lmdb/lmdb%20memcpy%20illegal%20dst
After taking a second look and actually trying the above exploit, I take back everything I said before. These look like real vulns (but not exploits, but could be turned into exploits fairly easily). Still, this isn't in py-lmdb but in the upstream lmdb library.
These exploits need to be converted into pure C lmdb code and reported upstream.