jnwatson / py-lmdb

Universal Python binding for the LMDB 'Lightning' Database
http://lmdb.readthedocs.io/

CVE-2019-16224, CVE-2019-16225, CVE-2019-16226, CVE-2019-16227 and CVE-2019-16228 #210

Open carnil opened 5 years ago

carnil commented 5 years ago

Hi

Apparently there were a couple of CVEs assigned for issues found in py-lmdb, those are CVE-2019-16224, CVE-2019-16225, CVE-2019-16226, CVE-2019-16227 and CVE-2019-16228. Were you notified about those?

Reproducers and details are available from the above CVE references.

jnwatson commented 5 years ago

No. That's new to me. Thank you for the heads up.

On Thu, Sep 12, 2019 at 4:57 PM carnil notifications@github.com wrote:

jnwatson commented 5 years ago

All these submissions are invalid. First, this only has to do with upstream C lmdb code, so really should be filed against that. However, I won't waste their time with that because these are all about lack of parameter checking on internal, static, non-exported functions. These aren't defects and they aren't vulnerabilities.

krpatter-intc commented 2 years ago

@carnil just curious if you followed this any more; I looked upstream and didn't see any fixes mentioned. Just curious if you found them fixed in upstream but with a non-obvious commit log.

carnil commented 2 years ago

@Kevinrp01 no, I'm not aware of any so far, but see the response from @jnwatson.

douglasawh commented 3 months ago

There is an alleged exploit: https://github.com/TeamSeri0us/pocs/tree/master/lmdb/lmdb%20memcpy%20illegal%20dst

jnwatson commented 3 months ago

After taking a second look and actually trying the above exploit, I take back everything I said before. These look like real vulns (not exploits, but they could be turned into exploits fairly easily). Still, this isn't in py-lmdb but in the upstream lmdb library.

These exploits need to be converted into pure C lmdb code and reported upstream.