merces / libpe

The PE library used by @merces/pev
http://pev.sf.net
GNU Lesser General Public License v3.0

Is the off-by-one in pe_utils_str_widechar2ascii() a security issue? #34

Open petterreinholdtsen opened 3 years ago

petterreinholdtsen commented 3 years ago

Dear developer. The fix in 5737a97c57be175333fc0c6f51bb2cdd7101c17e was just brought to my attention, and it made me wonder if the issue can cause a security issue with specially created PE binaries. Is the fix security related, and if so, is there a CVE assigned to the issue?

petterreinholdtsen commented 3 years ago

https://bugs.debian.org/987959 is the background for my question.

merces commented 3 years ago

Hi @petterreinholdtsen. This looks like a security issue, you're right. However, we haven't assigned any CVE to it. @jweyrich do you have more details here since you were the one fixing the bug?

jweyrich commented 3 years ago

No security issue was reported for this case. At least not that I'm aware of. But yes, theoretically, a malformed binary could cause arbitrary code execution - I didn't try it though. IIRC, we detected the issue during one of our Discord sessions.
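As an added illustration of the bug class discussed in this thread: the code below is constructed for this page and is not libpe's pe_utils_str_widechar2ascii() nor the fix in 5737a97c57be175333fc0c6f51bb2cdd7101c17e. The function names, the 4-byte buffer size, the canary byte and the UTF-16LE inputs are all assumptions. It shows a narrowing widechar-to-ASCII copy that stores its NUL terminator one byte past the buffer the caller handed it, next to a bounded version that takes the real output size and the input length in bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical narrowing copy of a UTF-16LE string into ASCII, written to
 * show the off-by-one pattern. This is NOT libpe's code. The caller hands
 * over `nchars` bytes of output, but the NUL lands at output[nchars], one
 * byte past the end of that buffer. */
static void widechar2ascii_offbyone(char *output, const uint8_t *wide, size_t nchars)
{
    for (size_t i = 0; i < nchars; i++)
        output[i] = (char)wide[2 * i];      /* low byte of each UTF-16LE unit */
    output[nchars] = '\0';                  /* BUG: one past the caller's buffer */
}

/* Bounded version: takes the real output size and the input length in bytes,
 * never writes past output[output_size - 1], stops at an embedded NUL unit,
 * and substitutes '?' for anything outside 7-bit ASCII. Returns the number
 * of characters stored (excluding the terminator). */
static size_t widechar2ascii_bounded(char *output, size_t output_size,
                                     const uint8_t *wide, size_t wide_len_bytes)
{
    if (output_size == 0)
        return 0;
    size_t units = wide_len_bytes / 2;      /* a trailing odd byte is ignored */
    size_t n = 0;
    for (size_t i = 0; i < units && n + 1 < output_size; i++) {
        uint16_t u = (uint16_t)(wide[2 * i] | (wide[2 * i + 1] << 8));
        if (u == 0)
            break;
        output[n++] = (u < 0x80) ? (char)u : '?';
    }
    output[n] = '\0';
    return n;
}

/* Constructed input: "ABCD" in UTF-16LE, 8 bytes. */
static const uint8_t WIDE_ABCD[] = { 'A', 0, 'B', 0, 'C', 0, 'D', 0 };
#define CANARY ((char)0xAA)

/* Give the buggy routine a 4-byte buffer (buf[0..3]) and watch buf[4].
 * buf is really 5 bytes so the overrun stays inside this test's storage. */
int offbyone_clobbers_next_byte(void)
{
    char buf[5];
    memset(buf, 0xAA, sizeof buf);
    widechar2ascii_offbyone(buf, WIDE_ABCD, 4);
    return buf[4] != CANARY;                /* 1: the terminator overwrote the canary */
}

int bounded_preserves_next_byte(void)
{
    char buf[5];
    memset(buf, 0xAA, sizeof buf);
    size_t n = widechar2ascii_bounded(buf, 4, WIDE_ABCD, sizeof WIDE_ABCD);
    /* only 3 chars fit alongside the NUL; the 5th byte is untouched */
    return buf[4] == CANARY && n == 3 && strcmp(buf, "ABC") == 0;
}

/* Constructed input: "A", U+00E9, NUL, "Z". The NUL ends the string and the
 * non-ASCII unit becomes '?'. */
int bounded_handles_nul_and_non_ascii(void)
{
    static const uint8_t wide[] = { 'A', 0, 0xE9, 0, 0, 0, 'Z', 0 };
    char buf[16];
    size_t n = widechar2ascii_bounded(buf, sizeof buf, wide, sizeof wide);
    return n == 2 && strcmp(buf, "A?") == 0;
}

int main(void)
{
    printf("off-by-one clobbers adjacent byte: %d\n", offbyone_clobbers_next_byte());
    printf("bounded copy preserves adjacent byte: %d\n", bounded_preserves_next_byte());
    printf("bounded copy stops at NUL, maps non-ASCII: %d\n", bounded_handles_nul_and_non_ascii());
    return 0;
}
```

The overrun in the buggy variant is a single constant zero byte, so its impact depends entirely on what the allocator or the stack layout places right after the buffer; that is why "theoretically" is the honest word for code execution here. In a real parser the input length comes from the PE file itself, so the bounded variant deliberately takes the input length in bytes and stops on an embedded NUL rather than trusting a character count supplied by the file. Building the unbounded variant with -fsanitize=address and running it on a real-sized buffer is the quickest way to confirm the write past the end.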

petterreinholdtsen commented 2 years ago

Should a CVE be requested for this issue?

merces commented 2 years ago

I'd be fine with that, yes. Should we work on it ourselves or you do it, @petterreinholdtsen ?

Thanks.

petterreinholdtsen commented 2 years ago

[Fernando Mercês]

I'd be fine with that, yes. Should we work on it ourselves or you do it, @petterreinholdtsen ?

I do not have any source of CVEs myself, my approach would be to talk to the Debian security team to ask for their help, as I am involved in Debian. No idea if that is a better option than your ideas. I suspect it is better that you, who know the source and issue, do it.

-- Happy hacking Petter Reinholdtsen

carnil commented 2 years ago

[Fernando Mercês]

I'd be fine with that, yes. Should we work on it ourselves or you do it, @petterreinholdtsen ?

I do not have any source of CVEs myself, my approach would be to talk to the Debian security team to ask for their help, as I am involved in Debian. No idea if that is a better option than your ideas. I suspect it is better that you, who know the source and issue, do it.

-- Happy hacking Petter Reinholdtsen

If a CVE is warranted for the issue, please do request a CVE directly via https://cveform.mitre.org.

merces commented 2 years ago

Hi @carnil, thanks for pointing that out. ;)

Hi @petterreinholdtsen, we're now in the process of finding someone to take over this project along with pev, because we don't have the time to work on them anymore. I truly appreciate your understanding, as I didn't want to see pev being kicked out of the Debian repos. I hope to find a new maintainer who will take care of this and other issues.

Thanks, Fernando

petterreinholdtsen commented 2 years ago

[Fernando Mercês]

Hi @petterreinholdtsen, we're now in the process of finding someone to take over this project along with pev, because we don't have the time to work on them anymore.

Thank you for not forgetting this issue. For the record, I am not volunteering to take over libpe and pev. Way too many other tasks on my plate. :)

-- Happy hacking Petter Reinholdtsen