(Initial version of audit list) |
(Add links to audit reports and validation logs) |
||
| Line 14: | Line 14: | ||
The critical vulnerability was a stack buffer overflow which could have led to arbitrary code execution when compiling untrusted regular expressions. | The critical vulnerability was a stack buffer overflow which could have led to arbitrary code execution when compiling untrusted regular expressions. | ||
* Audit report | * [[Media:Pcre-report.pdf|Audit report]] | ||
* Fix and validation log | * [https://docs.google.com/document/d/1FEGCOGPWt9lVsuFsER9EmkkTU-LIH9ggtWSDhgvwr0Q/edit Fix and validation log] | ||
==libjpeg-turbo== | ==libjpeg-turbo== | ||
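Review bot: The "Fix and validation log" entry on the new side links to a Google Docs `/edit` URL, while the audit report beside it is an on-wiki `Media:` upload. Whether readers can open the log depends on that document's sharing settings, and its content can change after this revision without anything showing up in the wiki history. Consider uploading a PDF export of the log in the same way as `Media:Pcre-report.pdf` and linking that, or at least linking a read-only view of the document.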
| Line 29: | Line 29: | ||
The high vulnerability was an out-of-bounds read. It is unclear exactly how exploitable it was. However, more interesting were the two medium vulnerabilities, which were initially reported as DoS bugs in the libjpeg-turbo library but on further investigation were found to be issues with the JPEG standard itself. These issues were reproduced across multiple JPEG implementations, can be triggered by entirely legal JPEGs, and so are not easy to mitigate in any JPEG library itself. We have written up these issues in a separate report, along with our suggestions as to how applications using JPEG can mitigate them in their own code. | The high vulnerability was an out-of-bounds read. It is unclear exactly how exploitable it was. However, more interesting were the two medium vulnerabilities, which were initially reported as DoS bugs in the libjpeg-turbo library but on further investigation were found to be issues with the JPEG standard itself. These issues were reproduced across multiple JPEG implementations, can be triggered by entirely legal JPEGs, and so are not easy to mitigate in any JPEG library itself. We have written up these issues in a separate report, along with our suggestions as to how applications using JPEG can mitigate them in their own code. | ||
* Audit report | * [[Media:Libjpeg-turbo-report.pdf|Audit report]] | ||
* Fix and validation log | * [https://docs.google.com/document/d/1uxETuTL7_tVgE8EB49RhxxHuCyDIbcsS9fHNimBixm4/edit Fix and validation log] | ||
* Special report on issues in the JPEG standard | * [https://docs.google.com/document/d/17exDyGr2txYJ5Ntv4Q8B3MnLSvbcSfs5dje_xuDZPNA/edit Special report on issues in the JPEG standard] | ||
==phpMyAdmin== | ==phpMyAdmin== | ||
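Review bot: The "Special report on issues in the JPEG standard" entry is the only pointer to the mitigation suggestions the paragraph refers to, and it is an off-wiki Google Docs `/edit` link. The text says these issues reproduce across multiple JPEG implementations and are not easy to mitigate in the library, so this report is the one application developers most need a stable copy of. Upload it alongside `Media:Libjpeg-turbo-report.pdf` and link the uploaded file.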
| Line 45: | Line 45: | ||
NCC Group found no serious issues in this codebase. | NCC Group found no serious issues in this codebase. | ||
* Audit report | * [[Media:Phpmyadmin-report.pdf|Audit report]] | ||
* Fix and validation log | * [https://docs.google.com/document/d/1mrKwVKkcC22JeYIcXQeTNbq_kjTLlMIfHAxdffFMDXk/edit Fix and validation log] | ||
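Review bot: Under phpMyAdmin the new side links a "Fix and validation log" directly below the sentence "NCC Group found no serious issues in this codebase", which leaves it unclear what was fixed. Add a short sentence saying what the log covers so the two lines do not read as contradictory.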