Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

Re: vulnerabilities in busybox tar and cpio tools - Demi Marie Obenour (Apr 25)
SPF won’t be a problem so long as the message is DKIM-signed.

gmail.com now has p=quarantine, so this is already starting to cause
problems even there. I think it is best to either rewrite the From
header unless there is a DKIM signature and it is kept intact, or
bounce the message instructing the user to add [oss-security] to the
Subject themselves.

Re: CVE-2024-56431: libtheora: incorrect bitwise shift in huffdec.c - Solar Designer (Apr 25)
The above link is to a wrong PoC, I think you meant this one:

https://github.com/UnionTech-Software/libtheora-CVE-2024-56431-PoC

This doesn't look like a security issue, so the CVE should be rejected
unless there's justification.

Just how would "an incorrect bitwise shift" result in "an application
crash"? In a build with UbSan, sure. In a production build, it would
not, unless the resulting incorrect...

Re: Trailing dot in Cygwin filenames [was: failed to clone iptables,ipset,nftables] - Jan Engelhardt (Apr 25)
There is some prior record -
https://github.com/libgit2/libgit2/issues/6968

"foo" and "foo." are equivalent in DOS, and there is a normalization
phase from "foo." to "foo". This carried forward into contemporary
Windows cmd.exe, explorer.exe (File Explorer), the usual file access
APIs.

echo abc >x
echo def >y.

creates "y" not "y." in cmd.

But Cygwin does...

CVE-2024-56431: libtheora: incorrect bitwise shift in huffdec.c - xiaolin (Apr 25)
Severity:
- moderate

Affected versions:
- libtheora through 1.2.0

Fixed software:
- v1.2.0

Description:
A flaw was found in Theora (libtheora). An incorrect bitwise shift may be triggered via specially-crafted input,
potentially resulting in an application crash.

-------------------------------------------------------------
References:
https://github.com/advisories/GHSA-8xp8-gmmj-xc8w...

CVE-2024-56430: openfhe: OpenFHE through 1.2.3 has a NULL pointer dereference bug - xiaolin (Apr 25)
Severity:
- moderate

Affected versions:
- libtheora through 1.2.3

Fixed software:
- v1.2.3

Description:
This issue involves a NULL pointer dereference in the BinFHEContext::EvalFloor function within the
lib/binfhe-base-scheme.cpp file, potentially resulting in an application crash by triggering the
dereference of a NULL pointer.

For more information
-------------------------------------------------------------...

Re: CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow - Jacob Bachmeyer (Apr 25)
On a guess that the same message fragment is used for both reads and
writes, how about "stack-bound-violation" instead of
"stack-buffer-overflow"? It is even the same length.

-- Jacob

Re: CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow - Solar Designer (Apr 24)
Yes, this may very well be the main cause of this trend. Is someone
reading this in a position to change the wording in AddressSanitizer?
For example, it could have "stack out-of-bounds read" in place of
"stack-buffer-overflow" above.

Alexander

Re: vulnerabilities in busybox tar and cpio tools - Solar Designer (Apr 24)
This was a special case - DKIM-breaking message body modification
shouldn't normally happen here.

However, the list is indeed not DMARC-compatible: we insert
[oss-security] into the Subject when it's not already near the beginning
of that header (may break DKIM), and we relay messages from the list
server's IP address (may be against the From header domain's SPF,
although recipient servers may look at envelope-from instead,...

Re: vulnerabilities in busybox tar and cpio tools - Demi Marie Obenour (Apr 24)
This message was marked as spam by GMail. The ARC-Authentication-Results
header indicates that the mailing list is not configured in a DMARC-compatible
way. Specifically, the mailing list did not rewrite the From: header but did
modify the message body, so the DKIM signature check failed.

Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() - Qualys Security Advisory (Apr 24)
Hi Solar, all,

Sorry for the late reply, and thank you very much for looking into this
and for asking all the good questions! What follows is mainly based on
scrappy notes from January, but hopefully it will still be useful.

There are probably two reasons that can explain all these differences:

1/ Difference between our command-line POC loop and a self-contained C
program: on the command line, the kernel limits the size of an argument...

Re: CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow - Jakub Wilk (Apr 24)
* Solar Designer <solar () openwall com>, 2025-04-24 20:32:

Part of the problem may be that AddressSanitizer uses this unfortunate
terminology; you get something like this:

==7802==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xf5f00021 at pc 0xf79c113e bp 0xfff496e8 sp 0xfff492c4
READ of size 2 at 0xf5f00021 thread T0

Re: CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow - Solar Designer (Apr 24)
Hi,

Thank you for bringing this to oss-security! As I also communicated
privately, as a moderator I had to repair this message's content prior
to approving it because the text/plain section was garbled to the point
of being unreadable. This is why the delay (message received April 22,
approved April 24). However, I did not edit any of the content beyond
making it look right in text/plain, so I post this follow-up instead:

This reads...

CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow - 田世林 (Apr 24)
A heap buffer overflow vulnerability exists in `QTextMarkdownImporter`.
When parsing the front matter of a Markdown file, the code assumes that
more characters (e.g., a newline) will be present in the input after
finding the closing marker `---`. However, if the input stream ends with
the `----` delimiter and lacks a trailing newline, calling
`QStringView::sliced()` will attempt to access characters beyond the end
of the string, causing the...

Re: [EXTERNAL] Re: [oss-security] vulnerabilities in busybox tar and cpio tools - Ian Norton (Apr 24)
I re-posted the patch for CVE-2025-46394 to https://lists.busybox.net/pipermail/busybox/2025-April/091461.html

I was sceptical about the isatty() call but it was requested by others on the list

Re: [EXTERNAL] Re: [oss-security] vulnerabilities in busybox tar and cpio tools - Ian Norton (Apr 24)
On Wednesday 23 April 2025 at 17:04 Jakub Wilk <jwilk () jwilk net> wrote

Yes, that looks better, but it is still an opt-in. Users would need to compile
Busybox with the FEATURE_PATH_TRAVERSAL_PROTECTION feature enabled.
