[Rpm-maint] [rpm-software-management/rpm] Fix CVE-2021-20248 (#1692)

Panu Matilainen notifications at github.com
Mon Jun 14 07:27:17 UTC 2021


Not this again :unamused: This is like the fourth attempt at the same thing, some rejected and some accepted and then reverted due to regressions.

An integer overflow (undefined behavior or not) is not a security issue in itself. The danger comes from assuming a particular behavior when that happens, and as I explained in https://github.com/rpm-software-management/rpm/pull/1502#issuecomment-762165341 we need to validate the range of the resulting integer *no matter what*. Which we do. I'm going to have this CVE revoked.

Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1692#issuecomment-860451528
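As an added illustration of the point made in the comment above (example code, not rpm's own): an arithmetic check that merely compares the product against the available bytes can be satisfied by a wrapped value, while checking the range before the multiplication and again on the result rejects the entry regardless of how the overflow behaves. It assumes a header-style layout where each entry's byte length is an untrusted element count times a fixed element size and must fit inside the data blob; the function names and the sample values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Naive version: the 32-bit product can wrap, so an absurd count may yield a
 * small length that passes the "fits in blob" comparison. Returns the length
 * or -1 on rejection. Kept only to show the weakness. */
int64_t entry_len_naive(uint32_t count, uint32_t elem_size, uint32_t blob_len)
{
    uint32_t len = count * elem_size;   /* unsigned wrap: defined, but wrong */
    if (len > blob_len)
        return -1;
    return (int64_t)len;
}

/* Range-validated version: reject before multiplying so the product cannot
 * wrap, then validate the resulting integer against the blob anyway. */
int64_t entry_len_checked(uint32_t count, uint32_t elem_size, uint32_t blob_len)
{
    if (elem_size == 0)
        return -1;
    if (count > blob_len / elem_size)   /* product would exceed blob_len */
        return -1;
    uint64_t len = (uint64_t)count * elem_size;  /* computed in a wider type */
    if (len > blob_len)                 /* belt and braces: range-check result */
        return -1;
    return (int64_t)len;
}

int main(void)
{
    /* Constructed inputs: 0x40000001 * 4 wraps to 4 in 32 bits. */
    printf("naive:   %lld\n", (long long)entry_len_naive(0x40000001u, 4u, 16u));
    printf("checked: %lld\n", (long long)entry_len_checked(0x40000001u, 4u, 16u));
    printf("valid:   %lld\n", (long long)entry_len_checked(3u, 4u, 16u));
    return 0;
}
```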