On 01/03/2013 08:32 AM, Jan Lieskovsky wrote: > Hello Kurt, Steve, vendors, > > SWI-Prolog upstream has released [2] 6.2.5 / 6.3.7 versions, > correcting the following two security flaws: > > * Issue #1 (from [2]): ======================= * FIXED: Possible > buffer overrun in patch canonisation code. Pushes pointers on an > automatic array without checking for overflow. Can be used for DoS > attacks. Will be extremely hard to make it execute arbitrary code. > > Relevant upstream patch: [1] > http://www.swi-prolog.org/git/pl.git/commitdiff/a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c > > References: [2] > https://lists.iai.uni-bonn.de/pipermail/swi-prolog/2012/009428.html > > [3] https://bugzilla.redhat.com/show_bug.cgi?id=891577 Please use CVE-2012-6089 for this issue. > * Issue #2 - from [2]: ====================== * SECURITY: Possible > buffer overflows when expanding file-names with long paths. > Affects expand_file_name/2. Can lead to crashes (DoS attacks) and > possibly execution of arbitrary code if an attacker can control the > names of the files searched for, e.g., if expand_file_name/2 is > used in a directory to which an attacker can upload files for which > he can control the name. > > Relevant upstream patch: [4] > http://www.swi-prolog.org/git/pl.git/commitdiff/b2c88972e7515ada025e97e7d3ce3e34f81cf33e > > References: [5] > https://lists.iai.uni-bonn.de/pipermail/swi-prolog/2012/009428.html > > [6] https://bugzilla.redhat.com/show_bug.cgi?id=891577 Please use CVE-2012-6090 for this issue. > Could you allocate CVE ids for these? (iilc two should be enough) Done, thanks! > > Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat > Security Response Team >
Do we have this packages ? i found nothing related to swi-prolog
You are right, the package was never imported.
Status: NEW => RESOLVEDResolution: (none) => INVALID