Description
First, thanks a lot for the work on this library - I appreciate it and the fact that it was released by Microsoft under a permissive license.
Second, thanks for fixing the reported issue quickly. That is much appreciated too!
Now that the fix is public I can post this in the ordinary issue tracker. This will allow others to chime in too.
Background
On November 14, 2019 I submitted a bug report privately regarding a signed integer overflow I identified in SafeInt while auditing safe integer libraries for potential use in the Bitcoin Core project.
The bug report was sent to Microsoft Security Response Center (MSRC, id: VULN-012305) and to the project maintainer.
The fix was committed to master November 15, 2019. That is one day after it was reported: such great turnaround times are very rare. Thanks!
This was the proof of concept I sent in the bug report:
$ git clone https://github.com/dcleblanc/SafeInt
$ cd SafeInt
$ git rev-parse HEAD
67e5e5932df3b15239154035fddee4e569c97695
$ cat > safeint-poc.cpp
#include "SafeInt.hpp"
#include <cstdint>
int main() {
    uint16_t i = 46341, j = 46341, k = 0;
    SafeMultiply(i, j, k);
}
$ g++-8 -ftrapv -o safeint-poc safeint-poc.cpp && ./safeint-poc
Aborted (core dumped)
$ clang++-8 -ftrapv -o safeint-poc safeint-poc.cpp && ./safeint-poc
Illegal instruction (core dumped)
$ clang++-8 -fsanitize=undefined -o safeint-poc safeint-poc.cpp && ./safeint-poc
SafeInt.hpp:1836:45: runtime error: signed integer overflow: 46341 * 46341 cannot be represented in type 'int'
Documentation for SafeMultiply:
SafeMultiply:
Multiplies two numbers together in a way that protects against overflow.
template<typename T, typename U> inline bool SafeMultiply (T t, U u, T& result) throw ();
CVE request
As a user of the SafeInt library I would like an issue like this to get assigned a CVE.
A CVE assignment allows me as a user to more easily make an informed decision about needing to upgrade to the fixed version or not.
As I understand it Microsoft is an assigning CNA (CVE Numbering Authority): can MSRC assign a CVE for this issue?
Thanks!
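The mechanism behind the report above is integer promotion: two `uint16_t` operands are promoted to `int` before `a * b`, so 46341 * 46341 is evaluated as a signed product that exceeds INT_MAX. The following is an added example, not SafeInt's code, with hypothetical function names; it shows how to detect that the promoted product would overflow and how to multiply sub-int unsigned values in a way that never evaluates the promoted `int` expression.

```cpp
#include <cstdint>
#include <limits>
#include <type_traits>

// Added example, not code from the SafeInt library. Function names are hypothetical.

// Returns true when the plain expression `a * b` would be undefined behaviour for
// two operands of an unsigned type narrower than int: both are promoted to int,
// so the product is a signed int computation that can exceed INT_MAX.
// The case from the report: 46341 * 46341 = 2147488281 > INT_MAX (2147483647).
template <typename T>
bool naive_product_overflows_int(T a, T b) {
    static_assert(std::is_unsigned<T>::value && sizeof(T) < sizeof(int),
                  "only sub-int unsigned types are subject to this promotion");
    unsigned long long wide = static_cast<unsigned long long>(a) * b;
    return wide > static_cast<unsigned long long>(std::numeric_limits<int>::max());
}

// Overflow-checked multiply that sidesteps the promotion trap: the arithmetic is
// done in unsigned long long, which holds any product of two sub-int unsigned
// values and whose overflow is defined anyway. The result is stored only if it
// fits the destination type T; otherwise `out` is left untouched and false is returned.
template <typename T>
bool checked_mul(T a, T b, T& out) {
    static_assert(std::is_unsigned<T>::value && sizeof(T) < sizeof(int),
                  "only sub-int unsigned types are handled here");
    unsigned long long wide = static_cast<unsigned long long>(a) * b;
    if (wide > static_cast<unsigned long long>(std::numeric_limits<T>::max())) {
        return false;
    }
    out = static_cast<T>(wide);
    return true;
}

int main() {
    uint16_t k = 0;
    // Same operands as the proof of concept: the product fits neither int nor uint16_t,
    // so the check reports failure instead of triggering signed overflow.
    bool ok = checked_mul<uint16_t>(46341, 46341, k);
    return ok ? 1 : 0;
}
```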