new IPAddressBitsDivision leads to infinite loop #118
Comments
That IPAddressBitsDivision constructor takes the arguments: the bitCount indicates the size of the division; the defaultRadix indicates the radix to use when printing the division. So yes, as you have shown here, supplying a radix of -1 results in an infinite loop. That is because of the function AddressDivisionBase.getDigitCount, which does not work with a radix of -1 or 1; it will have an infinite loop with those arguments. Theoretically, a radix can be negative, but in practice radices are generally 2 or larger. There is no check in this library for a radix less than 2, but a radix less than 2 is an invalid argument that makes no logical sense. In this library, a radix should be 2 or larger, not negative, and not 1. So you can certainly fix your code here by avoiding calling any function with such a radix. In a future release I can add a check to ensure that an exception is thrown when a radix is supplied that is not 2 or larger. I can also add a check on the bitCount argument, which should also not be negative, since that makes no sense as well.
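The comment above describes why a radix of 1 or -1 hangs the digit-count loop and what check would prevent it. The following is an added, stand-alone example (not the IPAddress library's code, and not anything posted in this thread) that models that loop and puts the guarded form beside it. The class and method names (RadixCheckDemo, naiveDigitCount, checkedDigitCount) are hypothetical, as is the iteration bound used so the demo can report the hang instead of actually hanging.

```java
// Added example: a minimal model of the digit-count loop described above and
// a guarded replacement. This is NOT code from the IPAddress library; all
// names here are hypothetical. No external dependency is needed.
public class RadixCheckDemo {

    /**
     * Mirrors the described behaviour: divide until the value reaches zero.
     * With radix 1 the value never shrinks; with radix -1 it only flips sign,
     * so neither case ever reaches zero. A bound on iterations is added here
     * (an assumption for the demo) so the hang can be reported as -1 rather
     * than blocking the thread.
     */
    static int naiveDigitCount(long value, int radix, int maxIterations) {
        int count = 0;
        long v = value;
        do {
            v /= radix;
            count++;
            if (count > maxIterations) {
                return -1; // would loop forever without the bound
            }
        } while (v != 0);
        return count;
    }

    /**
     * Guarded version: rejects the arguments the maintainer calls invalid
     * (radix below 2, negative bitCount) before any loop runs, and also
     * rejects a value that does not fit in bitCount bits. Because radix is
     * at least 2, each division strictly shrinks v, so the loop terminates.
     */
    static int checkedDigitCount(long value, int bitCount, int radix) {
        if (radix < 2) {
            throw new IllegalArgumentException("radix must be 2 or larger, got " + radix);
        }
        if (bitCount < 0) {
            throw new IllegalArgumentException("bitCount must not be negative, got " + bitCount);
        }
        if (value < 0 || (bitCount < 64 && value >= (1L << bitCount))) {
            throw new IllegalArgumentException("value does not fit in " + bitCount + " bits");
        }
        int count = 1; // zero still prints as a single digit
        long v = value;
        while (v >= radix) {
            v /= radix;
            count++;
        }
        return count;
    }

    public static void main(String[] args) {
        // Constructed input: a 16-bit division holding the value 255.
        System.out.println("radix 16 digits: " + checkedDigitCount(255, 16, 16));
        System.out.println("radix 10 digits: " + checkedDigitCount(255, 16, 10));
        System.out.println("radix 2 digits:  " + checkedDigitCount(255, 16, 2));

        // The unguarded loop with radix -1 or 1 never terminates on its own;
        // the bound makes that visible as -1.
        System.out.println("naive, radix -1: " + naiveDigitCount(255, -1, 1_000_000));
        System.out.println("naive, radix 1:  " + naiveDigitCount(255, 1, 1_000_000));

        // The guarded version refuses the same arguments up front.
        for (int badRadix : new int[] {-1, 0, 1}) {
            try {
                checkedDigitCount(255, 16, badRadix);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        try {
            checkedDigitCount(255, -8, 16);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac RadixCheckDemo.java && java RadixCheckDemo`. The practical point is the one the maintainer makes: validate radix and bitCount at the boundary where they enter, so no later loop has to reason about them. Note that the naive loop also throws ArithmeticException for radix 0, which is a different failure from the hang.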
Thanks for your reply, sir!👍
@seancfoley For awareness, it seems that https://nvd.nist.gov/vuln/detail/CVE-2023-50570 has been raised for this issue (and of course as a result, the library is getting flagged). The issue, however, isn't very critical IMHO, and hasn't yet been assigned a CVSS score. I think it's debatable if this should be raised as a CVE at all, instead of just a bug.
@rturner-edjuster I have become aware, and I agree with your assessment.
@rturner-edjuster Not only that, I consider this bug very minor, something never encountered in production code anywhere. That is because it makes no logical sense to pass in a radix less than 2 for an address division. It is simply not a valid argument, and nobody would see it as a valid argument. It doesn't strike me as a vulnerability at all, nor as a bug that needs any urgent attention. Anyway, thanks for the notification.
@seancfoley I reached out to GitHub, and they suggest reaching out to Mitre to reject the CVE:
The https://cveform.mitre.org/ form allows you to send a request to update a CVE, with rejection being one of the types of updates available. See: github/advisory-database#3279 (comment)
Thanks @mike-jumper for the suggestion, I have submitted the request to mitre (CVE Request 1586075).
Any update on the request to withdraw? |
There was no update to the mitre request. However, I noticed that on mitre and nist the vuln is now listed as disputed. The NIST page says "It is awaiting reanalysis". I will be doing a new release of IPAddress in the next two to three weeks. |
Fixed in version 5.4.1. Closing. |
Regarding the CVE record - so this is not considered a security issue?
@noren95 I do not consider it a security issue, and I don't see how it could be characterized as such.
IPAddress version: 5.1.0
I have this code that can't finish in time:
Is it a potential bug?