I would like to request GitHub Security Advisory / GitHub Advisory Database handling guidance, and where appropriate advisory entries, for two vulnerabilities I disclosed recently.

Summary

There are two separate cases:

- canvas/node-canvas v3.2.3 (https://www.npmjs.com/package/canvas): unfixed, see Case 1 below.
- psycopg2: fixed denial of service issue affecting the Python package. psycopg2 INTERVAL typecaster infinite loop / client-side DoS (CWE-190, CWE-835). Report: psycopg/psycopg2#1835. Issue has been fixed in version 2.9.12 following the disclosure.

Case 1: canvas/node-canvas

Package: canvas (Automattic/node-canvas)

Vulnerability class: Heap buffer overflow / native memory corruption in the package’s native code path.

Relevant CWE IDs:
- CWE-122: Heap-based Buffer Overflow
- CWE-787: Out-of-bounds Write
- CWE-190: Integer Overflow or Wraparound
- CWE-131: Incorrect Calculation of Buffer Size
- CWE-680: Integer Overflow to Buffer Overflow, as a chain description

Status: Unfixed / no maintainer response so far.

Disclosure attempts: I attempted to contact the maintainers through available channels, including GitHub and email. The repository does not appear to have a usable private security reporting pipeline enabled, and I did not receive a maintainer response. A public GitHub issue was opened after attempted private/coordinated contact failed:

Case 2: psycopg2

Package: psycopg2 (psycopg/psycopg2)

Report: psycopg/psycopg2#1835

Patch: psycopg/psycopg2#1836

Vulnerability class: Denial of service.

Suggested CWE: CWE-190, CWE-835

Status: Issue has been fixed in version 2.9.12 following the disclosure.

I am happy to provide reviewers with any additional technical details required, including affected version ranges, reproduction material, crash traces, sanitizer output, fix references, and the maintainer contact timeline. If preferred, I can also submit two separate pull requests to the GitHub Advisory Database repository if that is the preferred path.

Thank you for your assistance with this.
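As an added illustration of the CWE chain listed for Case 1 (CWE-190 integer overflow leading to CWE-131 incorrect buffer size and then CWE-122 heap overflow, the chain CWE-680 names), the following C shows the generic pattern in a hypothetical raster-buffer allocator: an unchecked `width * height * 4` size computation beside a checked one. This is example code written for this page, not code from the issue, from node-canvas, or from psycopg2, and it makes no claim about where either project's actual bug lies; all function names, the 4-bytes-per-pixel setting and the test dimensions are assumptions constructed for the demonstration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical raster-buffer allocator (not node-canvas code) used to
 * illustrate the CWE-190 -> CWE-131 -> CWE-122 chain: an integer overflow
 * in the size computation yields an undersized heap allocation, and the
 * pixel writes that follow run past its end. */

#define BYTES_PER_PIXEL 4u

/* Vulnerable variant: the product is evaluated in 32-bit unsigned arithmetic,
 * so attacker-chosen dimensions can wrap it to a small value (CWE-190) that
 * is then handed to malloc() as the buffer size (CWE-131). */
uint32_t unchecked_buffer_size(uint32_t width, uint32_t height) {
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened variant: each multiplication is tested for wraparound before it
 * is performed. Returns 0 and stores the byte count in *out on success, or
 * -1 if a dimension is zero or the byte count would not fit in size_t. */
int checked_buffer_size(uint32_t width, uint32_t height, size_t *out) {
    if (width == 0 || height == 0) return -1;
    if ((size_t)height > SIZE_MAX / width) return -1;
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL) return -1;
    *out = pixels * BYTES_PER_PIXEL;
    return 0;
}

/* How far a full-image fill would write past a buffer sized with
 * unchecked_buffer_size(): bytes actually needed minus bytes allocated.
 * A positive value is the CWE-787 / CWE-122 out-of-bounds write distance;
 * 0 means the unchecked size happened to be right. Computed arithmetically
 * (valid while the true size fits in 64 bits) so the demonstration itself
 * never touches memory out of bounds. */
int64_t overflow_bytes(uint32_t width, uint32_t height) {
    uint64_t needed = (uint64_t)width * height * BYTES_PER_PIXEL;
    uint64_t allocated = unchecked_buffer_size(width, height);
    return (int64_t)(needed - allocated);
}

/* Hardened allocation path: refuses dimensions whose byte count would wrap
 * instead of allocating a truncated buffer. The caller frees the result. */
unsigned char *alloc_image(uint32_t width, uint32_t height) {
    size_t bytes;
    if (checked_buffer_size(width, height, &bytes) != 0) return NULL;
    unsigned char *buf = malloc(bytes);
    if (buf == NULL) return NULL;
    memset(buf, 0, bytes); /* the fill is bounded by the size that was allocated */
    return buf;
}

int main(void) {
    /* Constructed dimensions: 65536 x 65536 wraps 65536*65536 to 0 in
     * uint32_t; 0x40000001 x 1 wraps 0x40000001*4 to 4. */
    uint32_t cases[][2] = { {16u, 16u}, {65536u, 65536u}, {0x40000001u, 1u} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i][0], h = cases[i][1];
        size_t safe;
        int fits = checked_buffer_size(w, h, &safe);
        printf("%" PRIu32 "x%" PRIu32 ": unchecked=%" PRIu32
               " bytes, overflow=%" PRId64 " bytes, checked=%s\n",
               w, h, unchecked_buffer_size(w, h), overflow_bytes(w, h),
               fits == 0 ? "fits in size_t" : "would wrap, rejected");
    }
    unsigned char *img = alloc_image(16u, 16u);
    free(img);
    return 0;
}
```

The checked variant only guards against wraparound; whether a 16 GiB allocation for a 65536 x 65536 image should be accepted at all is a separate limit the caller should impose on dimensions before the size is computed.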