Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 349569 (CVE-2010-5111) - <net-analyzer/echoping-6.0.2_p434 - Buffer Overflow Vulnerabilities (CVE-2010-5111)
Summary: <net-analyzer/echoping-6.0.2_p434 - Buffer Overflow Vulnerabilities (CVE-2010...
Status: RESOLVED FIXED
Alias: CVE-2010-5111
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/42619/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-12-24 04:42 UTC by Tim Sammut (RETIRED)
Modified: 2014-06-06 12:56 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-12-24 04:42:17 UTC
From the Secunia advisory at $URL:

Description
Some vulnerabilities have been discovered in echoping, which can be exploited by malicious people to potentially compromise a user's system.

1) A boundary error exists within the "TLS_readline()" function in readline.c, which can be exploited to overflow a global buffer by sending an overly long encrypted HTTP reply to echoping.

Successful exploitation requires that echoping is compiled with GNU TLS support.

2) A boundary error exists within the "SSL_readline()" function in readline.c, which can be exploited to overflow a global buffer by sending an overly long encrypted HTTP reply to echoping.

Successful exploitation requires that echoping is compiled with SSL support.

The vulnerabilities are confirmed in version 6.0.2. Other versions may also be affected.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-24 17:02:08 UTC
Looks like [1] which has a patch attached.


[1] http://sourceforge.net/tracker/?func=detail&aid=3137686&group_id=4581&atid=104581
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 04:33:11 UTC
@maintainers: ping, patching would be nice.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-09-03 14:09:24 UTC
I'm preparing a new ebuild based on an SVN snapshot.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-09-03 14:56:10 UTC
Arch teams, please test and mark stable:
=net-analyzer/echoping-6.0.2_p434
Targeted stable KEYWORDS : amd64 x86
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-04 12:47:14 UTC
amd64 stable
Comment 6 Myckel Habets 2013-09-09 09:48:43 UTC
Builds and runs fine on x86. Please mark stable for x86.
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-14 10:21:59 UTC
x86 stable
Comment 8 Sergey Popov gentoo-dev 2013-10-17 11:47:24 UTC
Thanks for you work. GLSA request filed.
Comment 9 Sergey Popov gentoo-dev 2013-10-28 11:27:07 UTC
CVE number was reassigned - now this is CVE-2010-5111

Confirmation - http://www.openwall.com/lists/oss-security/2013/10/21/9
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-06-06 12:56:52 UTC
This issue was resolved and addressed in
 GLSA 201406-07 at http://security.gentoo.org/glsa/glsa-201406-07.xml
by GLSA coordinator Sergey Popov (pinkbyte).