| Summary: | <net-libs/openslp-2.0.0-r3 : Denial of Service Vulnerability (CVE-2012-4428) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | Keywords: | PATCH |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/50130/ | | |
| Whiteboard: | B3 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 595542 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2012-09-13 16:26:17 UTC

I was going to file a separate "version bump" bug, but after finding this one, it seems more efficient to just add that information here. Openslp 2.0.0 was recently released (first release in more than eight years), which likely will have a solution for this problem. I've added 2.0.0 to the tree, however I cannot test it at all, so NO KEYWORDS. Will need full re-keywording.

Debian patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=27;filename=CVE-2012-4428.patch;att=1;bug=687597

@maintainers, please patch and confirm that 2.0.0 is no longer affected. Request stabilization in this bug when ready.

@Maintainer(s): According to https://sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a/log/?path=/openslp/common/slp_compare.c upstream has never patched the SLPContainsStringList function which contains the vulnerability. So please pick up Debian's version and report upstream.

Strangely, this issue was never addressed in 2.0.0 (not even in the upstream hg repository). I've forward-ported the patch (one chunk needed adapting since someone creatively re-arranged {brack{}ets}, one chunk isn't needed anymore since the code has been independently rewritten). Added in net-libs/openslp-2.0.0-r3.

Added to an existing GLSA Request.

Nothing to do for printing here anymore.

This issue was resolved and addressed in GLSA 201707-05 at https://security.gentoo.org/glsa/201707-05 by GLSA coordinator Thomas Deutschmann (whissi).
I was going to file a separate "version bump" bug, but after finding this one, it seems more efficient to just add that information here. Openslp 2.0.0 was recently released (first release in more than eight years), which likely will have a solution for this problem. I've added 2.0.0 to the tree, however I cannot test it at all, so NO KEYWORDS. Will need full re-keywording. Debian patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=27;filename=CVE-2012-4428.patch;att=1;bug=687597 . @maintainers, Please patch and confirm that 2.0.0 is no longer affected. Request stabilization in this bug when ready. @ Maintainer(s): According to https://sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a/log/?path=/openslp/common/slp_compare.c upstream has never patch SLPContainsStringList function which contains the vulnerability. So please pick-up Debian's version and report upstream. Strangely this issue was never addressed in 2.0.0 (not even in the upstream hg repository). I've forward-ported the patch (one chunk needed adapting since someone creatively re-arranged {brack{}ets}, one chunk isn't needed anymore since the code has been independently rewritten). Added in net-libs/openslp-2.0.0-r3. Added to an existing GLSA Request. Nothing to do for printing here anymore. This issue was resolved and addressed in GLSA 201707-05 at https://security.gentoo.org/glsa/201707-05 by GLSA coordinator Thomas Deutschmann (whissi). |