
Bug 550124 (CVE-2015-4054)

Summary: <dev-db/pgbouncer-1.5.5: DoS/remote crash: invalid packet order causes lookup of NULL pointer (CVE-2015-4054)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: bug, bugs, pgsql-bugs, proxy-maint, titanofold
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2015/05/21/2
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 600184    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2015-05-22 07:13:50 UTC
From ${URL} :

PgBouncer, a lightweight connection pooler for PostgreSQL, fixed the
following issue with the 1.5.5 release:

> Fix remote crash - invalid packet order causes lookup of NULL
> pointer. Not exploitable, just DoS.

https://pgbouncer.github.io/2015/04/pgbouncer-1-5-5/

The issue was reported in
https://github.com/pgbouncer/pgbouncer/issues/42 and fixed in master
with
https://github.com/pgbouncer/pgbouncer/commit/edab5be6665b9e8de66c25ba527509b229468573
and in the stable-1.5 branch with
https://github.com/pgbouncer/pgbouncer/commit/74d6e5f7de5ec736f71204b7b422af7380c19ac5



@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Marcin Mirosław 2016-09-14 09:33:28 UTC
Pgbouncer-1.6.1 fixes CVE-2015-6817 [1] "authentication bypass".

[1] - https://security-tracker.debian.org/tracker/CVE-2015-6817
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2016-09-16 21:33:23 UTC
(In reply to Marcin Mirosław from comment #1)
> Pgbouncer-1.6.1 fixes CVE-2015-6817 [1] "authentication bypass".
> 
> [1] - https://security-tracker.debian.org/tracker/CVE-2015-6817

That is a different Bug - This one is 2015-4054. It does not look like CVE-2015-6817 was filed.

Maintainers, is the stable version for this bug CVE-2015-4054 in tree?
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 18:14:12 UTC
Any stabilization effort should go into new sec bug 600184.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 13:31:14 UTC
Added to existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:25:25 UTC
This issue was resolved and addressed in
 GLSA 201701-24 at https://security.gentoo.org/glsa/201701-24
by GLSA coordinator Aaron Bauman (b-man).