Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 583396 (CVE-2016-4912)

Summary: <net-libs/openslp-2.0.0-r2: null pointer dereference
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2016/05/18/1
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 595542    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-05-18 10:31:06 UTC
From ${URL} :

The following flaw was reported to us by Yuguang Cai. Basically return
value from malloc isnt checked, in _xrealloc function. This can be
triggered remotely by sending a large number of request, which could
possibly lead malloc to fail at one point, causing crash via null
pointer deref.

Because of the way memory works on modern linux systems, this one seems
to be difficult to exploit, so i am wondering if a CVE id should really
be assigned to this issue.

Details at:
https://bugzilla.redhat.com/show_bug.cgi?id=1329295



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-02-18 13:03:29 UTC
commit a5ebb986de32e702fece9392cc511a6e2d31f08a
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date:   Sat Feb 18 14:01:53 2017 +0100

    net-libs/openslp: EAPI bump, add Fedora patch for CVE 2016-4912
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1

 net-libs/openslp/files/openslp-2.0.0-CVE-2016-4912.patch | 15 +++++++++++++++
 net-libs/openslp/openslp-2.0.0-r2.ebuild                 | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)


Added the patch from Fedora. 

Since 2.0.0 is only freshly rekeyworded we should probably wait a bit now.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 19:17:06 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Thomas Deutschmann gentoo-dev 2017-06-03 22:29:55 UTC
Added to an existing GLSA.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-06-09 23:24:33 UTC
Nothing to do for printing here anymore.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:35:29 UTC
This issue was resolved and addressed in
 GLSA 201707-05 at https://security.gentoo.org/glsa/201707-05
by GLSA coordinator Thomas Deutschmann (whissi).