Bug 85347

Summary:	net-libs/openslp: Buffer Overflow Vulnerabilities
Product:	Gentoo Security	Reporter:	Luke Macken (RETIRED) <lewk>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	liquidx
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	http://secunia.com/advisories/14561/
Whiteboard:	B1 [glsa]
Package list:		Runtime testing required:	---

Description Luke Macken (RETIRED) gentoo-dev

2005-03-15 07:18:37 UTC

Description:
SUSE Security Team has reported some vulnerabilities in OpenSLP, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerabilities are caused due to various boundary errors and can be exploited to cause buffer overflows via specially crafted SLP packets.

Successful exploitation may allow execution of arbitrary code.

Solution:
Update to version 1.2.1.
http://sourceforge.net/project/showfiles.php?group_id=1730

Provided and/or discovered by:
SUSE Security Team

Original Advisory:
http://www.novell.com/linux/security/advisories/2005_15_openslp.html

Comment 1 Luke Macken (RETIRED) gentoo-dev

2005-03-15 07:20:36 UTC

*** Bug 83685 has been marked as a duplicate of this bug. ***

Comment 2 Luke Macken (RETIRED) gentoo-dev

2005-03-15 07:28:53 UTC

No metadata for this package.  liquidx, you have bumped this package in the past.  Please update to 1.2.1.

Comment 3 Alastair Tse (RETIRED) gentoo-dev

2005-03-16 01:38:59 UTC

updated to 1.2.1 and stable for x86. added metadata.xml as well.

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2005-03-16 01:46:56 UTC

Arches, please test and mark stable

Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-03-16 10:27:04 UTC

Stable on ppc.

Comment 6 Markus Rothe (RETIRED) gentoo-dev

2005-03-16 11:45:18 UTC

stable on ppc64

Comment 7 Bryan Østergaard (RETIRED) gentoo-dev

2005-03-16 14:23:56 UTC

Stable on alpha.

Comment 8 Hardave Riar (RETIRED) gentoo-dev

2005-03-17 01:42:32 UTC

Stable on mips.

Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev

2005-03-17 07:31:22 UTC

sparc stable.

Comment 10 Jan Brinkmann (RETIRED) gentoo-dev

2005-03-17 11:23:55 UTC

openslp 1.2.1 fails for me in src_test, i.e. with FEATURES="maketest" enabled:

http://dev.gentoo.org/~luckyduck/misc/openslp-maketest.txt

not stable on amd64 for the moment, what todo about that?

Comment 11 Danny van Dyk (RETIRED) gentoo-dev

2005-03-17 20:45:14 UTC

Neither the version of net-libs/openslp in the tree nor SUSE's openslp-1.1.5 pass
make check on amd64. I masked the slp USE flag and package.mask'ed net-libs/openslp for all amd64 profiles. All openslp packages are now marked
"-amd64" as well.

Comment 12 Alastair Tse (RETIRED) gentoo-dev

2005-03-18 03:42:16 UTC

err, actually the tests fail on x86 as well. i don't run with maketest because too many packages have broken tests anyway. i'm disabling the tests for both 1.0.11 and 1.2.1, so you can mark amd64 back on those if you like.

Comment 13 Thierry Carrez (RETIRED) gentoo-dev

2005-03-20 06:43:16 UTC

If it works and the tests incorrectly report failure, then maybe it could be marked amd64-stable as in "doesn't work worse than what was the latest stable version before"...

Other option: we can list amd64 as not having any fix for this and advise amd64 users to remove the package. amd64 team, your choice.

Comment 14 Jan Brinkmann (RETIRED) gentoo-dev

2005-03-20 07:22:11 UTC

stable on amd64, where the tests are disabled =)

Comment 15 Thierry Carrez (RETIRED) gentoo-dev

2005-03-20 13:44:32 UTC

GLSA 200503-25
arm/hppa/ia64/s390 should mark stable to benefit from GLSA

Comment 16 René Nussbaumer (RETIRED) gentoo-dev

2005-06-26 06:54:39 UTC

Stable on hppa