Bug 360061 (CVE-2010-3609) - <net-libs/openslp-2.0.0: Denial of Service Vulnerability (CVE-2010-3609)
Summary: <net-libs/openslp-2.0.0: Denial of Service Vulnerability (CVE-2010-3609)
Status: RESOLVED FIXED
Alias: CVE-2010-3609
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://openslp.svn.sourceforge.net/vi...
Whiteboard: B3 [glsa cve]
Keywords: PATCH
Duplicates: CVE-2015-5155
Depends on: CVE-2016-7567
Blocks:
Reported: 2011-03-23 06:16 UTC by Tim Sammut (RETIRED)
Modified: 2017-07-08 12:35 UTC (History)

See Also:
Package list:
=net-libs/openslp-2.0.0-r4
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2011-03-23 06:16:21 UTC
From the US-CERT Vulnerability Note at http://www.kb.cert.org/vuls/id/393783:

I. Description
Service Location Protocol is an IETF standards track protocol that provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networks. The OpenSLP project is an effort to develop an open-source implementation of Service Location Protocol. When OpenSLP parses an SLP packet containing malformed extensions, the extension parser will enter an infinite loop, causing a denial-of-service condition.

If an attacker creates a packet containing a "next extension offset" pointing to itself or to a previous extension, the extension parser will enter an infinite loop consuming 100% of the CPU.

II. Impact
A remote unauthenticated attacker may be able to create a denial-of-service condition. 

The upstream fix is at $URL.
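The loop described above is easy to reproduce in miniature. The following C program is an added example written for this page; it is not OpenSLP's parser and not the upstream patch linked in the URL field. It lays out an SLPv2 message per RFC 2608 (header bytes 7..9 carry the first "next extension offset"; each extension is a 2-byte ID, a 3-byte next offset and data; offsets count from the start of the message; 0 ends the chain), then walks the extension chain in two modes: a naive walk that only bounds-checks each offset before following it, and a hardened walk that also requires every offset to lie past the header and to be strictly greater than the previous one. The hardened check is the generic fix for this class of bug (it rejects an offset that points at itself or backwards instead of following it); the exact check OpenSLP adopted may differ. The message bytes, the `max_steps` budget that keeps the naive walk from spinning forever in the demo, and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this demo parser (not OpenSLP's own). */
enum { EXT_MALFORMED = -1, EXT_LOOP_DETECTED = -2 };

static uint32_t get24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put24(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/*
 * Walk the SLPv2 extension chain of one message.
 *
 * strict == 0: trust every offset except for a bounds check, as a naive parser would.
 * strict == 1: additionally require each offset to lie past the header and to be
 *              strictly greater than the previous one, so an offset that points at
 *              itself or backwards is rejected instead of being followed.
 * max_steps exists only so the naive walk terminates in this demo; a real parser
 * without the monotonic check spins until the process is killed.
 *
 * Returns the number of extensions on success, or a negative EXT_* code.
 */
int walk_extensions(const uint8_t *msg, size_t len, int strict, unsigned max_steps)
{
    if (len < 14) return EXT_MALFORMED;
    size_t hdr_end = 14 + get16(msg + 12);          /* fixed header + language tag */
    if (hdr_end > len) return EXT_MALFORMED;

    uint32_t off = get24(msg + 7);                   /* first "next extension offset" */
    uint32_t prev = 0;
    int n = 0;
    unsigned steps = 0;
    while (off != 0) {
        if (++steps > max_steps) return EXT_LOOP_DETECTED;
        if ((size_t)off + 5 > len) return EXT_MALFORMED;          /* ID + next offset must fit */
        if (strict && (off < hdr_end || off <= prev)) return EXT_MALFORMED;
        prev = off;
        n++;
        off = get24(msg + off + 2);                  /* follow the chain */
    }
    return n;
}

/* Constructed message: 16-byte header ("en" language tag), extension 1 at offset 16
   (8 bytes), extension 2 at offset 24 (5 bytes); 29 bytes total. The caller chooses
   what each extension's "next extension offset" says. */
#define MSG_LEN 29
size_t build_msg(uint8_t out[MSG_LEN], uint32_t ext1_next, uint32_t ext2_next)
{
    memset(out, 0, MSG_LEN);
    out[0] = 2;                    /* version 2 */
    out[1] = 1;                    /* function-id 1 = SrvRqst */
    put24(out + 2, MSG_LEN);       /* message length */
    put24(out + 7, 16);            /* header -> first extension at offset 16 */
    put16(out + 10, 0x1234);       /* XID, arbitrary */
    put16(out + 12, 2); out[14] = 'e'; out[15] = 'n';
    put16(out + 16, 0x0002); put24(out + 18, ext1_next); memcpy(out + 21, "abc", 3);
    put16(out + 24, 0x0003); put24(out + 26, ext2_next);
    return MSG_LEN;
}

/* Build the message and walk it; returns what walk_extensions returns. */
int check_chain(uint32_t ext1_next, uint32_t ext2_next, int strict)
{
    uint8_t msg[MSG_LEN];
    size_t len = build_msg(msg, ext1_next, ext2_next);
    return walk_extensions(msg, len, strict, 1000);
}

int main(void)
{
    struct { const char *name; uint32_t e1, e2; } cases[] = {
        { "well-formed chain 16 -> 24 -> end", 24, 0 },
        { "ext1 points at itself",            16, 0 },
        { "ext2 points back at ext1",         24, 16 },
        { "offset beyond the buffer",         1000, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s naive=%d strict=%d\n", cases[i].name,
               check_chain(cases[i].e1, cases[i].e2, 0),
               check_chain(cases[i].e1, cases[i].e2, 1));
    return 0;
}
```

The self-pointing and backward-pointing cases are the two shapes the US-CERT note describes: the naive walk keeps re-reading the same extension until its step budget runs out (and would never stop without one), while the monotonic check fails them on the second visit. Note that a bounds check alone is not enough; the fourth case passes both walks' bounds check logic identically, and only the direction check catches the loop.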
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2012-01-22 21:45:31 UTC
This applies to openslp-2.0.0_betaXXX (not sure), which we don't even have in portage yet.

The patched file is not present in our openslp-1.2.1.

No 2.0.0 release has been made so far.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-01-23 07:18:41 UTC
Ok, thank you. Resolving this as INVALID.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 16:46:47 UTC
*** Bug 560694 has been marked as a duplicate of this bug. ***
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 16:48:22 UTC
Re-opening, affected version is now in repository.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-02-19 17:39:58 UTC
(In reply to Thomas Deutschmann from comment #4)
> Re-opening, affected version is now in repository.

We never had an affected version. This was fixed already in the 2.0.0 release.

Nothing to do here.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 14:08:37 UTC
(In reply to Andreas K. Hüttel from comment #5)
> (In reply to Thomas Deutschmann from comment #4)
> > Re-opening, affected version is now in repository.
> 
> We never had an affected version. This was fixed already in the 2.0.0
> release.
> 
> Nothing to do here.

On x86 arch (stable):

> # emerge -p net-libs/openslp
> 
> These are the packages that would be merged, in order:
> 
> Calculating dependencies... done!
> [ebuild  N     ] net-libs/openslp-1.2.1-r3::gentoo  866 KiB

From https://bugzilla.redhat.com/show_bug.cgi?id=684294#c2:

> I think the openslp package versions, as shipped with Fedora release
> of 13 and 14, and as present within EPEL-5 repository is affected by this
> flaw too (just the particular code doesn't live in slp_v2message.c as in
> upstream v2.0.beta1 openslp version, but rather in slp_message.c and
> particular affected routine is called:
> 
>  868 int ParseExtension(SLPBuffer buffer, SLPMessage message)
> 
> in Fedora's / EPEL's openslp v1.2.1 upstream based versions).
> 
> So under my opinion, the proposed upstream patch from above comment
> should be backported to address this issue in these versions too.

So we either need to backport the fix to our 1.2.1 version or stabilize =net-libs/openslp-2.0.0-r4 for example.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2017-05-21 02:47:45 UTC
Added to an existing GLSA Request.
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2017-06-09 23:10:53 UTC
Nothing to do for printing here anymore.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:35:12 UTC
This issue was resolved and addressed in
 GLSA 201707-05 at https://security.gentoo.org/glsa/201707-05
by GLSA coordinator Thomas Deutschmann (whissi).