Quoting the ChangeLog from net-analyzer/sflowtool-3.20: April-8-2010 3.15 - add host-sflow structure decodes - add more wifi-sflow structure decodes - fix bug/overrun vulnerability in getData32 - thanks to Sven Eshenberg Seems to be this code: @@ -1361,14 +1365,23 @@ -----------------___________________________------------------ */ +static u_int32_t getData32_nobswap(SFSample *sample) { + u_int32_t ans = *(sample->datap)++; + // make sure we didn't run off the end of the datagram. Thanks to + // Sven Eschenberg for spotting a bug/overrun-vulnerabilty that was here before. + if((u_char *)sample->datap > sample->endp) SFABORT(sample, SF_ABORT_EOS); + return ans; +} + static u_int32_t getData32(SFSample *sample) { - if((u_char *)sample->datap >= sample->endp) SFABORT(sample, SF_ABORT_EOS); - return ntohl(*(sample->datap)++); + return ntohl(getData32_nobswap(sample)); } -static u_int32_t getData32_nobswap(SFSample *sample) { - if((u_char *)sample->datap >= sample->endp) SFABORT(sample, SF_ABORT_EOS); - return *(sample->datap)++; +static float getFloat(SFSample *sample) { + float fl; + u_int32_t reg = getData32(sample); + memcpy(&fl, ®, 4); + return fl; } Needless, to say, this is fixed in 3.20, which is in the tree.
Thanks for the bug, Jeroen. Arches, please test and mark stable: =net-analyzer/sflowtool-3.20 Target keywords : "ppc x86"
x86 stable
ppc done; closing as last arch
(In reply to comment #3) > ppc done; closing as last arch "Note: Please do not mark this bug as resolved after bumping or stabilizing. The Security Team will take care of that. Thanks."
Thanks, folks. ;) GLSA request filed.
Current stable version in tree is 3.27, as it's unaffected, maybe this bug should be closed?
(In reply to comment #6) > Current stable version in tree is 3.27, as it's unaffected, maybe this bug > should be closed? security@ has its ways.
This issue was resolved and addressed in GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml by GLSA coordinator Sean Amoss (ackle).
