Bug 595542 (CVE-2016-7567) - <net-libs/openslp-2.0.0-r4 : Memory Corruption
Summary: <net-libs/openslp-2.0.0-r4 : Memory Corruption
Status: RESOLVED FIXED
Alias: CVE-2016-7567
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2010-3609 CVE-2012-4428 CVE-2016-4912
Reported: 2016-09-29 14:17 UTC by Agostino Sarubbo
Modified: 2017-07-08 12:35 UTC

See Also:
Package list:
=net-libs/openslp-2.0.0-r4
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-09-29 14:17:18 UTC
From ${URL} :

The following commit fixes a memory corruption bug that I reported in OpenSLP:

https://sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a/

Below are the details of the issue:

static int SLPFoldWhiteSpace(size_t len, char * str)
{
      char * p = str, * ep = str + len;
      while (p < ep)
      {
            if (isspace(*p))
            {
                char * ws2p = ++p;
                while (isspace(*p))
                     p++;
                len -= p - ws2p;
                memmove(ws2p, p, ep - p);

The outer while loop checks for p < ep, but lack of bound check in
inner while loop could result in p > ep. This will result in passing a
very large 'size_t len' (ep - p) parameter for memmove().



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
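
Added example, not part of the bug report or the OpenSLP source: it shows the value `(ep - p)` takes when the inner scan runs past `ep`, next to a bounded in-place fold. The names `inner_scan`, `memmove_count`, `fold_ws_bounded` and `alloc_end` are hypothetical, the sample buffers are constructed, and the bounded fold is one way to write the check, not the upstream patch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Inner scan. bounded=0 replays the reported loop (stops only at a non-space
 * byte); bounded=1 adds the p < ep check. alloc_end caps reads at the end of
 * the demo allocation so this demonstration never leaves its own buffer. */
static const char *inner_scan(const char *p, const char *ep,
                              const char *alloc_end, int bounded)
{
    while (p < alloc_end && (!bounded || p < ep) && isspace((unsigned char)*p))
        p++;
    return p;
}

/* Third memmove() argument as the reported code computes it: (ep - p) as
 * size_t. ws2 is the index of the second whitespace byte (ws2p). */
static size_t memmove_count(const char *buf, size_t len, size_t cap,
                            size_t ws2, int bounded)
{
    const char *ep = buf + len;
    const char *p = inner_scan(buf + ws2, ep, buf + cap, bounded);
    return (size_t)(ep - p);   /* p > ep wraps to a huge count */
}

/* Hypothetical bounded fold (not the upstream patch): collapses each run of
 * whitespace to its first byte in place and returns the new length. */
static size_t fold_ws_bounded(size_t len, char *str)
{
    char *p = str, *ep = str + len;
    while (p < ep) {
        if (!isspace((unsigned char)*p)) { p++; continue; }
        char *ws2p = ++p;
        while (p < ep && isspace((unsigned char)*p))   /* the missing bound */
            p++;
        memmove(ws2p, p, (size_t)(ep - p));   /* ep >= p always holds here */
        ep -= p - ws2p;                        /* buffer shrank by the fold */
        p = ws2p;                              /* resume at the moved data */
    }
    return (size_t)(ep - str);
}

int main(void)
{
    static const char sample[] = "ab    x";   /* constructed: len 4, cap 7 */
    char msg[] = "a  b   c ";                 /* constructed input */
    printf("unbounded count: %zu, bounded count: %zu\n",
           memmove_count(sample, 4, 7, 3, 0), memmove_count(sample, 4, 7, 3, 1));
    printf("folded length: %zu\n", fold_ws_bounded(strlen(msg), msg));
}
```

The constructed buffer has a logical length of 4 but whitespace continues in the bytes after it, which is the condition under which the unbounded scan leaves `p` beyond `ep`.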
Comment 1 Andreas K. Hüttel gentoo-dev 2017-02-19 16:55:24 UTC
commit d9daa618c8a85908978180048f86c08c7a4dc85d
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date:   Sun Feb 19 17:48:34 2017 +0100

    net-libs/openslp: Add patch for CVE-2016-7567, bug 595542
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1

 net-libs/openslp/files/openslp-2.0.0-CVE-2016-7567.patch | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 net-libs/openslp/openslp-2.0.0-r4.ebuild                 | 44 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 138 insertions(+)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2017-04-30 18:39:35 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 3 Andreas K. Hüttel gentoo-dev 2017-04-30 19:23:24 UTC
Arches please stabilize net-libs/openslp-2.0.0-r4
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-01 13:37:15 UTC
amd64 stable
Comment 5 Jeroen Roovers gentoo-dev 2017-05-04 07:11:27 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2017-05-04 15:55:33 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2017-05-04 20:00:44 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-05-12 14:55:27 UTC
sparc stable
Comment 9 Tobias Klausmann gentoo-dev 2017-05-12 17:59:14 UTC
Stable on alpha.
Comment 10 Michael Weber (RETIRED) gentoo-dev 2017-05-13 19:56:44 UTC
ppc ppc64 stable.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-21 02:46:53 UTC
New GLSA Request filed.

ia64 is not a security supported arch, proceeding with the rest of the process
ia64 please finish stabilization or drop from stable.
Comment 12 Sergei Trofimovich gentoo-dev 2017-06-04 20:17:56 UTC
ia64 stable

Last arch is done.
Comment 13 Thomas Deutschmann gentoo-dev Security 2017-06-04 20:22:13 UTC
@ Maintainer(s): Please cleanup and drop <net-libs/openslp-2.0.0-r4!
Comment 14 Andreas K. Hüttel gentoo-dev 2017-06-09 23:25:04 UTC
Cleanup done. Nothing to do for printing here anymore.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:35:37 UTC
This issue was resolved and addressed in
 GLSA 201707-05 at https://security.gentoo.org/glsa/201707-05
by GLSA coordinator Thomas Deutschmann (whissi).