632656 – dev-python/ovs: multiple memory leaks while parsing malformed OpenFlow group mod messages

Bug 632656 - dev-python/ovs: multiple memory leaks while parsing malformed OpenFlow group mod messages

Summary: dev-python/ovs: multiple memory leaks while parsing malformed OpenFlow group ...

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	C4 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2017-10-01 20:46 UTC by Aleksandr Wagner (Kivak)
Modified:	2017-10-04 03:50 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aleksandr Wagner (Kivak) 2017-10-01 20:46:14 UTC

CVE-2017-14970 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14970):

In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages. 

References:

https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html
https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339086.html

@Maintainer(s): Please provide an updated ebuild, thank you.

Comment 1 Aleksandr Wagner (Kivak) 2017-10-04 00:28:56 UTC

@ Maintainer(s): Please confirm that this package is vulnerable. Bug 633420 for the package net-misc/openvswitch might also be vulnerable.

Comment 2 Matthew Thode ( prometheanfire ) archtester

2017-10-04 00:43:25 UTC

don't think this applies, this is just the python library.

https://github.com/openvswitch/ovs/tree/v2.8.1/python