An issue was discovered in amqp_handle_input in amqp_connection.c in
rabbitmq-c 0.9.0. There is an integer overflow that leads to heap memory
corruption in the handling of CONNECTION_STATE_HEADER. A rogue server could
return a malicious frame header that leads to a smaller target_size value
than needed. This condition is then carried on to a memcpy function that
copies too much data into a heap buffer.
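
The size wrap described above, as an added example that is not rabbitmq-c's code or part of the original report: a simplified model of a frame-header size calculation in unchecked and checked form. The 7-byte header and 1-byte frame end follow AMQP 0-9-1 framing, which the page does not state; FRAME_MAX, the function names and the sample headers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed AMQP 0-9-1 framing (not stated on the page): 7-byte header
 * (type:1, channel:2, payload size:4, big-endian) and a 1-byte frame end. */
#define HEADER_SIZE 7u
#define FOOTER_SIZE 1u
#define FRAME_MAX 131072u /* hypothetical negotiated frame limit */

/* Read the peer-controlled payload size from bytes 3..6 of the header. */
static uint32_t payload_size(const uint8_t *hdr) {
  return ((uint32_t)hdr[3] << 24) | ((uint32_t)hdr[4] << 16) |
         ((uint32_t)hdr[5] << 8) | (uint32_t)hdr[6];
}

/* Unchecked form: the 32-bit sum wraps, so a huge declared payload
 * yields a tiny target size. Kept only to make the wrap visible. */
uint32_t target_size_unchecked(const uint8_t *hdr) {
  return payload_size(hdr) + HEADER_SIZE + FOOTER_SIZE;
}

/* Checked form: validate the declared size before doing any arithmetic.
 * Returns 0 and sets *out on success, -1 if the header must be rejected. */
int target_size_checked(const uint8_t *hdr, size_t *out) {
  uint32_t payload = payload_size(hdr);
  if (payload > FRAME_MAX - HEADER_SIZE - FOOTER_SIZE)
    return -1; /* declared payload cannot fit in any permitted frame */
  *out = (size_t)payload + HEADER_SIZE + FOOTER_SIZE;
  return 0;
}

/* Constructed sample headers: type 1, channel 0, then the size field. */
const uint8_t HDR_OK[7] = {1, 0, 0, 0x00, 0x00, 0x00, 0x10};
const uint8_t HDR_WRAP[7] = {1, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF};

int main(void) {
  size_t n = 0;
  int rc;
  printf("unchecked(wrap) = %u\n", (unsigned)target_size_unchecked(HDR_WRAP));
  printf("checked(wrap)   = %d\n", target_size_checked(HDR_WRAP, &n));
  rc = target_size_checked(HDR_OK, &n);
  printf("checked(ok)     = %d, size %zu\n", rc, n);
  return 0;
}
```

A receiver that sizes its buffer from the unchecked result and then copies the declared payload is in the state the report describes; rejecting the header before the addition removes it.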

The bug has been referenced in the following commit(s):

Author: Thomas Deutschmann <firstname.lastname@example.org>
AuthorDate: 2019-12-26 15:14:28 +0000
Commit: Thomas Deutschmann <email@example.com>
CommitDate: 2019-12-26 15:14:28 +0000
net-libs/rabbitmq-c: security cleanup
Package-Manager: Portage-2.3.83, Repoman-2.3.20
Signed-off-by: Thomas Deutschmann <firstname.lastname@example.org>
net-libs/rabbitmq-c/Manifest | 1 -
net-libs/rabbitmq-c/rabbitmq-c-0.9.0.ebuild | 55 -----------------------------
2 files changed, 56 deletions(-)

New GLSA request filed.

This issue was resolved and addressed in
GLSA 202003-07 at https://security.gentoo.org/glsa/202003-07
by GLSA coordinator Thomas Deutschmann (whissi).