From Vendor-Sec: I've had a look at the openslp code (some service-location protol implementation). Attached is the audit log and a patch for these issues made by our maintainer. The strcat() overflow in libslp/libslp_network.c is already fixed in another diff as I was told so it is missing in the patch. Issue is not public, if anyone of you also ships this we should make a timeline.
Created attachment 52386 [details] openslp-1.1.5.AUD
Created attachment 52387 [details, diff] openslp.audit.diff
Package: net-libs/openslp Maintainer: Error (Missing metadata.xml) Existing keywords and pkg version. openslp-1.0.11: ppc s390 x86 ppc64 arm sparc alpha ia64 mips hppa amd64 The following people have been involved with this package in the past. 2 kumba@gentoo.org 2 gmsoft@gentoo.org 1 woodchip@gentoo.org 1 verwilst@gentoo.org 1 tgall@gentoo.org 1 seemant@gentoo.org 1 randy@gentoo.org 1 raker@gentoo.org 1 manson@gentoo.org 1 liquidx@gentoo.org 1 gustavoz@gentoo.org 1 gbevin@gentoo.org 1 eradicator@gentoo.org 1 darkspecter@gentoo.org 1 cselkirk@gentoo.org 1 agriffis@gentoo.or
I've had a quick look at the diff and the source code. Specifical sldp_outgoing.c and sldp_incoming.c both trust the value in peek to allocate a buffer. Pretty sure that can be abused for a heap overflow and be exploitable on systems without chunk-protection malloc patches. If this needs a serious review please let me know, I've spent very little time on it.
Now public, but we should probably open a new bug for this if it applies to us.
Closing confidential bug. *** This bug has been marked as a duplicate of 85347 ***
