Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 85347 - net-libs/openslp: Buffer Overflow Vulnerabilities
Summary: net-libs/openslp: Buffer Overflow Vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
: 83685 (view as bug list)
Depends on:
Reported: 2005-03-15 07:18 UTC by Luke Macken (RETIRED)
Modified: 2005-08-15 22:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2005-03-15 07:18:37 UTC
SUSE Security Team has reported some vulnerabilities in OpenSLP, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerabilities are caused due to various boundary errors and can be exploited to cause buffer overflows via specially crafted SLP packets.

Successful exploitation may allow execution of arbitrary code.

Update to version 1.2.1.

Provided and/or discovered by:
SUSE Security Team

Original Advisory:
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-03-15 07:20:36 UTC
*** Bug 83685 has been marked as a duplicate of this bug. ***
Comment 2 Luke Macken (RETIRED) gentoo-dev 2005-03-15 07:28:53 UTC
No metadata for this package.  liquidx, you have bumped this package in the past.  Please update to 1.2.1.
Comment 3 Alastair Tse (RETIRED) gentoo-dev 2005-03-16 01:38:59 UTC
updated to 1.2.1 and stable for x86. added metadata.xml as well.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-16 01:46:56 UTC
Arches, please test and mark stable
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-16 10:27:04 UTC
Stable on ppc.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2005-03-16 11:45:18 UTC
stable on ppc64
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-16 14:23:56 UTC
Stable on alpha.
Comment 8 Hardave Riar (RETIRED) gentoo-dev 2005-03-17 01:42:32 UTC
Stable on mips.
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2005-03-17 07:31:22 UTC
sparc stable.
Comment 10 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-17 11:23:55 UTC
openslp 1.2.1 fails for me in src_test, i.e. with FEATURES="maketest" enabled:

not stable on amd64 for the moment, what todo about that?
Comment 11 Danny van Dyk (RETIRED) gentoo-dev 2005-03-17 20:45:14 UTC
Neither the version of net-libs/openslp in the tree nor SUSE's openslp-1.1.5 pass
make check on amd64. I masked the slp USE flag and package.mask'ed net-libs/openslp for all amd64 profiles. All openslp packages are now marked
"-amd64" as well.
Comment 12 Alastair Tse (RETIRED) gentoo-dev 2005-03-18 03:42:16 UTC
err, actually the tests fail on x86 as well. i don't run with maketest because too many packages have broken tests anyway. i'm disabling the tests for both 1.0.11 and 1.2.1, so you can mark amd64 back on those if you like.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-03-20 06:43:16 UTC
If it works and the tests incorrectly report failure, then maybe it could be marked amd64-stable as in "doesn't work worse than what was the latest stable version before"...

Other option: we can list amd64 as not having any fix for this and advise amd64 users to remove the package. amd64 team, your choice.
Comment 14 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-20 07:22:11 UTC
stable on amd64, where the tests are disabled =)
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-03-20 13:44:32 UTC
GLSA 200503-25
arm/hppa/ia64/s390 should mark stable to benefit from GLSA
Comment 16 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 06:54:39 UTC
Stable on hppa