Bug 498546 (CVE-2013-7298) - dev-libs/cxxtools : remote Denial of Service (CVE-2013-7298)
Summary: dev-libs/cxxtools : remote Denial of Service (CVE-2013-7298)
Status: RESOLVED FIXED
Alias: CVE-2013-7298
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [cleanup/glsa?]
Keywords:
Depends on:
Blocks: 423697
Reported: 2014-01-19 11:47 UTC by Agostino Sarubbo
Modified: 2016-05-16 18:52 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2014-01-19 11:47:14 UTC
From ${URL} :

Affected software: cxxtools
Description: By sending a crafted HTTP query parameter containing two
percent signs in a row, URL parsing would enter an infinite recursive
loop, leading to a crash. This allows a remote attacker to DOS the
server.
Affected versions: current releases (<= 2.2)
Fixed in version: 2.2.1
Fix: https://github.com/maekitalo/cxxtools/commit/142bb2589dc184709857c08c1e10570947c444e3
Release notes: http://www.tntnet.org/download/cxxtools-2.2.1/Releasenotes-2.2.1.markdown
Reported by: Julian Wiesener



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Joerg Bornkessel (RETIRED) gentoo-dev 2014-01-20 19:16:57 UTC
bumped to cxxtools-2.2.1

stabilizing is not needed, previous versions run on ~ARCH in all attached arches

anyway, I will add it to my ToDo list for stabilisation due to the 30 day period

thanks for reporting this...
Comment 2 Sergey Popov gentoo-dev 2014-01-23 08:03:17 UTC
(In reply to Joerg Bornkessel from comment #1)
> bumped to cxxtools-2.2.1
> 
> stabilizing is not needed, previous versions run on ~ARCH in all attached
> arches
> 
> anyway, I will add it to my ToDo list for stabilisation due to the 30 day period
> 
> thanks for reporting this...

This is not a multislot package, so we actually HAVE a previous version (even if it's a previous major version) in stable. And thus - it requires stabilization.

So, question - is it ready for it or not? You do not have to wait 30 days, because it's a security issue, but you should check if there are some breakages that the major version could bring into the stable tree (as usual).
Comment 3 Joerg Bornkessel (RETIRED) gentoo-dev 2014-01-23 21:39:15 UTC
stable amd64 x86 done
cleanup old cxxtools-2.x
major release cxxtools-1.4.8 is still in the tree,
because of unresolved ARCH dependency in dev-libs/tntnet

###

I think there is also a security problem in
dev-libs/tntnet
reported here --> http://www.tntnet.org/download/tntnet-2.2.1/Releasenotes-2.2.1.html


- race condition may result in a pthread unlock error
- in some circumstances request headers are not cleared correctly and hence 
  may occur in subsequent requests again
- changing the root dir of tntnet did not work

I have added for now
dev-libs/tntnet-2.2.1

please let me know, if we need also a stabilization

the result from this would be, we could remove all old major releases from
dev-libs/tntnet
dev-libs/cxxtools
Comment 4 Pacho Ramos gentoo-dev 2014-06-09 11:35:17 UTC
The old cxxtools version doesn't even build for me currently :(
Comment 5 Pacho Ramos gentoo-dev 2014-06-09 11:44:08 UTC
Stabilizing:
dev-libs/tntnet-2.2.1
dev-libs/cxxtools-2.2.1

Will fix all issues
Comment 6 Joerg Bornkessel (RETIRED) gentoo-dev 2014-06-11 19:03:00 UTC
(In reply to Pacho Ramos from comment #5)
> Stabilizing:
> dev-libs/tntnet-2.2.1
> dev-libs/cxxtools-2.2.1
> 
> Will fix all issues

both packages are stable now on amd64, x86 ....
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 17:09:53 UTC
CVE-2013-7298 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7298):
  query_params.cpp in cxxtools before 2.2.1 allows remote attackers to cause a
  denial of service (infinite recursion and crash) via an HTTP query that
  contains %% (double percent) characters.
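The description above and the CVE text both describe the failure mode only in one sentence: a query parameter containing "%%" makes the URL decoder recurse until the stack is exhausted. The following C++ program is an added illustration written for this page, not code from cxxtools or from the linked fix commit; the recursive decoder is an assumed model of the bug class (a decoder that retries at the same input position when an escape is malformed), not a transcription of query_params.cpp. It places that model beside a decoder whose loop index grows on every iteration and which rejects malformed escapes, so "%%" and a trailing "%" cannot make it loop. All query strings in main() are constructed test inputs.

```cpp
// Added illustration (not cxxtools code): a percent-decoder that does not
// always advance its cursor next to one that cannot fail to advance.
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Value of a hex digit, or -1 if c is not one.
static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

struct RecursionLimit : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Vulnerable pattern (assumed model, not the real cxxtools code): one
// recursive call per decoded unit. A '%' is consumed only when two hex digits
// follow; on a malformed escape such as "%%" or a trailing "%" the function
// calls itself again at the SAME position, so the cursor never moves and the
// recursion never bottoms out. A depth guard stands in for the real outcome
// (stack exhaustion and a crash) so the demonstration is safe to run; the
// sample inputs are short, so legitimate input never reaches the guard.
static std::string decodeRecursiveModel(const std::string& s, std::size_t pos,
                                        unsigned depth = 0) {
    if (depth > 4096) throw RecursionLimit("decoder made no progress");
    if (pos >= s.size()) return "";
    if (s[pos] == '%') {
        if (pos + 2 < s.size()) {
            int hi = hexValue(s[pos + 1]), lo = hexValue(s[pos + 2]);
            if (hi >= 0 && lo >= 0)
                return std::string(1, static_cast<char>(hi * 16 + lo))
                       + decodeRecursiveModel(s, pos + 3, depth + 1);
        }
        // Malformed escape: retry without advancing -> unbounded recursion.
        return decodeRecursiveModel(s, pos, depth + 1);
    }
    char c = (s[pos] == '+') ? ' ' : s[pos];
    return std::string(1, c) + decodeRecursiveModel(s, pos + 1, depth + 1);
}

// True if the modelled decoder finishes on this input, false if it hits the
// recursion guard (i.e. would have crashed without it).
bool recursiveModelTerminates(const std::string& query) {
    try { decodeRecursiveModel(query, 0); return true; }
    catch (const RecursionLimit&) { return false; }
}

struct DecodeResult {
    bool ok;            // false if the input contained a malformed escape
    std::string value;  // decoded bytes, meaningful only when ok is true
};

// Hardened decoder: a single loop whose index grows on every iteration, so
// it terminates for any input. A '%' not followed by exactly two hex digits
// is rejected rather than retried (RFC 3986: pct-encoded = "%" HEXDIG HEXDIG).
DecodeResult percentDecode(const std::string& s) {
    DecodeResult r{true, std::string()};
    r.value.reserve(s.size());
    for (std::size_t i = 0; i < s.size(); ++i) {
        char c = s[i];
        if (c == '%') {
            if (i + 2 >= s.size()) return DecodeResult{false, std::string()};
            int hi = hexValue(s[i + 1]), lo = hexValue(s[i + 2]);
            if (hi < 0 || lo < 0) return DecodeResult{false, std::string()};
            r.value.push_back(static_cast<char>(hi * 16 + lo));
            i += 2;  // skip the two hex digits just consumed
        } else if (c == '+') {
            r.value.push_back(' ');
        } else {
            r.value.push_back(c);
        }
    }
    return r;
}

int main() {
    // Constructed query strings: two well-formed, two with malformed escapes.
    const char* samples[] = {"q=hello+world", "q=%41%42", "q=%%", "q=%"};
    for (const char* q : samples) {
        DecodeResult d = percentDecode(q);
        std::cout << q << " -> recursive model: "
                  << (recursiveModelTerminates(q) ? "terminates" : "RUNS AWAY")
                  << ", hardened: "
                  << (d.ok ? "\"" + d.value + "\"" : std::string("rejected"))
                  << "\n";
    }
    return 0;
}
```

The property worth checking in any hand-written decoder is the one the hardened version makes structural: every iteration consumes at least one input byte, so the worst-case cost is linear in the request size rather than unbounded. Rejecting a malformed escape instead of passing it through also avoids the ambiguity of what "%%" should decode to.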
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-03-01 13:57:09 UTC
@maintainers, please remove vulnerable version (1.4.8) from tree as the previous dependency issue was resolved.
Comment 9 Joerg Bornkessel (RETIRED) gentoo-dev 2016-05-16 18:52:51 UTC
cleanup old,

done...