Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 583396 (CVE-2016-4912) - <net-libs/openslp-2.0.0-r2: null pointer dereference
Summary: <net-libs/openslp-2.0.0-r2: null pointer dereference
Alias: CVE-2016-4912
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa cve]
Depends on: CVE-2016-7567
  Show dependency tree
Reported: 2016-05-18 10:31 UTC by Agostino Sarubbo
Modified: 2017-07-08 12:35 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-05-18 10:31:06 UTC
From ${URL} :

The following flaw was reported to us by Yuguang Cai. Basically return
value from malloc isnt checked, in _xrealloc function. This can be
triggered remotely by sending a large number of request, which could
possibly lead malloc to fail at one point, causing crash via null
pointer deref.

Because of the way memory works on modern linux systems, this one seems
to be difficult to exploit, so i am wondering if a CVE id should really
be assigned to this issue.

Details at:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-02-18 13:03:29 UTC
commit a5ebb986de32e702fece9392cc511a6e2d31f08a
Author: Andreas K. Hüttel <>
Date:   Sat Feb 18 14:01:53 2017 +0100

    net-libs/openslp: EAPI bump, add Fedora patch for CVE 2016-4912
    Package-Manager: Portage-2.3.3, Repoman-2.3.1

 net-libs/openslp/files/openslp-2.0.0-CVE-2016-4912.patch | 15 +++++++++++++++
 net-libs/openslp/openslp-2.0.0-r2.ebuild                 | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)

Added the patch from Fedora. 

Since 2.0.0 is only freshly rekeyworded we should probably wait a bit now.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 19:17:06 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Thomas Deutschmann gentoo-dev 2017-06-03 22:29:55 UTC
Added to an existing GLSA.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-06-09 23:24:33 UTC
Nothing to do for printing here anymore.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:35:29 UTC
This issue was resolved and addressed in
 GLSA 201707-05 at
by GLSA coordinator Thomas Deutschmann (whissi).