Bug ID 1022918
Summary VUL-1: libevent: stack/buffer overflow in evutil_parse_sockaddr_port()
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Ref: http://seclists.org/oss-sec/2017/q1/250
==============================================
Libevent 2.1.6 fixed three bugs that may have security implications.

2) libevent (stack) buffer overflow in evutil_parse_sockaddr_port()
------
in evutil.c:

1798     char buf[128];
...
...
1809     cp = strchr(ip_as_string, ':');
1810     if (*ip_as_string == '[') {
1811         int len;
1812         if (!(cp = strchr(ip_as_string, ']'))) {
1813             return -1;
1814         }
1815         len = (int) ( cp-(ip_as_string + 1) );
1816         if (len > (int)sizeof(buf)-1) {
1817             return -1;
1818         }
1819         memcpy(buf, ip_as_string+1, len);

Length between '[' and ']' is cast to signed 32 bit integer on line
1815. If the length is more than 2<<31 (INT_MAX), len will hold a
negative value. Consequently, it will pass the check at line 1816.
Segfault happens at line 1819.
[...]
azat closed this in 329acc1 on Feb 1, 2016
------
https://github.com/libevent/libevent/issues/318
==============================================

(open-)SUSE: https://software.opensuse.org/package/libevent :

TW: 2.0.22
42.(1|2): 2.0.21

SLE12-SP2 does not seem to ship libevent.
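
The length check described in the quoted advisory, next to a full-width form, as an added example (not libevent's code and not the fix in 329acc1). The names len_check_narrowed, len_check_sized and extract_bracketed are hypothetical, and the example assumes a compiler such as GCC or Clang where an out-of-range conversion to int wraps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128  /* same size as buf[] in the quoted excerpt */

/* Mirrors lines 1815-1816: the pointer distance is narrowed to int before
 * the bounds check. Returns 1 if the copy would be allowed. */
static int len_check_narrowed(int64_t distance)
{
    int len = (int)distance;      /* goes negative above INT_MAX (assumed wrap) */
    if (len > (int)BUF_SIZE - 1)
        return 0;
    return 1;                     /* a negative len would reach memcpy as a huge size_t */
}

/* Full-width check: reject negative and oversized distances without narrowing. */
static int len_check_sized(int64_t distance)
{
    return distance >= 0 && (uint64_t)distance <= BUF_SIZE - 1;
}

/* Hypothetical helper: copy the text between '[' and ']' into out, NUL-terminated. */
static int extract_bracketed(const char *s, char *out, size_t outlen)
{
    const char *end;
    size_t len;

    if (outlen == 0 || *s != '[' || !(end = strchr(s, ']')))
        return -1;
    len = (size_t)(end - (s + 1)); /* ']' is found after '[', so never negative */
    if (len > outlen - 1)
        return -1;
    memcpy(out, s + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char buf[BUF_SIZE];
    int64_t huge = (int64_t)INT32_MAX + 1; /* constructed distance, no 2 GiB string needed */

    printf("narrowed check accepts: %d\n", len_check_narrowed(huge));
    printf("sized check accepts:    %d\n", len_check_sized(huge));
    printf("extract_bracketed:      %d\n", extract_bracketed("[::1]:80", buf, sizeof buf));
    return 0;
}
```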

