http://bugzilla.opensuse.org/show_bug.cgi?id=1022918

Bug ID: 1022918
Summary: VUL-1: libevent: stack/buffer overflow in evutil_parse_sockaddr_port()
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/250
==============================================
Libevent 2.1.6 fixed three bugs that may have security implications.

2) libevent (stack) buffer overflow in evutil_parse_sockaddr_port()
------
in evutil.c:

1798    char buf[128];
...
...
1809    cp = strchr(ip_as_string, ':');
1810    if (*ip_as_string == '[') {
1811        int len;
1812        if (!(cp = strchr(ip_as_string, ']'))) {
1813            return -1;
1814        }
1815        len = (int) ( cp-(ip_as_string + 1) );
1816        if (len > (int)sizeof(buf)-1) {
1817            return -1;
1818        }
1819        memcpy(buf, ip_as_string+1, len);

Length between '[' and ']' is cast to signed 32 bit integer on line 1815. If the
length is more than 2<<31 (INT_MAX), len will hold a negative value.
Consequently, it will pass the check at line 1816. Segfault happens at line 1819.

[...]

azat closed this in 329acc1 on Feb 1, 2016
------
https://github.com/libevent/libevent/issues/318
==============================================

(open-)SUSE: https://software.opensuse.org/package/libevent :

TW: 2.0.22
42.(1|2): 2.0.21

SLE12-SP2 does not seem to ship libevent.
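
Added example (not part of the bug report and not libevent's own code): the length check from lines 1815-1816 modelled on a constructed 2^31-byte distance, next to a full-width unsigned check and a bounded copy built on it. The function names and the int64_t stand-in for the pointer difference are assumptions made for this illustration, and the narrowing result relies on gcc/clang conversion behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128   /* sizeof(buf) in the excerpt */

/* Check as in the excerpt (lines 1815-1816): distance narrowed to int first.
 * Returns 0 when the copy at line 1819 would go ahead, -1 when rejected. */
static int excerpt_check(int64_t span)
{
    int len = (int)span;   /* becomes negative past INT_MAX on gcc/clang */
    return (len > (int)BUF_SIZE - 1) ? -1 : 0;
}

/* Hardened check: compare at full width, unsigned, before any narrowing. */
static int hardened_check(int64_t span, size_t bufsz)
{
    if (bufsz == 0 || span < 0 || (uint64_t)span > bufsz - 1)
        return -1;
    return 0;
}

/* Copy the text between '[' and ']' into out, NUL-terminated; -1 on error. */
static int copy_bracketed_host(const char *s, char *out, size_t outsz)
{
    const char *end;
    if (s[0] != '[' || (end = strchr(s, ']')) == NULL)
        return -1;
    if (hardened_check((int64_t)(end - (s + 1)), outsz) != 0)
        return -1;
    memcpy(out, s + 1, (size_t)(end - (s + 1)));
    out[end - (s + 1)] = '\0';
    return 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    int64_t huge = (int64_t)INT32_MAX + 1;   /* constructed distance, 2^31 */
    printf("excerpt check,  span 2^31: %d\n", excerpt_check(huge));
    printf("hardened check, span 2^31: %d\n", hardened_check(huge, sizeof(buf)));
    if (copy_bracketed_host("[::1]:80", buf, sizeof(buf)) == 0)
        printf("host: %s\n", buf);
    return 0;
}
```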