oss-sec mailing list archives

Bugs fixed in libevent 2.1.6


From: Leo Famulari <leo () famulari name>
Date: Tue, 31 Jan 2017 14:05:50 -0500

Libevent 2.1.6 fixed three bugs that may have security implications. Can
you assign CVE IDs as appropriate?

Below I quote from the upstream bug reports:

1) libevent dns remote stack overread vulnerability
------
the name_parse() function in libevent's DNS code is vulnerable to a
buffer overread.

971         if (cp != name_out) {
972             if (cp + 1 >= end) return -1;
973             *cp++ = '.';
974         }
975         if (cp + label_len >= end) return -1;
976         memcpy(cp, packet + j, label_len);
977         cp += label_len;
978         j += label_len;

No check is made against length before the memcpy occurs.
[...]
azat closed this in 96f64a0 on Feb 1, 2016
------
https://github.com/libevent/libevent/issues/317

2) libevent (stack) buffer overflow in evutil_parse_sockaddr_port()
------
in evutil.c:

1798     char buf[128];
...
...
1809     cp = strchr(ip_as_string, ':');
1810     if (*ip_as_string == '[') {
1811         int len;
1812         if (!(cp = strchr(ip_as_string, ']'))) {
1813             return -1;
1814         }
1815         len = (int) ( cp-(ip_as_string + 1) );
1816         if (len > (int)sizeof(buf)-1) {
1817             return -1;
1818         }
1819         memcpy(buf, ip_as_string+1, len);

Length between '[' and ']' is cast to a signed 32-bit integer on line
1815. If the length is more than 2<<31 (INT_MAX), len will hold a
negative value. Consequently, it will pass the check at line 1816.
Segfault happens at line 1819.
[...]
azat closed this in 329acc1 on Feb 1, 2016
------
https://github.com/libevent/libevent/issues/318

3) out-of-bounds read in search_make_new()
------
The DNS code of Libevent contains this rather obvious OOB read:

3122 static char *
3123 search_make_new(const struct search_state *const state, int n, const char *const base_name) {
3124     const size_t base_len = strlen(base_name);
3125     const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;

If the length of base_name is 0, then line 3125 reads 1 byte before the
buffer. This will trigger a crash on ASAN-protected builds.
[...]
azat closed this in ec65c42 on Mar 24, 2016
------
https://github.com/libevent/libevent/issues/332
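Hardened variants of the three checks quoted above, as an added example that is neither part of this message nor libevent's actual fixes; the function names, the return conventions and the sample packet in copy_label_demo are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Issue 317: the quoted loop only checks destination room (cp + label_len
 * >= end). A hardened copy also checks that the packet still holds
 * label_len bytes at offset j, so a forged label length cannot overread. */
int copy_label(char *cp, const char *end, const char *packet,
               size_t packet_len, size_t j, size_t label_len)
{
    if (cp == NULL || end == NULL || packet == NULL || end < cp) return -1;
    if (label_len >= (size_t)(end - cp)) return -1;               /* destination */
    if (j > packet_len || label_len > packet_len - j) return -1;  /* source */
    memcpy(cp, packet + j, label_len);
    return 0;
}

/* Constructed sample packet (not from the report): two wire-format labels. */
int copy_label_demo(size_t j, size_t label_len)
{
    static const char packet[] = "\x03" "www" "\x07" "example";  /* 12 bytes */
    char out[16];
    return copy_label(out, out + sizeof out, packet, sizeof packet - 1, j, label_len);
}

/* Issue 318: casting the length to int lets a value of INT_MAX+1 or more
 * compare as negative and pass the bound. Both predicates return 1 when the
 * check would allow the memcpy; only the size_t version rejects large input. */
int vulnerable_len_check_passes(size_t len, size_t buf_size)
{
    int ilen = (int)len;   /* out-of-range conversion: wraps on common ABIs */
    return ilen > (int)buf_size - 1 ? 0 : 1;
}

int hardened_len_check_passes(size_t len, size_t buf_size)
{
    return (buf_size > 0 && len <= buf_size - 1) ? 1 : 0;
}

/* Issue 332: test for the empty name before touching base_name[base_len - 1].
 * Returns -1 for an empty name, 0 if it already ends in '.', else 1. */
int need_to_append_dot(const char *base_name)
{
    size_t base_len = base_name ? strlen(base_name) : 0;
    if (base_len == 0) return -1;
    return base_name[base_len - 1] == '.' ? 0 : 1;
}
```

The vulnerable predicate assumes a 32-bit int, which is where the sign wrap the report describes occurs.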
