Bug 14970

Summary: libevent new security issue CVE-2014-6272
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/628611/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: libevent-2.0.21-5.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-06 22:19:02 CET 
Debian has issued an advisory today (January 6):
https://www.debian.org/security/2015/dsa-3119

The issue is fixed upstream in 2.0.22:
http://archives.seul.org/libevent/users/Jan-2015/msg00012.html

Freeze push requested for Cauldron.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated libevent packages fix security vulnerability:

Andrew Bartlett of Catalyst reported a defect affecting certain applications
using the Libevent evbuffer API. This defect leaves applications which pass
insanely large inputs to evbuffers open to a possible heap overflow or
infinite loop. In order to exploit this flaw, an attacker needs to be able to
find a way to provoke the program into trying to make a buffer chunk larger
than what will fit into a single size_t or off_t (CVE-2014-6272).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6272
https://www.debian.org/security/2015/dsa-3119
========================

Updated packages in core/updates_testing:
========================
libevent5-2.0.21-5.1.mga4
libevent-devel-2.0.21-5.1.mga4

from libevent-2.0.21-5.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-07 01:25:32 CET

Severity: normal => major

Comment 1 Herman Viaene 2015-01-07 13:42:27 CET 
MGA4-64 on HP Probook 6555b KDE
No installation issues.
libevent is required a.o. by firefox. Is submitting this comment enough to OK it?

CC: (none) => herman.viaene

Comment 2 Herman Viaene 2015-01-07 13:43:30 CET 
OK 64 bit unless other PoC comes up.

Whiteboard: (none) => MGA4-64-OK

Comment 3 Herman Viaene 2015-01-07 13:47:51 CET 
MGA4-32 on AcerD620 Xfce.
No installation issues. Same test as Comment 1.
Herman Viaene 2015-01-07 13:48:10 CET

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 4 claire robinson 2015-01-07 14:05:15 CET 
If its not generating any errors Herman, yes. There are also thunderbird, iceape, tor and transmission which use it. You could possibly show the library being loaded using strace.
Comment 5 Herman Viaene 2015-01-07 15:19:21 CET 
No errors have occured. Using strace now to check this update.
Comment 6 Herman Viaene 2015-01-07 15:22:10 CET 
libevent5.so is called twice, thus should be OK.
Comment 7 claire robinson 2015-01-07 15:37:40 CET 
Well done Herman.

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-01-07 16:15:40 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0009.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED