14970 – libevent new security issue CVE-2014-6272

Bug 14970 - libevent new security issue CVE-2014-6272

Summary: libevent new security issue CVE-2014-6272

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/628611/
Whiteboard:	has_procedure advisory MGA4-64-OK MGA...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2015-01-06 22:19 CET by David Walser
Modified:	2015-01-07 16:15 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	libevent-2.0.21-5.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-01-06 22:19:02 CET

Debian has issued an advisory today (January 6):
https://www.debian.org/security/2015/dsa-3119

The issue is fixed upstream in 2.0.22:
http://archives.seul.org/libevent/users/Jan-2015/msg00012.html

Freeze push requested for Cauldron.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated libevent packages fix security vulnerability:

Andrew Bartlett of Catalyst reported a defect affecting certain applications
using the Libevent evbuffer API. This defect leaves applications which pass
insanely large inputs to evbuffers open to a possible heap overflow or
infinite loop. In order to exploit this flaw, an attacker needs to be able to
find a way to provoke the program into trying to make a buffer chunk larger
than what will fit into a single size_t or off_t (CVE-2014-6272).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6272
https://www.debian.org/security/2015/dsa-3119
========================

Updated packages in core/updates_testing:
========================
libevent5-2.0.21-5.1.mga4
libevent-devel-2.0.21-5.1.mga4

from libevent-2.0.21-5.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:

David Walser 2015-01-07 01:25:32 CET

Severity: normal => major

Comment 1 Herman Viaene 2015-01-07 13:42:27 CET

MGA4-64 on HP Probook 6555b KDE
No installation issues.
libevent is required a.o. by firefox. Is submitting this comment enough to OK it?

CC: (none) => herman.viaene

Comment 2 Herman Viaene 2015-01-07 13:43:30 CET

OK 64 bit unless other PoC comes up.

Whiteboard: (none) => MGA4-64-OK

Comment 3 Herman Viaene 2015-01-07 13:47:51 CET

MGA4-32 on AcerD620 Xfce.
No installation issues. Same test as Comment 1.

Herman Viaene 2015-01-07 13:48:10 CET

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 4 claire robinson 2015-01-07 14:05:15 CET

If its not generating any errors Herman, yes. There are also thunderbird, iceape, tor and transmission which use it. You could possibly show the library being loaded using strace.

Comment 5 Herman Viaene 2015-01-07 15:19:21 CET

No errors have occured. Using strace now to check this update.

Comment 6 Herman Viaene 2015-01-07 15:22:10 CET

libevent5.so is called twice, thus should be OK.

Comment 7 claire robinson 2015-01-07 15:37:40 CET

Well done Herman.

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-01-07 16:15:40 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0009.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.