Bugzilla – Bug 1022919
VUL-1: CVE-2016-10197: libevent: out-of-bounds read in search_make_new()
Last modified: 2018-01-29 23:36:22 UTC
Ref: http://seclists.org/oss-sec/2017/q1/250

==============================================
Libevent 2.1.6 fixed three bugs that may have security implications.

3) out-of-bounds read in search_make_new()
------
The DNS code of Libevent contains this rather obvious OOB read:

    3122 static char *
    3123 search_make_new(const struct search_state *const state, int n, const char *const base_name) {
    3124     const size_t base_len = strlen(base_name);
    3125     const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;

If the length of base_name is 0, then line 3125 reads 1 byte before the buffer. This will trigger a crash on ASAN-protected builds.

[...]

azat closed this in ec65c42 on Mar 24, 2016
------
https://github.com/libevent/libevent/issues/332
==============================================

(open-)SUSE:
https://software.opensuse.org/package/libevent :
TW: 2.0.22
42.(1|2): 2.0.21
SLE12-SP2 seems not to ship libevent.
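The empty-name case from the report above, as an added example that is not libevent's code or its upstream fix: a simplified stand-in for the name-joining step that checks the length before indexing `base_len - 1`. The names `need_dot_unchecked` and `make_search_name` and the sample inputs are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the expression on line 3125 of the report: for "" the index
 * base_len - 1 wraps around and the read lands one byte before the buffer.
 * Shown for comparison only; never call it with an empty string. */
static int need_dot_unchecked(const char *base_name) {
    const size_t base_len = strlen(base_name);
    return base_name[base_len - 1] == '.' ? 0 : 1;
}

/* Hypothetical helper (not libevent's API): build "<base_name>.<domain>",
 * adding the dot only when base_name does not already end in one.
 * Returns a malloc'd string, or NULL for NULL/empty input or on OOM. */
static char *make_search_name(const char *base_name, const char *domain) {
    size_t base_len, dom_len;
    int need_dot;
    char *out;

    if (base_name == NULL || domain == NULL)
        return NULL;
    base_len = strlen(base_name);
    if (base_len == 0)              /* guard: refuse before any indexing */
        return NULL;
    need_dot = base_name[base_len - 1] == '.' ? 0 : 1;
    dom_len = strlen(domain);

    out = malloc(base_len + need_dot + dom_len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, base_name, base_len);
    if (need_dot)
        out[base_len] = '.';
    memcpy(out + base_len + need_dot, domain, dom_len + 1); /* copies NUL */
    return out;
}

int main(void) {
    /* Constructed inputs; the empty name is the case from the report. */
    const char *names[] = { "www", "www.", "" };
    for (size_t i = 0; i < 3; i++) {
        char *s = make_search_name(names[i], "example.com");
        printf("\"%s\" -> %s\n", names[i], s ? s : "(rejected)");
        free(s);
    }
    return need_dot_unchecked("www") == 1 ? 0 : 1;
}
```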
bugbot adjusting priority
[affected]
SUSE:SLE-12:Update/libevent/libevent-2.0.21-stable/evdns.c:3110
./SUSE:SLE-11:Update/libevent/libevent-1.4.5-stable/evdns.c:2453

[not affected]
function not contained in SLE-10-SP3
Created attachment 712798: source code to trigger the issue
Created attachment 712799: data file for PoC source code
QA reproducer:

The PoC files are from the upstream bug: https://github.com/libevent/libevent/issues/332

You need to place the source code from attachment 712798 and the resolv.conf file from attachment 712799 into the same directory.

I've tested this on openSUSE Leap 42.2. libevent-devel needs to be installed.

Compile poc.c as follows:

    gcc poc.c -o resolv_poc `pkg-config --cflags --libs libevent`

Then run the program with valgrind:

    valgrind ./resolv_poc

This will give you an "Invalid read of size 1" if the issue still exists.
SUSE-SU-2018:0200-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022917,1022918,1022919
CVE References: CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Server 12-SP3 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Server 12-SP2 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libevent-2.0.21-6.3.1
SUSE CaaS Platform ALL (src): libevent-2.0.21-6.3.1
openSUSE-SU-2018:0220-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022917,1022918,1022919
CVE References: CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Sources used:
openSUSE Leap 42.3 (src): libevent-2.0.21-10.1
openSUSE Leap 42.2 (src): libevent-2.0.21-7.3.1
released
SUSE-SU-2018:0263-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022917,1022918,1022919
CVE References: CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libevent-1.4.5-24.24.3.1
SUSE Linux Enterprise Server 11-SP4 (src): libevent-1.4.5-24.24.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libevent-1.4.5-24.24.3.1