Bug 1022919 - (CVE-2016-10197) VUL-1: CVE-2016-10197: libevent: out-of-bounds read in search_make_new()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-10197:4.3:(AV:N/...
Reported: 2017-01-31 23:39 UTC by Mikhail Kasimov
Modified: 2018-01-29 23:36 UTC
CC: 3 users

Attachments
source code to trigger the issue (4.12 KB, text/x-c)
2017-02-03 15:02 UTC, Matthias Gerstner
data file for PoC source code (32 bytes, text/plain)
2017-02-03 15:03 UTC, Matthias Gerstner

Description Mikhail Kasimov 2017-01-31 23:39:50 UTC
Ref: http://seclists.org/oss-sec/2017/q1/250
==============================================
Libevent 2.1.6 fixed three bugs that may have security implications.

3) out-of-bounds read in search_make_new()
------
The DNS code of Libevent contains this rather obvious OOB read:

3122 static char *
3123 search_make_new(const struct search_state *const state, int n, const char *const base_name) {
3124     const size_t base_len = strlen(base_name);
3125     const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;

If the length of base_name is 0, then line 3125 reads 1 byte before the
buffer. This will trigger a crash on ASAN-protected builds.
[...]
azat closed this in ec65c42 on Mar 24, 2016
------
https://github.com/libevent/libevent/issues/332
==============================================

(open-)SUSE: https://software.opensuse.org/package/libevent :

TW: 2.0.22
42.(1|2): 2.0.21

SLE12-SP2 seems not shipping libevent.
Comment 1 Swamp Workflow Management 2017-02-01 23:00:38 UTC
bugbot adjusting priority
Comment 2 Matthias Gerstner 2017-02-03 14:50:19 UTC
[affected]

SUSE:SLE-12:Update/libevent/libevent-2.0.21-stable/evdns.c:3110
./SUSE:SLE-11:Update/libevent/libevent-1.4.5-stable/evdns.c:2453

[not affected]

function not contained in SLE-10-SP3
Comment 3 Matthias Gerstner 2017-02-03 15:02:31 UTC
Created attachment 712798
source code to trigger the issue
Comment 4 Matthias Gerstner 2017-02-03 15:03:05 UTC
Created attachment 712799
data file for PoC source code
Comment 5 Matthias Gerstner 2017-02-03 15:06:06 UTC
QA reproducer:

The PoC files are from the upstream bug:

  https://github.com/libevent/libevent/issues/332

You need to place the source code from attachment 712798 and the resolv.conf
file from attachment 712799 into the same directory. I've tested this on
openSUSE Leap 42.2. libevent-devel needs to be installed.

Compile the poc.c like follows:

  gcc poc.c -o resolv_poc `pkg-config --cflags --libs libevent`

Then run the program with valgrind:

  valgrind ./resolv_poc

This will give you an "Invalid read of size 1" if the issue still exists.
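The QA reproducer above drives the bug through libevent's resolver and needs valgrind to see it. The program below is an added example, not code from libevent or from the bug's attachments: it models the search_make_new() logic quoted in the description on its own, so the faulty `base_name[base_len - 1]` index and the missing empty-name check can be read side by side without a resolver. The struct search_domain layout, the sample search list (what a resolv.conf "search example.com corp.example.net" line would produce) and the helper names join_with_postfix, sample_search_list, fixed_gives and both_agree are this example's own assumptions, not libevent's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for libevent's search-domain list (an assumption of this
 * example; libevent keeps the postfix bytes after the struct, not a pointer). */
struct search_domain {
    const char *postfix;            /* search suffix, e.g. "example.com" */
    struct search_domain *next;
};

/* Allocate base[0..base_len) + optional '.' + postfix, NUL-terminated. */
static char *join_with_postfix(const char *base, size_t base_len,
                               int append_dot, const char *postfix)
{
    const size_t dot = append_dot ? 1 : 0;
    const size_t postfix_len = strlen(postfix);
    char *newname = malloc(base_len + dot + postfix_len + 1);
    if (!newname) return NULL;
    memcpy(newname, base, base_len);
    if (dot) newname[base_len] = '.';
    memcpy(newname + base_len + dot, postfix, postfix_len);
    newname[base_len + dot + postfix_len] = '\0';
    return newname;
}

/* Vulnerable shape (CVE-2016-10197): for base_name == "", base_len is 0 and
 * base_name[base_len - 1] reads one byte before the buffer. Kept only to show
 * the pattern; nothing in this file calls it with an empty name. */
static char *search_make_new_vuln(const struct search_domain *head, int n,
                                  const char *base_name)
{
    const size_t base_len = strlen(base_name);
    const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1; /* OOB read when base_len == 0 */
    const struct search_domain *dom;

    for (dom = head; dom; dom = dom->next)
        if (!n--)
            return join_with_postfix(base_name, base_len, need_to_append_dot, dom->postfix);
    return NULL;
}

/* Hardened version: reject an empty base name (and a negative index) before
 * indexing, and report running off the list as NULL instead of asserting. */
static char *search_make_new_fixed(const struct search_domain *head, int n,
                                   const char *base_name)
{
    const size_t base_len = strlen(base_name);
    const struct search_domain *dom;
    int need_to_append_dot;

    if (base_len == 0 || n < 0) return NULL;        /* the check the original lacks */
    need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;

    for (dom = head; dom; dom = dom->next)
        if (n-- == 0)
            return join_with_postfix(base_name, base_len, need_to_append_dot, dom->postfix);
    return NULL;
}

/* Constructed sample list: "search example.com corp.example.net". */
static struct search_domain *sample_search_list(void)
{
    static struct search_domain second = { "corp.example.net", NULL };
    static struct search_domain first  = { "example.com", &second };
    return &first;
}

/* 1 if the hardened function yields `expect` for the n-th sample domain;
 * expect == NULL means "must return NULL". */
static int fixed_gives(int n, const char *base, const char *expect)
{
    char *got = search_make_new_fixed(sample_search_list(), n, base);
    int ok = got ? (expect != NULL && strcmp(got, expect) == 0) : (expect == NULL);
    free(got);
    return ok;
}

/* 1 if both versions agree on a non-empty base name, i.e. the fix changes
 * nothing for the inputs the original handled correctly. */
static int both_agree(int n, const char *base)
{
    char *a = search_make_new_vuln(sample_search_list(), n, base);
    char *b = search_make_new_fixed(sample_search_list(), n, base);
    int ok = a && b && strcmp(a, b) == 0;
    free(a);
    free(b);
    return ok;
}

int main(void)
{
    printf("www + domain 0        : %d\n", fixed_gives(0, "www", "www.example.com"));
    printf("trailing dot, domain 1: %d\n", fixed_gives(1, "www.", "www.corp.example.net"));
    printf("empty name rejected   : %d\n", fixed_gives(0, "", NULL));
    printf("index past list       : %d\n", fixed_gives(2, "www", NULL));
    printf("fix preserves output  : %d\n", both_agree(0, "www") && both_agree(1, "host."));
    return 0;
}
```

Building this with `gcc -fsanitize=address -g` and calling search_make_new_vuln() with "" reports the same one-byte read before the buffer that valgrind shows for the real PoC; main() deliberately does not do that, so the program runs clean and only demonstrates that the hardened function rejects the empty name while returning identical results for every other input.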
Comment 8 Swamp Workflow Management 2018-01-24 20:16:31 UTC
SUSE-SU-2018:0200-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022917,1022918,1022919
CVE References: CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libevent-2.0.21-6.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libevent-2.0.21-6.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libevent-2.0.21-6.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    libevent-2.0.21-6.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    libevent-2.0.21-6.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libevent-2.0.21-6.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libevent-2.0.21-6.3.1
SUSE CaaS Platform ALL (src):    libevent-2.0.21-6.3.1
Comment 9 Swamp Workflow Management 2018-01-25 23:07:24 UTC
openSUSE-SU-2018:0220-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022917,1022918,1022919
CVE References: CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Sources used:
openSUSE Leap 42.3 (src):    libevent-2.0.21-10.1
openSUSE Leap 42.2 (src):    libevent-2.0.21-7.3.1
Comment 10 Marcus Meissner 2018-01-29 16:53:57 UTC
released
Comment 11 Swamp Workflow Management 2018-01-29 17:09:27 UTC
SUSE-SU-2018:0263-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022917,1022918,1022919
CVE References: CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libevent-1.4.5-24.24.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    libevent-1.4.5-24.24.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libevent-1.4.5-24.24.3.1