Bugzilla – Bug 775013
VUL-1: CVE-2012-3421: pcp: event-driven programming flaw blocks pmcd from responding to other legitimate requests
Last modified: 2013-01-24 17:53:49 UTC
There has recently been a DoS flaw reported in pcp that could be exploited by unauthenticated remote attackers.

Note: This issue is embargoed until the 15th of August 2012. Please keep details inside SUSE and don't use the open build service to prepare patched pkgs.
Original quote from the mail: "A denial of service flaw in pmcd (the PCP (Performance Co-Pilot) performance metrics collector daemon) due to incorrect event-driven programming. Because the pduread() function in libpcp performs a select locally, waiting for more client data, an unauthenticated remote attacker could send individual bytes one by one, avoiding the timeout, and blocking pmcd in order to prevent it from responding to other legitimate requests."
The SWAMPID for this issue is 48666. This issue was rated as important. Please submit fixed packages until 2012-08-16. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
openSUSE-SU-2012:1036-1: An update that fixes four vulnerabilities is now available.
Category: security (low)
Bug References: 775009,775010,775011,775013
CVE References: CVE-2012-3418,CVE-2012-3419,CVE-2012-3420,CVE-2012-3421
Sources used: openSUSE 12.1 (src): pcp-3.6.5-5.4.1

openSUSE-SU-2012:1079-1: An update that fixes four vulnerabilities is now available.
Category: security (low)
Bug References: 775009,775010,775011,775013
CVE References: CVE-2012-3418,CVE-2012-3419,CVE-2012-3420,CVE-2012-3421
Sources used: openSUSE 12.2 (src): pcp-3.6.5-9.9.1

openSUSE-SU-2012:1081-1: An update that fixes four vulnerabilities is now available.
Category: security (low)
Bug References: 775009,775010,775011,775013
CVE References: CVE-2012-3418,CVE-2012-3419,CVE-2012-3420,CVE-2012-3421
Sources used: openSUSE 11.4 (src): pcp-3.6.5-140.1
This is an autogenerated message for OBS integration: This bug (775013) was mentioned in https://build.opensuse.org/request/show/133233 Evergreen:11.2 / pcp
This is an autogenerated message for OBS integration: This bug (775013) was mentioned in https://build.opensuse.org/request/show/133595 Evergreen:11.2 / pcp
Remaining issues are tracked in bnc#775009.
Update released for: libpcp3, pcp, pcp-debuginfo, pcp-debugsource, pcp-devel, pcp-import-iostat2pcp, pcp-import-mrtg2pcp, pcp-import-sar2pcp, pcp-import-sheet2pcp, perl-PCP-LogImport, perl-PCP-LogSummary, perl-PCP-MMV, perl-PCP-PMDA, permissions, permissions-debuginfo
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

Update released for: libpcp3, pcp, pcp-debuginfo, pcp-devel, pcp-import-iostat2pcp, pcp-import-mrtg2pcp, pcp-import-sar2pcp, pcp-import-sheet2pcp, perl-PCP-LogImport, perl-PCP-LogSummary, perl-PCP-MMV, perl-PCP-PMDA, permissions
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)

Update released for: libpcp3, pcp, pcp-debuginfo, pcp-devel, pcp-import-iostat2pcp, pcp-import-mrtg2pcp, pcp-import-sar2pcp, pcp-import-sheet2pcp, perl-PCP-LogImport, perl-PCP-LogSummary, perl-PCP-MMV, perl-PCP-PMDA, permissions
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)