Bugzilla – Bug 897243
VUL-0: CVE-2014-6272: libevent: heap overflows
Last modified: 2018-01-12 13:36:55 UTC
embargoed, via security@suse.de

From: Nick Mathewson <nickm@freehaven.net>
Date: Wed, 17 Sep 2014 21:39:57 -0400
Subject: [security@suse.de] [Not for general release] Advisory wrt Libevent versions (CVE-2014-6272)

Hello, SUSE team. (I'm also sending this to Fedora, Ubuntu, and Debian.)

Here is a not-yet-released advisory for a security issue in the Libevent library, along with patches for the Libevent 1.4 series and the Libevent 2.0 and 2.1 series. Please do not circulate it outside of your team yet. I am sending it to you, along with my proposed patches, for a heads-up.

I expect to do an announcement when I release updated Libevent versions -- I expect to do that on Monday, but it could be earlier or later depending on what feedback I get.

This is CVE-2014-6272.

Please let me know if you have any questions or comments, whether the patches look stupid, whether I seem to have missed something obvious, etc.

Please prune your CC lists as appropriate and don't spam groups that don't want to be spammed.

----------------------------------------------------------------------
CVE-2014-6272

SUMMARY:

A defect in the Libevent evbuffer API leaves some programs open to possible heap overflow. Most programs will not be affected, but just in case, we're recommending that you patch or upgrade your Libevent.

Thanks to Andrew Bartlett for reporting this issue.

WHICH PROGRAMS ARE AFFECTED:

Any program that does *not* use the evbuffer API is *not* affected. (A program uses the evbuffer API if it calls any functions that begin with evbuffer_, bufferevent_, evhttp_, or evrpc_).

A program _may_ be affected if it uses Libevent 1.4 and one of these functions:

* evbuffer_add()
* evbuffer_expand()
* bufferevent_write()

Not all such programs are vulnerable! The attacker additionally needs to be able to find a way to provoke the program into trying to make a buffer larger than will fit into a single size_t.
A program _may_ be affected if it uses Libevent 2.0 or later and one of these functions:

* evbuffer_add()
* evbuffer_prepend()
* evbuffer_expand()
* evbuffer_reserve_space()
* evbuffer_read()

Not all such programs are vulnerable! The attacker additionally needs to be able to find a way to provoke the program into trying to make a buffer chunk larger than will fit into a single size_t.

I've used some tools to search for programs like this, and didn't find any glaring examples, but my exploit-generation skills are not the greatest, and I well could have missed something. You should probably just upgrade Libevent if you're using the evbuffer interface.

WHAT TO DO:

- Upgrade to the latest versions of Libevent. They are Libevent 1.4.15-stable, Libevent 2.0.22-stable, and Libevent 2.1.5-alpha. (These are not yet released as of this writing.)
- Alternatively, if you cannot upgrade, apply one of the attached patches to an older version of libevent.
- Alternatively, if you use your operating system's package for Libevent, wait for your distribution to upgrade.

NOTES FOR LIBEVENT PROGRAMMERS:

- Some non-security bugs related to unsigned integer overflow remain; they'll get fixed in the 2.1 series.

ACKNOWLEDGMENTS:

Thanks to Andrew Bartlett for reporting this issue. Thanks to Yawning, Peter Palfrader, and Mark Ellzey for advice. Thanks to the Debian Security Team for getting me a CVE number.
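The advisory's precondition is a requested buffer size that no longer fits in a size_t. As a general illustration of how that turns into an undersized allocation, and of the check that prevents it, here is an added C example; it is not part of the advisory and is not Libevent's code or its patch, and struct gbuf, need_unchecked, need_checked and gbuf_add are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer for illustration; not Libevent's evbuffer. */
struct gbuf { unsigned char *data; size_t off, total; }; /* used, allocated */

/* Unchecked: off + datlen wraps modulo SIZE_MAX + 1, so a huge datlen gives
 * a small "need" and a caller that trusts it under-allocates. */
size_t need_unchecked(size_t off, size_t datlen) { return off + datlen; }

/* Checked: 0 and the sum in *need, or -1 if it does not fit in a size_t. */
int need_checked(size_t off, size_t datlen, size_t *need)
{
    if (datlen > SIZE_MAX - off)
        return -1;
    *need = off + datlen;
    return 0;
}

/* Append datlen bytes, growing by doubling. All sizes are validated before
 * realloc() or memcpy() runs; on failure the buffer is left unchanged. */
int gbuf_add(struct gbuf *b, const void *src, size_t datlen)
{
    size_t need, cap;
    unsigned char *p;

    if (need_checked(b->off, datlen, &need) < 0)
        return -1;
    if (need > b->total) {
        cap = b->total ? b->total : 64;
        while (cap < need)
            cap = (cap > SIZE_MAX / 2) ? need : cap * 2; /* doubling would wrap */
        p = realloc(b->data, cap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->total = cap;
    }
    if (datlen)
        memcpy(b->data + b->off, src, datlen);
    b->off = need;
    return 0;
}
```

For a buffer already holding data, need_unchecked() with a datlen close to SIZE_MAX returns a small number, while gbuf_add() with the same datlen returns -1 and leaves the buffer untouched.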
Created attachment 606787: libevent_14.diff
Created attachment 606788: libevent_20.diff (2.0 diff)
Created attachment 606789: libevent_21.diff (2.1 diff)
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-10-03. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58993
Affected packages:
SLE-10-SP3-TERADATA: libevent
SLE-11-SP3: libevent
SLE-11-SP3-PRODUCTS: libevent
SLE-11-SP3-UPTU: libevent

SUSE-SU-2014:1283-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 897243
CVE References: CVE-2014-6272
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libevent-1.4.5-24.24.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): libevent-1.4.5-24.24.1
SUSE Linux Enterprise Server 11 SP3 (src): libevent-1.4.5-24.24.1
SUSE Linux Enterprise Desktop 11 SP3 (src): libevent-1.4.5-24.24.1
fixed in SLES 12 GA. submitted opensuse 13.1, 13.2. factory update as soon as the tarballs work :/
openSUSE-SU-2015:0132-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 897243
CVE References: CVE-2014-6272
Sources used:
openSUSE 13.2 (src): libevent-2.0.21-4.4.1
openSUSE 13.1 (src): libevent-2.0.21-2.4.1
*** Bug 947373 has been marked as a duplicate of this bug. ***
*** Bug 961400 has been marked as a duplicate of this bug. ***
*** Bug 943011 has been marked as a duplicate of this bug. ***