Bug 897243 - (CVE-2014-6272) VUL-0: CVE-2014-6272: libevent: heap overflows
Status: RESOLVED FIXED
Duplicates: CVE-2015-6525, 947373, 961400
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Marcus Meissner
Whiteboard: maint:released:sle10-sp3:59233 maint:...
Reported: 2014-09-18 06:45 UTC by Marcus Meissner
Modified: 2018-01-12 13:36 UTC (History)
Attachments
libevent_14.diff (2.11 KB, patch), 2014-09-18 06:47 UTC, Marcus Meissner
libevent_20.diff (6.54 KB, patch), 2014-09-18 06:48 UTC, Marcus Meissner
libevent_21.diff (7.15 KB, patch), 2014-09-18 06:48 UTC, Marcus Meissner

Description Marcus Meissner 2014-09-18 06:45:51 UTC
embargoed, via security@suse.de

From: Nick Mathewson <nickm@freehaven.net>
Date: Wed, 17 Sep 2014 21:39:57 -0400
Subject: [security@suse.de] [Not for general release] Advisory wrt Libevent versions (CVE-2014-6272)

Hello, SUSE team.

(I'm also sending this to Fedora, Ubuntu, and Debian.)

Here is a not-yet-released advisory for a security issue in the Libevent
library, along with patches for the Libevent 1.4 series and the Libevent
2.0 and 2.1 series.  Please do not circulate it outside of your team yet.

I am sending it to you, along with my proposed patches, for a heads-up.
I expect to do an announcement when I release updated Libevent
versions -- I expect to do that on Monday, but it could be earlier or
later depending on what feedback I get.

This is CVE-2014-6272.

Please let me know if you have any questions or comments, whether the
patches look stupid, whether I seem to have missed something obvious,
etc.  Please prune your CC lists as appropriate and don't spam groups
that don't want to be spammed.
----------------------------------------------------------------------


CVE-2014-6272

SUMMARY:
    A defect in the Libevent evbuffer API leaves some programs
    open to possible heap overflow.  Most programs will not be affected,
    but just in case, we're recommending that you patch or upgrade your
    Libevent.

    Thanks to Andrew Bartlett for reporting this issue.

WHICH PROGRAMS ARE AFFECTED:
    Any program that does *not* use the evbuffer API is *not* affected.
    (A program uses the evbuffer API if it calls any functions that
    begin with evbuffer_, bufferevent_, evhttp_, or evrpc_).

    A program _may_ be affected if it uses Libevent 1.4 and one of these
    functions:
         * evbuffer_add()
         * evbuffer_expand()
         * bufferevent_write()
    Not all such programs are vulnerable! The attacker additionally needs to
    be able to find a way to provoke the program into trying to make a buffer
    larger than will fit into a single size_t.

    A program _may_ be affected if it uses Libevent 2.0 or later and one of
    these functions:
         * evbuffer_add()
         * evbuffer_prepend()
         * evbuffer_expand()
         * evbuffer_reserve_space()
         * evbuffer_read()
    Not all such programs are vulnerable! The attacker additionally
    needs to be able to find a way to provoke the program into trying to
    make a buffer chunk larger than will fit into a single size_t.

    I've used some tools to search for programs like this, and didn't
    find any glaring examples, but my exploit-generation skills are not
    the greatest, and I well could have missed something.

    You should probably just upgrade Libevent if you're using the
    evbuffer interface.

WHAT TO DO:

  - Upgrade to the latest versions of Libevent.  They are Libevent
    1.4.15-stable, Libevent 2.0.22-stable, and Libevent
    2.1.5-alpha. (These are not yet released as of this writing.)

  - Alternatively, if you cannot upgrade, apply one of the attached
    patches to an older version of libevent.

  - Alternatively, if you use your operating system's package for
    Libevent, wait for your distribution to upgrade.

NOTES FOR LIBEVENT PROGRAMMERS:

  - Some non-security bugs related to unsigned integer overflow remain;
    they'll get fixed in the 2.1 series.

ACKNOWLEDGMENTS:

  Thanks to Andrew Bartlett for reporting this issue.

  Thanks to Yawning, Peter Palfrader, and Mark Ellzey for advice.
  Thanks to the Debian Security Team for getting me a CVE number.
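As an added illustration of the defect class the advisory describes, not code from libevent or from this bug report: a constructed model of a buffer chunk whose growth arithmetic wraps in size_t, beside the checked form a hardened implementation needs. The struct and function names (struct chunk, needed_unchecked, needed_checked, grow_to_fit) are hypothetical, and the 256-byte starting size is an assumption.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of a growable buffer chunk (not libevent's struct). */
struct chunk {
    size_t misalign;  /* bytes already consumed at the front of the chunk */
    size_t off;       /* bytes of live data after misalign */
    size_t length;    /* bytes allocated; invariant: misalign + off <= length */
};

/* Unchecked size arithmetic: misalign + off + datlen is computed modulo
 * SIZE_MAX + 1, so a huge datlen makes the "needed" size wrap to a small
 * number; an allocation of that size is overrun when datlen bytes are copied. */
size_t needed_unchecked(const struct chunk *c, size_t datlen)
{
    return c->misalign + c->off + datlen;
}

/* Hardened form: refuse any request whose total is not representable.
 * Returns 0 and stores the size in *out, or -1 if the sum would wrap. */
int needed_checked(const struct chunk *c, size_t datlen, size_t *out)
{
    size_t base = c->misalign + c->off;   /* <= length, so it cannot wrap */
    if (datlen > SIZE_MAX - base)
        return -1;
    *out = base + datlen;
    return 0;
}

/* Growth policy with the same guard: double the allocation until it
 * covers `need`. The doubling is bounded too, because `length <<= 1`
 * wraps to 0 once the top bit is set. Stores the new size in c->length
 * (a real implementation would realloc() here). */
int grow_to_fit(struct chunk *c, size_t datlen)
{
    size_t need, length;
    if (needed_checked(c, datlen, &need) < 0)
        return -1;
    length = c->length ? c->length : 256;  /* assumed initial size */
    while (length < need) {
        if (length > SIZE_MAX / 2) {   /* doubling would wrap: use need */
            length = need;
            break;
        }
        length <<= 1;
    }
    c->length = length;
    return 0;
}
```

With a chunk holding 100 bytes and a request of SIZE_MAX - 50, the unchecked sum comes out as 49, which is exactly the undersized allocation a later copy overruns; the checked form rejects the same request.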
Comment 1 Marcus Meissner 2014-09-18 06:47:54 UTC
Created attachment 606787 [details]
libevent_14.diff
Comment 2 Marcus Meissner 2014-09-18 06:48:21 UTC
Created attachment 606788 [details]
libevent_20.diff

2.0 diff
Comment 3 Marcus Meissner 2014-09-18 06:48:48 UTC
Created attachment 606789 [details]
libevent_21.diff

2.1 diff
Comment 4 Swamp Workflow Management 2014-09-18 22:00:12 UTC
bugbot adjusting priority
Comment 5 Swamp Workflow Management 2014-09-19 09:12:13 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-10-03.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58993
Comment 6 SMASH SMASH 2014-09-19 09:15:12 UTC
Affected packages:

SLE-10-SP3-TERADATA: libevent
SLE-11-SP3: libevent
SLE-11-SP3-PRODUCTS: libevent
SLE-11-SP3-UPTU: libevent
Comment 11 Swamp Workflow Management 2014-10-11 01:04:52 UTC
SUSE-SU-2014:1283-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 897243
CVE References: CVE-2014-6272
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libevent-1.4.5-24.24.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    libevent-1.4.5-24.24.1
SUSE Linux Enterprise Server 11 SP3 (src):    libevent-1.4.5-24.24.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    libevent-1.4.5-24.24.1
Comment 16 Marcus Meissner 2015-01-15 15:09:47 UTC
fixed in SLES 12 GA.

submitted opensuse 13.1, 13.2.

factory update as soon as the tarballs work :/
Comment 17 Swamp Workflow Management 2015-01-23 19:06:48 UTC
openSUSE-SU-2015:0132-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 897243
CVE References: CVE-2014-6272
Sources used:
openSUSE 13.2 (src):    libevent-2.0.21-4.4.1
openSUSE 13.1 (src):    libevent-2.0.21-2.4.1
Comment 18 Leonardo Chiquitto 2015-11-24 21:51:12 UTC
*** Bug 947373 has been marked as a duplicate of this bug. ***
Comment 19 Leonardo Chiquitto 2016-02-22 20:59:11 UTC
*** Bug 961400 has been marked as a duplicate of this bug. ***
Comment 20 Karol Babioch 2018-01-12 13:36:55 UTC
*** Bug 943011 has been marked as a duplicate of this bug. ***