Bug 965810 - (CVE-2016-1526) VUL-0: CVE-2016-1526: graphite2: DoS
(CVE-2016-1526)
VUL-0: CVE-2016-1526: graphite2: DoS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/161685/
CVSSv2:SUSE:CVE-2016-1526:6.8:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-09 09:24 UTC by Sebastian Krahmer
Modified: 2016-06-08 12:25 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch against 1.3.1 (4.03 KB, patch)
2016-03-03 15:04 UTC, Petr Gajdos
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2016-02-09 23:01:06 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2016-02-15 13:39:16 UTC
This bug is probably related to second part of 'Denial of Service'. Which commit is supposed to fix this issue?

Thank you
Comment 16 Marcus Meissner 2016-03-03 09:53:53 UTC
Only gr_feature_ref* pfeatureref is ever passed out, but there is never defined how gr_feature_ref is built of, so it is only ever used as a pointer.


-> is ok to change size internally.


The rest also just seem to change internal details, not exposed apis.
Comment 17 Marcus Meissner 2016-03-03 10:08:45 UTC
for a versipon update we would need to look at the diff again.
Comment 18 Petr Gajdos 2016-03-03 15:04:30 UTC
Created attachment 667659 [details]
patch against 1.3.1

Four of these seven commits from comment 5 was already in 1.3.1.
Comment 22 Bernhard Wiedemann 2016-03-07 11:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (965810) was mentioned in
https://build.opensuse.org/request/show/367416 13.2 / graphite2
Comment 23 Petr Gajdos 2016-03-07 13:18:05 UTC
Packages submitted.
Comment 24 Swamp Workflow Management 2016-03-15 20:12:46 UTC
SUSE-SU-2016:0779-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 965803,965807,965810
CVE References: CVE-2016-1521,CVE-2016-1523,CVE-2016-1526
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    graphite2-1.3.1-6.1
SUSE Linux Enterprise Software Development Kit 12 (src):    graphite2-1.3.1-6.1
SUSE Linux Enterprise Server 12-SP1 (src):    graphite2-1.3.1-6.1
SUSE Linux Enterprise Server 12 (src):    graphite2-1.3.1-6.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    graphite2-1.3.1-6.1
SUSE Linux Enterprise Desktop 12 (src):    graphite2-1.3.1-6.1
Comment 25 Swamp Workflow Management 2016-03-16 18:13:47 UTC
openSUSE-SU-2016:0791-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 965803,965806,965807,965810
CVE References: CVE-2016-1521,CVE-2016-1522,CVE-2016-1523,CVE-2016-1526
Sources used:
openSUSE 13.2 (src):    graphite2-1.2.4-2.4.1
Comment 26 Marcus Meissner 2016-03-18 14:20:14 UTC
released
Comment 27 Swamp Workflow Management 2016-03-24 14:09:06 UTC
openSUSE-SU-2016:0875-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 965803,965807,965810
CVE References: CVE-2016-1521,CVE-2016-1523,CVE-2016-1526
Sources used:
openSUSE Leap 42.1 (src):    graphite2-1.3.1-3.1