Bugzilla – Bug 1022918
VUL-1: CVE-2016-10196: libevent: stack/buffer overflow in evutil_parse_sockaddr_port()
Last modified: 2022-02-13 11:24:09 UTC
Ref: http://seclists.org/oss-sec/2017/q1/250

==============================================
Libevent 2.1.6 fixed three bugs that may have security implications.

2) libevent (stack) buffer overflow in evutil_parse_sockaddr_port()

------
in evutil.c:

    1798         char buf[128];
    ...
    ...
    1809         cp = strchr(ip_as_string, ':');
    1810         if (*ip_as_string == '[') {
    1811                 int len;
    1812                 if (!(cp = strchr(ip_as_string, ']'))) {
    1813                         return -1;
    1814                 }
    1815                 len = (int) ( cp-(ip_as_string + 1) );
    1816                 if (len > (int)sizeof(buf)-1) {
    1817                         return -1;
    1818                 }
    1819                 memcpy(buf, ip_as_string+1, len);

Length between '[' and ']' is cast to signed 32 bit integer on line 1815. If the length is more than 2<<31 (INT_MAX), len will hold a negative value. Consequently, it will pass the check at line 1816. Segfault happens at line 1819.

[...]

azat closed this in 329acc1 on Feb 1, 2016
------
https://github.com/libevent/libevent/issues/318
==============================================

(open-)SUSE:
https://software.opensuse.org/package/libevent :
TW: 2.0.22
42.(1|2): 2.0.21

SLE12-SP2 does not seem to ship libevent.
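The length check quoted above, modelled side by side with a full-width version (an added example, not code from libevent or from this bug report). The function names, the 64-bit span parameter and the hardened parser are assumptions made for illustration; the narrowing result relies on the wrap-around behaviour that GCC and Clang document for out-of-range integer conversions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_BUF 128  /* same size as buf[] in the excerpt */

/* Model of the check on lines 1815-1816: the span is narrowed to int first.
 * Returns 1 if the code would go on to memcpy(), 0 if it would return -1. */
static int narrowed_check_allows_copy(int64_t span)
{
    int len = (int)span;            /* wraps negative once span > INT_MAX */
    if (len > (int)HOST_BUF - 1)
        return 0;
    return 1;
}

/* Same decision with the span kept at full width and compared unsigned. */
static int wide_check_allows_copy(int64_t span)
{
    if (span < 0 || (uint64_t)span > HOST_BUF - 1)
        return 0;
    return 1;
}

/* Hypothetical hardened parser: copies the text between '[' and ']' into out.
 * Returns the host length, or -1 on malformed or oversized input. */
static int copy_bracketed_host(const char *s, char *out, size_t outsz)
{
    const char *end;
    size_t len;
    if (outsz == 0 || s[0] != '[' || !(end = strchr(s, ']')))
        return -1;
    len = (size_t)(end - (s + 1));  /* end >= s + 1, so never negative */
    if (len > outsz - 1)
        return -1;
    memcpy(out, s + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char host[HOST_BUF];
    int64_t big = (int64_t)INT_MAX + 2;  /* constructed span just past INT_MAX */
    printf("narrowed: %d  wide: %d\n",
           narrowed_check_allows_copy(big), wide_check_allows_copy(big));
    printf("parsed len: %d\n", copy_bracketed_host("[::1]:80", host, sizeof host));
    return 0;
}
```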
bugbot adjusting priority
[affected]
SUSE:SLE-12:Update/libevent/libevent-2.0.21-stable/evutil.c:1811

In SLE-11 the function in question does not exist, but where the function is called today in SLE-12 there is a similar issue in SLE-11:
SUSE:SLE-11:Update/libevent/libevent-1.4.5-stable/evdns.c:2143,2155

[not affected]
SLE-10-SP3 does not contain the function or any port variables, not affected.
Created attachment 712807
PoC program to trigger this issue
QA reproducer:

I've provided an adjusted PoC program in attachment 712807. I've tested this on openSUSE Leap 42.2; libevent-devel is required to be installed. Compile as follows:

    gcc -o port_poc port_poc.c `pkg-config --cflags --libs libevent`

Running the program caused a SIGABRT for me when the issue was still present. Note, however, that this PoC allocated 2 GB of heap memory, so running it on a machine that is small with regard to memory might fail for other reasons.
SUSE-SU-2018:0200-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022917,1022918,1022919
CVE References: CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Server 12-SP3 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Server 12-SP2 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src): libevent-2.0.21-6.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libevent-2.0.21-6.3.1
SUSE CaaS Platform ALL (src): libevent-2.0.21-6.3.1
openSUSE-SU-2018:0220-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022917,1022918,1022919
CVE References: CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Sources used:
openSUSE Leap 42.3 (src): libevent-2.0.21-10.1
openSUSE Leap 42.2 (src): libevent-2.0.21-7.3.1
released
SUSE-SU-2018:0263-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022917,1022918,1022919
CVE References: CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libevent-1.4.5-24.24.3.1
SUSE Linux Enterprise Server 11-SP4 (src): libevent-1.4.5-24.24.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libevent-1.4.5-24.24.3.1