[Libevent-users] Advisory: integer overflow in evbuffers for Libevent <= 1.4.14b,2.0.21,2.1.4-alpha [CVE-2014-6272]
- To: libevent-users@xxxxxxxxxxxxx
- Subject: [Libevent-users] Advisory: integer overflow in evbuffers for Libevent <= 1.4.14b,2.0.21,2.1.4-alpha [CVE-2014-6272]
- From: Nick Mathewson <nickm@xxxxxxxxxxxxx>
- Date: Mon, 5 Jan 2015 10:27:49 -0500
- Reply-to: libevent-users@xxxxxxxxxxxxx
- Sender: owner-libevent-users@xxxxxxxxxxxxx
(If my email mangles this message, you can get the original signed
version at http://www.wangafu.net/~nickm/volatile/advisory.txt.asc )
CVE-2014-6272
SUMMARY:
A defect in the Libevent evbuffer API leaves some programs
that pass insanely large inputs to evbuffers open to a
possible heap overflow or infinite loop.
Most programs will not be affected, but just in case, we're
recommending that you patch or upgrade your Libevent.
Thanks to Andrew Bartlett of Catalyst (catalyst.net.nz) for
reporting this issue.
WHICH PROGRAMS ARE AFFECTED:
Any program that does *not* use the evbuffer API is *not*
affected. (A program uses the evbuffer API if it calls any
functions that begin with evbuffer_, bufferevent_, evhttp_, or
evrpc_).
A program _may_ be affected if it uses Libevent 1.4 and one of these
functions, or a function that calls it:
* evbuffer_add()
* evbuffer_expand()
* bufferevent_write()
Not all such programs are vulnerable! The attacker
additionally needs to be able to find a way to provoke the
program into trying to make a buffer larger than will fit into
a single size_t. (For example, if the buffer's current size
is X, the attacker needs to provoke the program into calling
evbuffer_add() or evbuffer_expand() with an argument size
above SIZE_MAX-X. Most programs don't let an attacker do
this.)
A program _may_ be affected if it uses Libevent 2.0 or later
and one of these functions, or a function that calls it:
* evbuffer_add()
* evbuffer_prepend()
* evbuffer_expand()
* evbuffer_reserve_space()
* evbuffer_read()
Not all such programs are vulnerable! The attacker
additionally needs to be able to find a way to provoke the
program into trying to make a buffer chunk larger than will
fit into a single size_t or off_t. (For example, if the
buffer's last chunk currently holds X bytes, the attacker needs
to provoke the program into calling evbuffer_add() or another
of the functions above with an argument size above SIZE_MAX-X
or OFF_MAX-X. Most programs don't let an attacker do this.)
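The arithmetic behind both the 1.4 and the 2.0 cases above, as an added example that is not Libevent's code: a buffer holding X bytes is asked to grow by an amount above SIZE_MAX-X, the naive sum wraps, and a capacity check that trusts the wrapped value lets the copy proceed. The function names and the constructed sizes are assumptions for illustration; the hardened form is the overflow-safe precheck a fixed implementation must perform before adding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (hypothetical helpers, not Libevent's own code).
 * `current` is the number of bytes already in the buffer (the X of the
 * advisory); `add` is the requested growth. */

/* Naive growth computation: current + add in size_t wraps silently when
 * the true sum exceeds SIZE_MAX, producing a tiny "needed" size. */
size_t naive_needed(size_t current, size_t add)
{
    return current + add;
}

/* A capacity check that trusts the naive sum: with a wrapped value it
 * wrongly concludes the existing allocation is large enough, which is
 * the condition that turns an oversized request into a heap overflow. */
bool naive_thinks_it_fits(size_t capacity, size_t current, size_t add)
{
    return naive_needed(current, add) <= capacity;
}

/* Hardened precheck: decide whether the sum can be represented before
 * computing it. This is exactly the "add > SIZE_MAX - X" test. */
bool grow_is_safe(size_t current, size_t add)
{
    return add <= SIZE_MAX - current;
}

/* Overflow-safe growth: stores the sum only when grow_is_safe() holds. */
bool checked_needed(size_t current, size_t add, size_t *needed)
{
    if (!grow_is_safe(current, add))
        return false;             /* refuse instead of wrapping */
    *needed = current + add;
    return true;
}

int main(void)
{
    size_t current = 64, capacity = 128, needed;
    size_t add = SIZE_MAX - 32;   /* constructed oversized request */

    printf("naive sum: %zu (wrapped)\n", naive_needed(current, add));
    printf("naive check says it fits: %s\n",
           naive_thinks_it_fits(capacity, current, add) ? "yes" : "no");
    printf("checked growth accepted: %s\n",
           checked_needed(current, add, &needed) ? "yes" : "no");
    return 0;
}
```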
I've used some tools to search for programs like this, and
didn't find any glaring examples, but my exploit-generation
skills are not the greatest, and I well could have missed
something. My colleagues have looked some too, and didn't find
anything that was actually exploitable to cause a heap
overflow.
Still, you should probably just upgrade Libevent if you're using
the evbuffer interface.
WHAT TO DO:
- Upgrade to the latest versions of Libevent. They are Libevent
1.4.15-stable, Libevent 2.0.22-stable, and Libevent
2.1.5-beta. They should be on the website soon. Until then,
you can go directly to
https://sourceforge.net/projects/levent/files/libevent/
- Alternatively, if you cannot upgrade, apply one of these
commits to your older version of Libevent:
7b21c4eabf1f3946d3f63cce1319c490caab8ecf for 1.4
20d6d4458bee5d88bda1511c225c25b2d3198d6c for 2.0
841ecbd96105c84ac2e7c9594aeadbcc6fb38bc4 for 2.1
- Alternatively, if you use your operating system's package for
Libevent, wait for your distribution to upgrade.
NOTES FOR LIBEVENT PROGRAMMERS:
- Some non-security bugs related to unsigned integer overflow
remain; they'll get fixed in the 2.1 series.
ACKNOWLEDGMENTS:
Thanks to Andrew Bartlett of Catalyst (catalyst.net.nz) for
reporting this issue.
Thanks to Yawning, Peter Palfrader, Mark Ellzey, Thomas Hoger,
and Adam Langley for advice and analysis. Thanks to the Debian
Security Team for getting me a CVE number.