Date: Wed, 30 Apr 2014 16:45:26 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: possible miniupnpc buffer overflow

Good morning,

It was pointed out in
https://bugzilla.redhat.com/show_bug.cgi?id=1085618 that miniupnpc
version 1.9 fixes a possible buffer overflow:

https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9

I am not familiar with the code but it may be just a crash, with an
invalid read here (on line 131):

129                         /* parse header lines */
130                         for(i = 0; i < endofheaders - 1; i++) {
131                                 if(colon <= linestart && header_buf[i]==':')

Can a CVE be assigned if one has not been already?

On a related note, I'm not sure if there are other issues close by. For
example, in version 1.9, miniwget.c:

172                         /* copy the remaining of the received data back to buf */
173                         n = header_buf_used - endofheaders;
174                         memcpy(buf, header_buf + endofheaders, n);

n and endofheaders are signed ints, and header_buf_used is unsigned.
Mixing the types together (and the signed int in the memcpy) may warrant
further investigation.

Cheers,

--
Murray McAllister / Red Hat Security Response Team
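The following is an added illustration of the signed/unsigned concern raised above for miniwget.c lines 173-174; it is not part of the post and not miniupnpc's code. It reproduces the arithmetic of line 173 as quoted, shows what length the memcpy on line 174 would receive if `endofheaders` ever exceeded `header_buf_used`, and then gives an assumed hardened version of the copy step (`checked_copy_remaining`, a hypothetical name) that validates both lengths before copying. The HTTP header sample is constructed for the demo.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same expression as the quoted line 173: unsigned header_buf_used minus
 * signed endofheaders, stored in a signed int. The subtraction happens in
 * unsigned arithmetic (endofheaders is converted), so a too-large
 * endofheaders wraps instead of going negative, and the result converted
 * back to int comes out negative. */
int unchecked_n(unsigned int header_buf_used, int endofheaders)
{
    int n = header_buf_used - endofheaders;
    return n;
}

/* memcpy takes size_t, so a negative n becomes a huge length. */
size_t as_memcpy_len(int n)
{
    return (size_t)n;
}

/* Assumed hardened copy step (hypothetical, not miniupnpc's code).
 * Returns the number of bytes copied, or -1 if the lengths are inconsistent
 * or the destination is too small. */
int checked_copy_remaining(char *buf, size_t bufsize,
                           const char *header_buf, unsigned int header_buf_used,
                           int endofheaders)
{
    size_t n;
    if (endofheaders < 0 || (unsigned int)endofheaders > header_buf_used)
        return -1;                 /* offset lies outside the received data */
    n = header_buf_used - (unsigned int)endofheaders;
    if (n > bufsize || n > INT_MAX)
        return -1;                 /* would overflow the destination buffer */
    memcpy(buf, header_buf + endofheaders, n);
    return (int)n;
}

/* Constructed sample: a header block followed by a 5-byte body.
 * Returns bytes copied if the body arrives intact, -1 otherwise. */
int demo_checked_copy(void)
{
    const char header_buf[] =
        "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
    unsigned int used = (unsigned int)(sizeof header_buf - 1);
    int eoh = (int)(used - 5);     /* index of the first body byte */
    char buf[8];
    int n = checked_copy_remaining(buf, sizeof buf, header_buf, used, eoh);
    if (n != 5 || memcmp(buf, "hello", 5) != 0)
        return -1;
    return n;
}

/* Constructed bad case: endofheaders past the end of the received data. */
int demo_rejects_bad_offset(void)
{
    const char header_buf[] = "abc";
    char buf[8];
    return checked_copy_remaining(buf, sizeof buf, header_buf, 3, 20);
}

int main(void)
{
    printf("checked copy: %d bytes\n", demo_checked_copy());
    printf("bad offset rejected: %d\n", demo_rejects_bad_offset());
    printf("unchecked n with used=10, eoh=20: %d\n", unchecked_n(10, 20));
    return 0;
}
```

The point of the checked version is that it never lets the subtraction run on a pair of values where `endofheaders` is negative or larger than `header_buf_used`, and it compares the resulting length against the real size of `buf` before calling memcpy, which is the check a reviewer would look for at line 173.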
