Date: Thu, 20 Aug 2015 22:15:19 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: CVE-2015-5185 sblim-sfcb: lookupProviders() null pointer dereference

So the reporter specifically asked us to handle disclosure just now, so
here you go:


Qinghao Tang of QIHU 360 reports:

The function lookupProviders() in sblim-sfcb versions 1.3.4 and 1.3.18
has a null dereference vulnerability; a remote attacker can cause a
denial of service (sblim-sfcb crash) via a crafted packet without
"className" info.


Let's see how this issue happened; the code below is from
./sblim-sfcb-1.3.18/providerMgr.c:


static UtilList *lookupProviders(long type, char *className, char *nameSpace,
                                 CMPIStatus *st)
{
   UtilList *lst;
   UtilHashTable **ht=provHt(type,1);
   char *id;
   int rc;

   _SFCB_ENTER(TRACE_PROVIDERMGR, "lookupProviders");

   //here, className should be checked
   id=(char*)malloc(strlen(nameSpace)+strlen(className)+8);
   strcpy(id,nameSpace);
   strcat(id,"|");

   ...

}


Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5185



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
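
An added example, not part of the original post or of sblim-sfcb: the id construction from the excerpt above with the missing check in place. The helper name build_provider_id, the "nameSpace|className" key layout (inferred from the visible strcpy/strcat calls and the malloc size) and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not in sblim-sfcb): builds the lookup key that
 * lookupProviders() assembles inline. The "nameSpace|className" layout is
 * an assumption based on the visible part of the excerpt.
 * Returns a heap string the caller must free, or NULL when an input is
 * missing or allocation fails. */
static char *build_provider_id(const char *nameSpace, const char *className)
{
    size_t cap;
    char *id;

    /* The check the report says is missing: a request that carries no
     * className must be rejected before strlen() touches the pointer. */
    if (nameSpace == NULL || className == NULL)
        return NULL;

    cap = strlen(nameSpace) + strlen(className) + 8; /* same slack as the excerpt */
    id = malloc(cap);
    if (id == NULL)                 /* the excerpt also uses malloc() unchecked */
        return NULL;

    /* Bounded formatting instead of strcpy()/strcat() chains. */
    snprintf(id, cap, "%s|%s", nameSpace, className);
    return id;
}

int main(void)
{
    /* Constructed inputs: a normal request and one lacking className. */
    char *ok  = build_provider_id("root/cimv2", "CIM_ComputerSystem");
    char *bad = build_provider_id("root/cimv2", NULL);

    printf("with className:    %s\n", ok  ? ok  : "(rejected)");
    printf("without className: %s\n", bad ? bad : "(rejected)");

    free(ok);
    free(bad);
    return 0;
}
```

A caller would treat the NULL return as an invalid request and report an error through its status argument instead of continuing with the lookup.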
