NetBSD Security Advisory 2015-005: buffer overflow in libevent (CVE-2014-6272)
23 March, 2015 by security-officer@netbsd.org | netbsd
NetBSD Security Advisory 2015-005
=================================

Topic:          buffer overflow in libevent (CVE-2014-6272)

Version:        NetBSD-current:         source prior to Jan 29th
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected

Severity:       DoS, potential code execution

Fixed:          NetBSD-current:         Jan 30th, 2015
                NetBSD-7 branch:        Feb 9th, 2015
                NetBSD-6-0 branch:      Feb 5th, 2015
                NetBSD-6-1 branch:      Feb 5th, 2015
                NetBSD-6 branch:        Feb 5th, 2015
                NetBSD-5-2 branch:      Feb 5th, 2015
                NetBSD-5-1 branch:      Feb 5th, 2015
                NetBSD-5 branch:        Feb 5th, 2015

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A defect in the libevent evbuffer API leaves programs that pass inputs
that in sum overflow size_t to evbuffers vulnerable to a possible heap
overflow or infinite loop. For this to be a security issue, the
vulnerable program also must not be sanitizing buffer sizes supplied by
the user.


Technical Details
=================

A program that uses evbuffer_add or evbuffer_expand followed by a
bufferevent_write in NetBSD-6 or below, and additionally
evbuffer_prepend, evbuffer_reserve_space or evbuffer_read in NetBSD-7
and -current, and does not sanity check user-derived buffer sizes it
passes to the library functions, may allow an attacker to construct an
evbuffer with inconsistent size and to overwrite parts of the program's
memory outside the evbuffer.


Solutions and Workarounds
=========================

Update libevent.

- From source:
+-----------
        Update src and rebuild and install.
- From tarballs:
+-------------
To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from

    http://nyftp.netbsd.org/pub/NetBSD-daily/<rel>/<date>/<arch>/binary/sets/

with a date later than the fix date for your branch as listed above,
and your release version and architecture (e.g.
http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-0/201502080050Z/amd64/binary/sets/ ),
and then extract the files:

Shared libraries:

    tar xzpf base.tgz \*libevent\*

And static libraries and linker config files:

    tar xzpf comp.tgz \*libevent\*

Get the fixed library into use
+-----------------------------
Since the vulnerability is in a shared library, getting the old library
purged and the fixed one into use requires restarting all programs that
load libevent. The easiest way to do this is to reboot the system.

Another method using /bin/sh:

    ps ax -o pid | (while read pid; do \
            pmap $pid | egrep 'libevent' && echo found $pid ;\
    done)

will find non-chrooted programs that have the affected libraries open;
restart them.

    ldd <programname>

will show the shared libraries a program will want to use.

Fixed vulnerable source versions
+-------------------------------
src/external/bsd/libevent/dist/buffer.c
    HEAD            1.3
    netbsd-7        1.2.8.1
    netbsd-6        1.1.1.1.8.1
    netbsd-6-1      1.1.1.1.20.1
    netbsd-6-0      1.1.1.1.14.1

src/lib/libevent/buffer.c
    netbsd-5        1.4.4.2
    netbsd-5-2      1.4.4.1.6.1
    netbsd-5-1      1.4.4.1.2.1


Thanks To
=========

Thanks to Andrew Bartlett of Catalyst (catalyst.net.nz) for reporting
this issue and Nick Mathewson of libevent for their advisory and fix.


Revision History
================

        2015-03-17      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-005.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2015-005.txt,v 1.1 2015/03/17 06:58:44 spz Exp $
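
The sanity check on user-derived buffer sizes that Technical Details calls for, shown as an added example (not code from the advisory, NetBSD or libevent). MAX_QUEUED, the function names and grow_capacity (a simplified model of a doubling growth loop, not libevent's allocator) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-peer cap; pick one that fits the application. */
#define MAX_QUEUED ((size_t)16 * 1024 * 1024)

/* What an unchecked caller computes: wraps when the inputs in sum
 * overflow size_t, so the result can be far smaller than either input. */
static size_t unchecked_total(size_t queued, size_t add)
{
    return queued + add;
}

/* Call before handing a user-derived length to evbuffer_add() or
 * evbuffer_expand(). Returns 0 and sets *total, or -1 to reject. */
static int checked_total(size_t queued, size_t add, size_t *total)
{
    if (add > SIZE_MAX - queued)        /* sum would wrap */
        return -1;
    if (queued + add > MAX_QUEUED)      /* sum exceeds policy cap */
        return -1;
    *total = queued + add;
    return 0;
}

/* Simplified model of a doubling growth loop (not libevent's code).
 * Returns 0 instead of spinning once doubling can no longer reach need. */
static size_t grow_capacity(size_t start, size_t need)
{
    size_t cap = start ? start : 64;

    while (cap < need) {
        if (cap > SIZE_MAX / 2)         /* cap << 1 would wrap */
            return 0;
        cap <<= 1;
    }
    return cap;
}

int main(void)
{
    size_t total = 0, hostile = SIZE_MAX - 100;   /* constructed input */

    printf("unchecked sum: %zu\n", unchecked_total(4096, hostile));
    printf("checked sum:   %d\n", checked_total(4096, hostile, &total));
    printf("capacity:      %zu\n", grow_capacity(256, hostile));
    return 0;
}
```

A caller that rejects the request when checked_total returns -1 never passes a wrapped length to the library, whether or not the installed libevent carries the fix.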