NetBSD Security Advisory 2015-005: buffer overflow in libevent (CVE-2014-6272)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                NetBSD Security Advisory 2015-005
                =================================

Topic:          buffer overflow in libevent (CVE-2014-6272)


Version:        NetBSD-current:         source prior to Jan 29th
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected

Severity:       DoS, potential code execution

Fixed:          NetBSD-current:         Jan 30th, 2015
                NetBSD-7 branch:        Feb 9th, 2015
                NetBSD-6-0 branch:      Feb 5th, 2015
                NetBSD-6-1 branch:      Feb 5th, 2015
                NetBSD-6 branch:        Feb 5th, 2015
                NetBSD-5-2 branch:      Feb 5th, 2015
                NetBSD-5-1 branch:      Feb 5th, 2015
                NetBSD-5 branch:        Feb 5th, 2015

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A defect in the libevent evbuffer API leaves programs vulnerable to
a possible heap overflow or infinite loop when they pass evbuffers
inputs whose sizes in sum overflow size_t. For this to be a security
issue, the vulnerable program must also fail to sanitize buffer sizes
supplied by the user.


Technical Details
=================

A program that does not sanity check the user-derived buffer sizes it
passes to the library functions may allow an attacker to construct
an evbuffer with inconsistent size and to overwrite parts of
the program's memory outside the evbuffer. The affected usage is
evbuffer_add or evbuffer_expand followed by a bufferevent_write in
NetBSD-6 or below, and additionally evbuffer_prepend,
evbuffer_reserve_space or evbuffer_read in NetBSD-7 and -current.
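
As an added illustration (not part of the NetBSD advisory and not libevent's
code), the following C program shows the caller-side size check whose absence
the paragraph above describes: two user-derived lengths whose sum wraps size_t,
and a guard that rejects them. The function names and the 16 MiB cap are
assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed application policy cap; not a libevent constant. */
#define APP_MAX_BUFFERED ((size_t)16 * 1024 * 1024)

/* What an unguarded caller computes: wraps modulo SIZE_MAX + 1. */
static size_t unchecked_total(size_t buffered, size_t incoming)
{
    return buffered + incoming;
}

/* Returns 0 and stores the new total in *out if buffered + incoming is
 * representable in size_t and within the cap; returns -1 otherwise. */
static int checked_total(size_t buffered, size_t incoming, size_t *out)
{
    if (incoming > SIZE_MAX - buffered)         /* sum would overflow size_t */
        return -1;
    if (buffered + incoming > APP_MAX_BUFFERED) /* over the policy limit */
        return -1;
    *out = buffered + incoming;
    return 0;
}

/* Validate user-derived chunk lengths in the order they would be appended.
 * Returns the number of chunks accepted; *total is the accepted byte count. */
static size_t accept_chunks(const size_t *lens, size_t n, size_t *total)
{
    size_t i;

    *total = 0;
    for (i = 0; i < n; i++)
        if (checked_total(*total, lens[i], total) != 0)
            break;                              /* reject this and the rest */
    return i;
}

int main(void)
{
    /* Constructed sample input: two lengths whose sum wraps size_t. */
    size_t lens[] = { 4096, SIZE_MAX - 100 };
    size_t total;
    size_t ok = accept_chunks(lens, 2, &total);

    printf("unchecked sum: %zu\n", unchecked_total(lens[0], lens[1]));
    printf("accepted %zu chunk(s), %zu bytes\n", ok, total);
    return 0;
}
```

The wrapped sum looks like a small, valid size, which is why the check has to
happen before the addition rather than on its result.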


Solutions and Workarounds
=========================

Update libevent.

- From source:
+-----------
Update src and rebuild and install.

- From tarballs:
+-------------
To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from
http://nyftp.netbsd.org/pub/NetBSD-daily/<rel>/<date>/<arch>/binary/sets/
with a date later than the fix date for your branch as listed above,
and your release version and architecture
(e.g. http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-0/201502080050Z/amd64/binary/sets/),
and then extract the files:

Shared libraries:

tar xzpf base.tgz \*libevent\*

And static libraries and linker config files:

tar xzpf comp.tgz \*libevent\*

Get the fixed library into use
+-----------------------------
Since the vulnerability is in a shared library, getting the old
library purged and the fixed one into use requires restarting
all programs that load libevent.
The easiest way to do this is to reboot the system.
Another method using /bin/sh:

ps ax -o pid | (while read pid; do \
        pmap $pid | egrep 'libevent' && echo found $pid ;\
done)

will find non-chrooted programs that have the affected libraries
open; restart them.
ldd <programname> will show the shared libraries a program will want to use.

Fixed vulnerable source versions
+-------------------------------

                src/external/bsd/libevent/dist/buffer.c
HEAD            1.3
netbsd-7        1.2.8.1
netbsd-6        1.1.1.1.8.1
netbsd-6-1      1.1.1.1.20.1
netbsd-6-0      1.1.1.1.14.1

                src/lib/libevent/buffer.c
netbsd-5        1.4.4.2
netbsd-5-2      1.4.4.1.6.1
netbsd-5-1      1.4.4.1.2.1


Thanks To
=========

Thanks to Andrew Bartlett of Catalyst (catalyst.net.nz) for
reporting this issue and Nick Mathewson of libevent for their
advisory and fix.


Revision History
================

        2015-03-17      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2015-005.txt,v 1.1 2015/03/17 06:58:44 spz Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----