Bug 778508 (CVE-2012-4428) - VUL-1: CVE-2012-4428: openslp: Denial of Service (Application crash) due to out of bounds read
Status: RESOLVED FIXED
Alias: CVE-2012-4428
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2015-04-08
Assignee: Michael Schröder
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:61656 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-03 13:44 UTC by Sebastian Krahmer
Modified: 2020-04-02 02:25 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Sebastian Krahmer 2012-09-03 13:44:08 UTC
Via private SECUNIA mail:


We have confirmed the vulnerability in version 1.2.1.

Details:
---------

The vulnerability is caused due to an out-of-bounds read error within the
"SLPIntersectStringList()" function (common/slp_compare.c) when processing
service requests and can be exploited to cause a crash via a specially
crafted request.

---------

Please find the PoC attached.

Please acknowledge receiving this e-mail and let us know when you expect to
fix the vulnerability.
Credits should go to: "Georgi Geshev via Secunia SVCRP".

A copy of the Secunia Research Disclosure Policy can be located here:
http://secunia.com/community/research/policy/
Comment 2 Swamp Workflow Management 2012-09-03 22:00:25 UTC
bugbot adjusting priority
Comment 3 Matthias Weckbecker 2012-09-10 09:16:54 UTC
Note: At the time of writing there is unfortunately no CRD available. We will
update the bug once it has got a CRD or any other news. Thanks.
Comment 4 Matthias Weckbecker 2012-09-10 10:36:12 UTC
I have had a quick peek into it out of curiosity: itemend-1 is always '\\',
regardless of 'itemend == listend' and '*itemend == ','', i.e. thus the break
won't ever get executed whereas itemend gets increased by 1 every time the
while(1) loop ends.
Comment 5 Matthias Weckbecker 2012-09-10 10:38:25 UTC
... which then results in out of bounds read access of 'itemend'.
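The scan loop described in comments 4 and 5, as an added C model that is not OpenSLP's own code: the item scanner runs its escape check before (unfixed) or after (fixed) its end-of-list check, and an extra guard makes the unfixed order report the out-of-bounds step instead of performing it. The `fixed` flag, the `overread` output and the leading-comma guard are constructed for this example.

```c
#include <stddef.h>

/* Constructed model of the item scanner in SLPIntersectStringList()
 * (not OpenSLP's code): items are separated by ',' and a comma that
 * follows '\\' is treated as escaped. Returns the end of the item that
 * starts at `begin`. With `fixed` == 0 the checks run in the original
 * order (escape check before end-of-list check); the added guard makes
 * the model report an overread instead of reading past listend. With
 * `fixed` == 1 the end-of-list check comes first, so the byte before
 * listend is never inspected once the end has been reached. */
const char *item_end(const char *begin, const char *listend,
                     int fixed, int *overread)
{
    const char *itemend = begin;
    *overread = 0;
    for (;;) {
        if (fixed && itemend == listend)
            break;                        /* end of list: nothing to escape */
        if (itemend == listend || *itemend == ',') {
            /* `itemend == begin` guards a leading comma; added for the model */
            if (itemend == begin || *(itemend - 1) != '\\')
                break;                    /* unescaped delimiter or end */
        }
        if (itemend == listend) {         /* original loop would step past */
            *overread = 1;
            return itemend;
        }
        itemend++;
    }
    return itemend;
}

/* Walks a list the way the intersect loop does and returns the number of
 * items, or -1 if the unfixed order would have read past `list + len`. */
int count_items(const char *list, size_t len, int fixed)
{
    const char *listend = list + len;
    const char *itembegin = list;
    int n = 0, overread;
    while (itembegin < listend) {
        const char *itemend = item_end(itembegin, listend, fixed, &overread);
        if (overread)
            return -1;
        n++;
        itembegin = itemend + 1;
    }
    return n;
}
```

A list whose last byte is a backslash (constructed input such as "svc\\") is the case the comments describe: the unfixed order never breaks at listend, while the fixed order stops there.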
Comment 6 Matthias Weckbecker 2012-09-10 10:45:23 UTC
Created attachment 505009 [details]
-- openslp.bnc778508-openslp-out-of-bounds-read.patch

One way (probably out of many others) to address this. Be aware: It might have
its side effects if there is actual content behind '\\'.
Comment 7 Sebastian Krahmer 2012-09-12 15:00:40 UTC
Their proposed CRD is September 14, 2012
Comment 9 Matthias Weckbecker 2012-09-14 08:52:06 UTC
CVE-2012-4428
Comment 10 Matthias Weckbecker 2012-09-14 09:34:32 UTC
Public as per [1]. Small addition on c#6: It's the way upstream does it these
days.

[1] http://seclists.org/oss-sec/2012/q3/476
Comment 11 Swamp Workflow Management 2015-03-11 15:28:30 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-04-08.
https://swamp.suse.de/webswamp/wf/61070
Comment 12 Leonardo Chiquitto 2015-04-28 19:43:46 UTC
Michael, we also had the fix for this bug in our planned updates list. Could you include it and resubmit? Thanks.
Comment 13 Michael Schröder 2015-04-29 09:48:59 UTC
Sure, sorry for missing this.
Comment 14 Sebastian Krahmer 2015-05-20 14:19:57 UTC
released
Comment 15 Swamp Workflow Management 2015-05-20 20:04:57 UTC
SUSE-SU-2015:0922-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 778508,855385
CVE References: CVE-2012-4428
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    openslp-1.2.0-172.24.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    openslp-1.2.0-172.24.1
SUSE Linux Enterprise Server 11 SP3 (src):    openslp-1.2.0-172.24.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    openslp-1.2.0-172.24.1