Message-ID: <53609C06.8010809@redhat.com>
Date: Wed, 30 Apr 2014 16:45:26 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: possible miniupnpc buffer overflow

Good morning,

It was pointed out in https://bugzilla.redhat.com/show_bug.cgi?id=1085618
that miniupnpc version 1.9 fixes a possible buffer overflow:

https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9

I am not familiar with the code but it may be just a crash, with an
invalid read here (on line 131):

129         /* parse header lines */
130         for(i = 0; i < endofheaders - 1; i++) {
131                 if(colon <= linestart && header_buf[i]==':')

Can a CVE be assigned if one has not been already?

On a related note, I'm not sure if there are other issues close by. For
example, in version 1.9, miniwget.c:

172         /* copy the remaining of the received data back to buf */
173         n = header_buf_used - endofheaders;
174         memcpy(buf, header_buf + endofheaders, n);

n and endofheaders are signed ints, and header_buf_used is unsigned.
Mixing the types together (and the signed int in the memcpy) may warrant
further investigation.

Cheers,

--
Murray McAllister / Red Hat Security Response Team
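The type mix raised for lines 172-174, as an added example that is not part of the original message and is not miniupnpc code: it shows what length memcpy() receives when the int difference goes negative, next to a bounds-checked copy. The function names, the buf_size parameter and the sample values are hypothetical and constructed; whether such values are reachable in miniwget.c is not established by the message.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Type mix from the quoted lines 172-174: unsigned minus signed int, stored
 * in a signed int, then passed to memcpy(), whose length parameter is size_t.
 * Returns the length memcpy() would be handed. */
size_t unchecked_copy_len(unsigned int header_buf_used, int endofheaders)
{
    /* Subtraction is done in unsigned arithmetic; the out-of-range result is
     * narrowed to int (implementation-defined; wraps on gcc and clang). */
    int n = (int)(header_buf_used - endofheaders);
    return (size_t)n; /* a negative n becomes a very large size_t */
}

/* Hypothetical checked replacement: validates the offsets and the destination
 * size before copying. Returns bytes copied, or -1 on inconsistent input. */
int copy_remaining(char *buf, size_t buf_size, const char *header_buf,
                   unsigned int header_buf_used, int endofheaders)
{
    size_t n;

    if (endofheaders < 0 || (unsigned int)endofheaders > header_buf_used)
        return -1; /* offset lies outside the received data */
    n = (size_t)header_buf_used - (size_t)endofheaders;
    if (n > buf_size || n > INT_MAX)
        return -1; /* would overflow buf or the int return value */
    memcpy(buf, header_buf + endofheaders, n);
    return (int)n;
}

int main(void)
{
    /* Constructed sample: 7 bytes of headers followed by a 4-byte body. */
    const char header_buf[] = "HDR\r\n\r\nBODY";
    char buf[8];

    printf("consistent offsets: copied %d\n",
           copy_remaining(buf, sizeof buf, header_buf, 11, 7));
    printf("offset past data:   checked %d, unchecked length %zu\n",
           copy_remaining(buf, sizeof buf, header_buf, 11, 20),
           unchecked_copy_len(11, 20));
    return 0;
}
```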