openslp-dfsg: CVE-2012-4428

Debian Bug report logs - #687597


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 14 Sep 2012 06:21:02 UTC

Severity: important

Tags: security

Fixed in version openslp-dfsg/1.2.1-10

Done: Guillem Jover <guillem@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#687597; Package openslp-dfsg. (Fri, 14 Sep 2012 06:21:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>. (Fri, 14 Sep 2012 06:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openslp-dfsg: CVE-2012-4428
Date: Fri, 14 Sep 2012 08:15:57 +0200
Package: openslp-dfsg
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=857242.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, elbrus@debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#687597; Package openslp-dfsg. (Wed, 17 Oct 2012 13:36:06 GMT)

Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to elbrus@debian.org, Debian QA Group <packages@qa.debian.org>. (Wed, 17 Oct 2012 13:36:06 GMT)

Message #10 received at 687597@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: Debian Bug Tracking System <687597@bugs.debian.org>
Subject: openslp-dfsg: touch bug CVE-2012-4428
Date: Wed, 17 Oct 2012 15:33:01 +0200
Package: openslp-dfsg
Followup-For: Bug #687597

As far as I can tell, no solution known yet, on 17 October 2012, 15:28 +0200.

While going through Debian QA group owned RC bugs, I touched on this bug.

http://security-tracker.debian.org/tracker/CVE-2012-4428




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#687597; Package openslp-dfsg. (Sat, 05 Jan 2013 20:03:03 GMT)

Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 05 Jan 2013 20:03:03 GMT)

Message #15 received at 687597@bugs.debian.org:

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: Paul Gevers <elbrus@debian.org>
Cc: 687597@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: openslp-dfsg: touch bug CVE-2012-4428
Date: Sat, 5 Jan 2013 21:01:45 +0100
Hi,

there has also been an upstream bug report filed [1].

Might be reasonable to check back there from time to time. No patch
yet, unfortunately.

Cheers,

Adrian

[1] http://sourceforge.net/p/openslp/bugs/122/

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#687597; Package openslp-dfsg. (Sun, 27 Jan 2013 11:27:03 GMT)

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sun, 27 Jan 2013 11:27:03 GMT)

Message #20 received at 687597@bugs.debian.org:

From: Steve McIntyre <steve@einval.com>
To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, 687597@bugs.debian.org
Cc: Paul Gevers <elbrus@debian.org>, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#687597: openslp-dfsg: touch bug CVE-2012-4428
Date: Sun, 27 Jan 2013 11:21:32 +0000
severity 687597 important
thanks

On Sat, Jan 05, 2013 at 09:01:45PM +0100, John Paul Adrian Glaubitz wrote:
>Hi,
>
>there has also been an upstream bug report filed [1].
>
>Might be reasonable to check back there from time to time. No patch
>yet, unfortunately.

I had a look at this yesterday. The buffer-handling in libslp *looks*
suspect to me (in terms of tracking lengths of text fields etc.), but
I can't see an easy way to reproduce the bug here to verify my
suspicions. I've followed up on the upstream bug to ask about this.

In the meantime, even if the code looks dodgy I *don't* see it as
being particularly likely to be exploitable, more a DoS at worst, and
only on a local-network basis rather than truly remote. I'm dropping
severity from grave accordingly - feel free to re-raise if you think
I'm wrong.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"C++ ate my sanity" -- Jon Rabone




Severity set to 'important' from 'grave'. Request was from Steve McIntyre <steve@einval.com> to control@bugs.debian.org. (Sun, 27 Jan 2013 11:27:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#687597; Package openslp-dfsg. (Fri, 25 Jul 2014 17:03:10 GMT)

Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Fri, 25 Jul 2014 17:03:10 GMT)

Message #27 received at 687597@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Steve McIntyre <steve@einval.com>, 687597@bugs.debian.org
Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, Paul Gevers <elbrus@debian.org>, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#687597: openslp-dfsg: touch bug CVE-2012-4428
Date: Fri, 25 Jul 2014 19:02:03 +0200
Control: severity -1 important

Hi!

On Sun, 2013-01-27 at 11:21:32 +0000, Steve McIntyre wrote:
> severity 687597 important
> thanks

(Didn't seem to take effect, I assume missing control@b.d.o Bcc.)

> On Sat, Jan 05, 2013 at 09:01:45PM +0100, John Paul Adrian Glaubitz wrote:
> > there has also been an upstream bug report filed [1].
> >
> > Might be reasonable to check back there from time to time. No patch
> > yet, unfortunately.
> 
> I had a look at this yesterday. The buffer-handling in libslp *looks*
> suspect to me (in terms of tracking lengths of text fields etc.), but
> I can't see an easy way to reproduce the bug here to verify my
> suspicions. I've followed up on the upstream bug to ask about this.
> 
> In the meantime, even if the code looks dodgy I *don't* see it as
> being particularly likely to be exploitable, more a DoS at worst, and
> only on a local-network basis rather than truly remote. I'm dropping
> severity from grave accordingly - feel free to re-raise if you think
> I'm wrong.

I was preparing a QA upload, and took a stab at this. Here's the patch
I'm going to include. It seems pretty clear that if the previous to last
character in the string-list is '\\' then the string-list handling
functions will keep going, when they probably should only have done so
on escaped ','.

Although I've only code-stared at the issue, and my later few attempts
to reproduce this have been unsuccessful, I have to confess I've not
tried very hard. Given this I'm a bit hesitant to close this bug with
the upload, but I guess I'll do so if I don't hear complaints, in a
couple of days. :)

If any of you could either test or review this, that would be much
appreciated!

Thanks,
Guillem
[CVE-2012-4428.patch (text/x-diff, attachment)]

Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Tue, 29 Jul 2014 21:51:19 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 29 Jul 2014 21:51:19 GMT)

Message #32 received at 687597-close@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: 687597-close@bugs.debian.org
Subject: Bug#687597: fixed in openslp-dfsg 1.2.1-10
Date: Tue, 29 Jul 2014 21:49:53 +0000
Source: openslp-dfsg
Source-Version: 1.2.1-10

We believe that the bug you reported is fixed in the latest version of
openslp-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 687597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated openslp-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 25 Jul 2014 16:57:05 +0200
Source: openslp-dfsg
Binary: libslp1 libslp-dev slpd slptool openslp-doc
Architecture: source all amd64
Version: 1.2.1-10
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
 libslp-dev - OpenSLP development files
 libslp1    - OpenSLP shared library
 openslp-doc - OpenSLP documentation
 slpd       - OpenSLP server (slpd)
 slptool    - OpenSLP command line tool
Closes: 687597 755935
Changes:
 openslp-dfsg (1.2.1-10) unstable; urgency=low
 .
   * QA upload.
   * Bump Standards-Version to 3.9.5 (no changes needed).
   * Bump debhelper compatibility level to 9.
   * Switch to machine-parseable copyright format.
   * Reorder binary package stanzas in debian/control.
   * Split common and specific package descriptions into distinct paragraphs
     so that translations are easier.
   * Reword package summaries.
   * Mark slpd and slptool as Multi-Arch:foreign, libslp1 and libslp-dev as
     Multi-Arch:same. Closes: #755935
   * Clean up debian/rules:
     - Explicitly set DEB_HOST_GNU_TYPE.
     - Remove unused DEB_BUILD_GNU_SYSTEM and DEB_BUILD_GNU_CPU assignments.
     - Remove commented out debhelper commands.
     - Do not pass any argument to update-rc.d via dh_installinit.
     - Pass --host and --build to configure only when cross-compiling.
     - Pass --disable-silent-rules to configure, preemptively.
     - Enable hardening build flags.
   * Clean up init script:
    - Update LSB header descriptions.
    - Add LSB status action support.
    - Rename debian/init.d to debian/slpd.init.
    - Add new PIDFILE variable.
   * Remove unnecessary debian/dirs, dh_installinit takes care of creating the
     etc/init.d directory.
   * Remove debian/preinst, as it was wrongly using start-stop-daemon directly,
     and invoke-rc.d is already being injected by debhelper to stop the daemon
     on upgrade.
   * Remove «set -x» from slpd postinst.
   * Namespace stray debhelper files with «slpd.» in debian/ filenames.
   * Remove trailing spaces from debian/ files.
   * Change the libcrypto configure-time checks conditional on whether it is
     going to be used at build time, so that we can remove the libssl-dev
     Build-Conflicts.
   * Add a debian/watch file.
   * Add a basic symbols file for libslp1.
   * Fix a typo in slptool's program output message.
   * Fix a typo in an automake conditional in the code, that was not properly
     disabling the code (ENABLE_SLPV2_SECURITY → ENABLE_SLPv2_SECURITY).
   * Fix handling of string-list in common/slp_common.c by not increasing
     the item pointer past the string-list pointer, and letting '\\' only
     escape the item separator ','. Although not reproduced it should in
     theory fix CVE-2012-4428. Closes: #687597


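Guillem's message and the changelog entry above describe the same two corrections to the string-list handling: the item pointer must never be advanced past the end of the string-list, and '\\' should escape only the ',' separator. As an added example (not OpenSLP's code and not the patch attached to the bug; the function names and the assumption that the list is a plain byte string with a known length are mine), here is a bounded string-list scanner in C that applies both rules and so stays inside the buffer even when the second to last character is a backslash.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not OpenSLP code. An SLP string-list is ','-separated and
 * '\' escapes the separator. The defect pattern described in the bug is a
 * scanner that skips the character after every '\' without checking it is
 * still inside the list, so a '\' as the second to last character pushes
 * the cursor past the end and the loop keeps reading. This scanner never
 * advances past list + listlen and only lets '\' escape ','.
 * slp_strlist_next fetches the item at *pos: returns 1 and sets *item (not
 * NUL terminated) and *itemlen, or 0 once the list is exhausted. Empty
 * items (",," or a trailing ',') are reported with itemlen == 0. */
static int slp_strlist_next(const char *list, size_t listlen, size_t *pos,
                            const char **item, size_t *itemlen)
{
    size_t start = *pos, i = start;
    if (listlen == 0 || start > listlen)   /* empty list or past the end */
        return 0;
    while (i < listlen) {
        /* Only "\," is an escape, and only if the ',' is still inside the
         * list; a lone trailing '\' is an ordinary literal character. */
        if (list[i] == '\\' && i + 1 < listlen && list[i + 1] == ',') {
            i += 2;
            continue;
        }
        if (list[i] == ',')
            break;
        i++;
    }
    *item = list + start;
    *itemlen = i - start;
    *pos = (i < listlen) ? i + 1 : listlen + 1;   /* listlen + 1: exhausted */
    return 1;
}

/* Number of items in a NUL-terminated string-list. */
size_t slp_strlist_count(const char *list)
{
    size_t n = 0, pos = 0, len;
    const char *item;
    while (slp_strlist_next(list, strlen(list), &pos, &item, &len))
        n++;
    return n;
}

/* Does the string-list contain exactly 'needle' (escapes compared as-is)? */
int slp_strlist_contains(const char *list, const char *needle)
{
    size_t pos = 0, len, nlen = strlen(needle);
    const char *item;
    while (slp_strlist_next(list, strlen(list), &pos, &item, &len))
        if (len == nlen && memcmp(item, needle, len) == 0)
            return 1;
    return 0;
}
```

The cases worth exercising are a list ending in a single backslash and one where the backslash escapes the last comma: in both the scan stops at the list length instead of walking on.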



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#687597; Package openslp-dfsg. (Wed, 30 Jul 2014 11:42:18 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 30 Jul 2014 11:42:18 GMT)

Message #37 received at 687597@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 687597@bugs.debian.org
Subject: Re: openslp-dfsg: CVE-2012-4428
Date: Wed, 30 Jul 2014 11:15:02 -0000
Package: openslp-dfsg

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.8) - use target "oldstable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/687597/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 06 Sep 2014 07:35:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:38:38 2019; Machine Name: buxtehude
