libevent: CVE-2014-6272: potential heap overflow in buffer/bufferevent APIs

Related Vulnerabilities: CVE-2014-6272  

Debian Bug report logs - #774645

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 5 Jan 2015 17:51:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libevent/1.4.13-stable-1

Fixed in versions libevent/2.0.19-stable-3+deb7u1, libevent/2.0.21-stable-2, libevent/1.4.13-stable-1+deb6u1

Done: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774645; Package src:libevent. (Mon, 05 Jan 2015 17:51:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>. (Mon, 05 Jan 2015 17:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libevent: CVE-2014-6272: potential heap overflow in buffer/bufferevent APIs
Date: Mon, 05 Jan 2015 18:49:12 +0100
Source: libevent
Version: 1.4.13-stable-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for libevent.

CVE-2014-6272[0]:
potential heap overflow in buffer/bufferevent APIs

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Upstream patches are found in [1], [2] and [3].

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-6272
[1] http://archives.seul.org/libevent/users/Jan-2015/msg00011.html
    https://github.com/libevent/libevent/commit/841ecbd96105c84ac2e7c9594aeadbcc6fb38bc4 (2.1)
[2] http://archives.seul.org/libevent/users/Jan-2015/msg00012.html
    https://github.com/libevent/libevent/commit/20d6d4458bee5d88bda1511c225c25b2d3198d6c (2.0)
[3] http://archives.seul.org/libevent/users/Jan-2015/msg00013.html
    https://github.com/libevent/libevent/commit/7b21c4eabf1f3946d3f63cce1319c490caab8ecf (1.4)

(FYI, I have already prepared an update for wheezy-security with the
upstream patch).

Regards,
Salvatore



Marked as fixed in versions libevent/2.0.19-stable-3+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Jan 2015 07:45:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774645; Package src:libevent. (Wed, 07 Jan 2015 12:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 07 Jan 2015 12:12:04 GMT)


Message #12 received at 774645@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 774645@bugs.debian.org
Subject: Re: Bug#774645: libevent: CVE-2014-6272: potential heap overflow in buffer/bufferevent APIs
Date: Wed, 7 Jan 2015 13:10:51 +0100
Control: tags -1 + patch

Hi Anibal,

Please find attached debdiff for unstable. I have *not* uploaded it to
any delayed queue so far. Are you working on the update yourself?

Regards,
Salvatore
[libevent_2.0.21-stable-1.2.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774645; Package src:libevent. (Wed, 07 Jan 2015 12:21:05 GMT)


Acknowledgement sent to Aníbal Monsalve Salazar <anibal@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 07 Jan 2015 12:21:05 GMT)


Message #17 received at 774645@bugs.debian.org:

From: Aníbal Monsalve Salazar <anibal@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 774645@bugs.debian.org
Subject: Re: Bug#774645: libevent: CVE-2014-6272: potential heap overflow in buffer/bufferevent APIs
Date: Wed, 7 Jan 2015 23:18:15 +1100
On Wed, 2015-01-07 13:10:51 +0100, Salvatore Bonaccorso wrote:
> 
> Please find attached debdiff for unstable. I have *not* uploaded it to
> any delayed queue so far. Are you working on the update yourself?

Hello Salvatore,

I'm about to upload a package with the fix. Before the upload, I'll
compare my debdiff with yours.

Thank you,

Aníbal

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#774645; Package src:libevent. (Wed, 07 Jan 2015 12:24:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 07 Jan 2015 12:24:05 GMT)


Message #22 received at 774645@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Aníbal Monsalve Salazar <anibal@debian.org>
Cc: 774645@bugs.debian.org
Subject: Re: Bug#774645: libevent: CVE-2014-6272: potential heap overflow in buffer/bufferevent APIs
Date: Wed, 7 Jan 2015 13:21:11 +0100

Hi Anibal,

On Wed, Jan 07, 2015 at 11:18:15PM +1100, Aníbal Monsalve Salazar wrote:
> On Wed, 2015-01-07 13:10:51 +0100, Salvatore Bonaccorso wrote:
> > 
> > Please find attached debdiff for unstable. I have *not* uploaded it to
> > any delayed queue so far. Are you working on the update yourself?
> 
> Hello Salvatore,
> 
> I'm about to upload a package with the fix. Before the upload, I'll
> compare my debdiff with yours.

Ok, that is great, thank you!

Regards,
Salvatore



Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Wed, 07 Jan 2015 12:51:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 07 Jan 2015 12:51:12 GMT)


Message #27 received at 774645-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 774645-close@bugs.debian.org
Subject: Bug#774645: fixed in libevent 2.0.21-stable-2
Date: Wed, 07 Jan 2015 12:49:01 +0000
Source: libevent
Source-Version: 2.0.21-stable-2

We believe that the bug you reported is fixed in the latest version of
libevent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774645@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libevent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 07 Jan 2015 11:33:15 +0000
Source: libevent
Binary: libevent-dev libevent-dbg libevent-2.0-5 libevent-core-2.0-5 libevent-extra-2.0-5 libevent-pthreads-2.0-5 libevent-openssl-2.0-5
Architecture: source mips
Version: 2.0.21-stable-2
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description:
 libevent-2.0-5 - Asynchronous event notification library
 libevent-core-2.0-5 - Asynchronous event notification library (core)
 libevent-dbg - Asynchronous event notification library (debug symbols)
 libevent-dev - Asynchronous event notification library (development files)
 libevent-extra-2.0-5 - Asynchronous event notification library (extra)
 libevent-openssl-2.0-5 - Asynchronous event notification library (openssl)
 libevent-pthreads-2.0-5 - Asynchronous event notification library (pthreads)
Closes: 774645
Changes:
 libevent (2.0.21-stable-2) unstable; urgency=high
 .
   * Fix CVE-2014-6272: potential heap overflow in buffer/bufferevent APIs.
     Add upstream patch: 20d6d445.patch.
     Closes: #774645.
   * Don't use deprecated compression for data tarball.
     Use default compression for data tarball.




Reply sent to Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>:
You have taken responsibility. (Mon, 26 Jan 2015 10:36:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 26 Jan 2015 10:36:11 GMT)


Message #32 received at 774645-close@bugs.debian.org:

From: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>
To: 774645-close@bugs.debian.org
Subject: Bug#774645: fixed in libevent 1.4.13-stable-1+deb6u1
Date: Mon, 26 Jan 2015 10:33:25 +0000
Source: libevent
Source-Version: 1.4.13-stable-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
libevent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774645@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com> (supplier of updated libevent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 13 Jan 2015 16:00:14 +0700
Source: libevent
Binary: libevent-dev libevent-1.4-2 libevent-core-1.4-2 libevent-extra-1.4-2
Architecture: source amd64
Version: 1.4.13-stable-1+deb6u1
Distribution: squeeze-lts
Urgency: low
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>
Description:
 libevent-1.4-2 - An asynchronous event notification library
 libevent-core-1.4-2 - An asynchronous event notification library (core)
 libevent-dev - Development libraries, header files and docs for libevent
 libevent-extra-1.4-2 - An asynchronous event notification library (extra)
Closes: 774645
Changes:
 libevent (1.4.13-stable-1+deb6u1) squeeze-lts; urgency=low
 .
   * Non-maintainer upload by the Debian LTS team.
   * Fix potential heap overflow in buffer/bufferevent APIs reported in
     CVE-2014-6272 by applying the upstream-provided patch:
     https://github.com/libevent/libevent/commit/7b21c4eabf1f3946d3f63cce1319c490caab8ecf
     Closes: #774645




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:49:55 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:16:07 2019; Machine Name: buxtehude