fastd: CVE-2020-27638: DoS'able memory leak on invalid packets

Related Vulnerabilities: CVE-2020-27638  

Debian Bug report logs - #972521
Reported by: Sven Eckelmann <sven@narfation.org>

Date: Mon, 19 Oct 2020 20:30:01 UTC

Severity: important

Tags: security

Found in version fastd/17-4

Fixed in version fastd/21-1

Done: Sven Eckelmann <sven@narfation.org>

Report forwarded to debian-bugs-dist@lists.debian.org, Debian CommunityWLAN Team <team+communitywlan@tracker.debian.org>:
Bug#972521; Package fastd. (Mon, 19 Oct 2020 20:30:03 GMT).


Acknowledgement sent to Sven Eckelmann <sven@narfation.org>:
New Bug report received and forwarded. Copy sent to Debian CommunityWLAN Team <team+communitywlan@tracker.debian.org>. (Mon, 19 Oct 2020 20:30:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Sven Eckelmann <sven@narfation.org>
To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: fastd: DoS'able memory leak on invalid packets
Date: Mon, 19 Oct 2020 22:21:16 +0200
Package: fastd
Severity: important
Version: 17-4

fastd doesn't free receive buffers for invalid packets. This can lead to 
memory exhaustion or (with v20) to an assert. From the release text: 

    The new buffer management of fastd v20 revealed that received packets with an
    invalid type code were handled incorrectly, leaking the packet buffer. This led
    to an assertion failure as soon as the buffer pool was empty, crashing fastd.

    Older versions of fastd are affected as well, but display a different behaviour:
    instead of crashing, the buffer leaks will manifest as a regular memory leak.
    This can still be used for Denial of Service attacks, so a patch for older
    versions will be provided, for the case that users can't or do not want to
    update to a newer version yet.

The fix can also be found inside the attached mail.

Kind regards,
	Sven
[forwarded message (message/rfc822, inline)]
From: Matthias Schiffer <mschiffer@universe-factory.net>
To: "gluon@luebeck.freifunk.net" <gluon@luebeck.freifunk.net>
Subject: [gluon] [ANNOUNCE] fastd v21
Date: Mon, 19 Oct 2020 21:49:44 +0200
Faster than expected, there is a new release of fastd, fixing a critical
Denial of Service (fastd crash) vulnerability. All users of fastd v20 must
update.

In fastd v19 and older, the same vulnerability exists, but exploiting it
will cause a memory leak rather than an instant crash. Users that can't or
do not want to update to v21 yet should apply the patch that is attached to
this mail.

The release notes can be found at:

  https://fastd.readthedocs.io/en/stable/releases/v21.html

The new release can be obtained via Git from

  https://github.com/NeoRaider/fastd

or as a tarball:

  https://github.com/NeoRaider/fastd/releases/download/v21/fastd-21.tar.xz
  SHA256: 942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c

-- NeoRaider




[0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, attachment)]
[signature.asc (application/pgp-signature, inline)]
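
The leak described in the report above, modelled as an added example (not fastd's code and not the attached patch): a constructed fixed-size buffer pool whose receive handler either returns on an invalid type code with the buffer still allocated, or frees it first. The pool size, type codes and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define POOL_SIZE 8                        /* constructed: tiny pool, quick to exhaust */
enum { PKT_HANDSHAKE = 1, PKT_DATA = 2 };  /* hypothetical type codes */
typedef struct { uint8_t data[64]; int in_use; } buffer_t;
static buffer_t pool[POOL_SIZE];

static buffer_t *buf_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                /* pool empty: where the report says v20 asserts */
}
static void buf_free(buffer_t *b) { b->in_use = 0; }
int pool_outstanding(void) {    /* buffers currently not returned to the pool */
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += pool[i].in_use;
    return n;
}

/* Receive path: every exit must free the buffer or pass ownership on. */
static void handle_packet(buffer_t *b, int fixed) {
    switch (b->data[0]) {
    case PKT_HANDSHAKE: case PKT_DATA:
        buf_free(b);            /* stand-in for handlers that consume the buffer */
        break;
    default:                    /* invalid type code */
        if (fixed)
            buf_free(b);        /* fixed: drop the packet and release its buffer */
        break;                  /* leaky: returns with the buffer still allocated */
    }
}

/* Receive n packets with first byte `type`; returns how many were accepted before the pool ran dry. */
int receive_n(int n, uint8_t type, int fixed) {
    for (int i = 0; i < POOL_SIZE; i++) pool[i].in_use = 0;
    for (int i = 0; i < n; i++) {
        buffer_t *b = buf_alloc();
        if (!b) return i;
        b->data[0] = type;
        handle_packet(b, fixed);
    }
    return n;
}

int main(void) {
    printf("leaky: %d/100 fixed: %d/100\n", receive_n(100, 0xff, 0), receive_n(100, 0xff, 1));
    return 0;
}
```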

Reply sent to Sven Eckelmann <sven@narfation.org>:
You have taken responsibility. (Mon, 19 Oct 2020 21:03:16 GMT).


Notification sent to Sven Eckelmann <sven@narfation.org>:
Bug acknowledged by developer. (Mon, 19 Oct 2020 21:03:16 GMT).


Message #10 received at 972521-done@bugs.debian.org:

From: Sven Eckelmann <sven@narfation.org>
To: 972521-done@bugs.debian.org
Subject: Re: Bug#972521: fastd: DoS'able memory leak on invalid packets
Date: Mon, 19 Oct 2020 22:51:09 +0200
Source: fastd
Source-Version: 21-1
Done: Sven Eckelmann <sven@narfation.org>

[forwarded message (message/rfc822, inline)]
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: debian-devel-changes@lists.debian.org
Subject: Accepted fastd 21-1 (source) into unstable
Date: Mon, 19 Oct 2020 20:35:41 +0000
Format: 1.8
Date: Mon, 19 Oct 2020 21:47:58 +0200
Source: fastd
Architecture: source
Version: 21-1
Distribution: unstable
Urgency: high
Maintainer: Debian CommunityWLAN Team <team+communitywlan@tracker.debian.org>
Changed-By: Sven Eckelmann <sven@narfation.org>
Changes:
 fastd (21-1) unstable; urgency=high
 .
   * New Upstream Version
     - Fix crash (assert) when receiving too many invalid packets

Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 22 Oct 2020 07:09:02 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian CommunityWLAN Team <team+communitywlan@tracker.debian.org>:
Bug#972521; Package fastd. (Thu, 22 Oct 2020 12:42:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CommunityWLAN Team <team+communitywlan@tracker.debian.org>. (Thu, 22 Oct 2020 12:42:02 GMT).


Message #17 received at 972521@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sven Eckelmann <sven@narfation.org>, 972521@bugs.debian.org
Subject: Re: Bug#972521: fastd: DoS'able memory leak on invalid packets
Date: Thu, 22 Oct 2020 14:39:02 +0200
Control: retitle -1 fastd: CVE-2020-27638: DoS'able memory leak on invalid packets 

On Mon, Oct 19, 2020 at 10:21:16PM +0200, Sven Eckelmann wrote:
> Package: fastd
> Severity: important
> Version: 17-4
> 
> fastd doesn't free receive buffers for invalid packets. This can lead to 
> memory exhaustion or (with v20) to an assert. From the release text: 
> 
>     The new buffer management of fastd v20 revealed that received packets with an
>     invalid type code were handled incorrectly, leaking the packet buffer. This led
>     to an assertion failure as soon as the buffer pool was empty, crashing fastd.
> 
>     Older versions of fastd are affected as well, but display a different behaviour:
>     instead of crashing, the buffer leaks will manifest as a regular memory leak.
>     This can still be used for Denial of Service attacks, so a patch for older
>     versions will be provided, for the case that users can't or do not want to
>     update to a newer version yet.
> 
> The fix can also be found inside the attached mail.

CVE-2020-27638 was assigned for this issue.

Regards,
Salvatore



Changed Bug title to 'fastd: CVE-2020-27638: DoS'able memory leak on invalid packets' from 'fastd: DoS'able memory leak on invalid packets'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 972521-submit@bugs.debian.org. (Thu, 22 Oct 2020 12:42:02 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 16 09:51:31 2020; Machine Name: buxtehude
