Bug 1055373 (CVE-2013-7298)

Summary: CVE-2013-7298 cxxtools: DoS via crafted HTTP query parameter
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mgansser
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cxxtools 2.2.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-24 16:51:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1055375    
Bug Blocks:    

Description Ratul Gupta 2014-01-20 06:26:56 UTC 
Cxxtools, a collection of general-purpose C++ classes, was found to be affected by a DoS vulnerability, where a remote attacker could DoS the server by sending a crafted HTTP query parameter containing two percent signs in a row, which would make the URL parsing to enter an infinite recursive loop, leading to a crash.

The issue is said to be fixed in cxxtools 2.2.1.

References:
http://seclists.org/oss-sec/2014/q1/112
http://www.tntnet.org/download/cxxtools-2.2.1/Releasenotes-2.2.1.html

Commit:
https://github.com/maekitalo/cxxtools/commit/142bb2589dc184709857c08c1e10570947c444e3
Comment 1 Ratul Gupta 2014-01-20 06:27:41 UTC 
Created cxxtools tracking bugs for this issue:

Affects: fedora-all [bug 1055375]
Comment 3 Fedora Update System 2014-01-29 03:14:52 UTC 
cxxtools-2.2.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 MartinKG 2014-06-24 16:51:29 UTC 
already fixed with cxxtools-2.2.1-1.fc20