Bug 1173605

Summary: libhtp: denial of service with specific packets
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: athmanem, bochecha, jrusnack, sgrubb
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libhtp 0.5.16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-17 23:08:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1173607, 1173608, 1173610    
Bug Blocks: 1180487    

Description Vasyl Kaigorodov 2014-12-12 14:00:48 UTC 
It was reported [1] that libhtp handling of streams in error state could lead to NULL pointer dereference, leading to caller crash.
Suricata (Intrusion Detection System) embeds libhtp, and is one of the affected components [2].

[1]: https://github.com/OISF/libhtp/pull/82
[2]: https://redmine.openinfosecfoundation.org/issues/1272
Comment 1 Vasyl Kaigorodov 2014-12-12 14:04:30 UTC 
Created suricata tracking bugs for this issue:

Affects: fedora-all [bug 1173607]
Comment 2 Vasyl Kaigorodov 2014-12-12 14:04:32 UTC 
Created libhtp tracking bugs for this issue:

Affects: fedora-all [bug 1173608]
Affects: epel-6 [bug 1173610]
Comment 3 Mathieu Bridon 2014-12-12 14:11:49 UTC 
Given that this is fixed in 0.5.16, I guess I can just push an update for it in Rawhide and F21.

However, we need to check whether there were API/ABI breaks between 0.5.15 and 0.5.16, and if there were, maybe we should just backport the patch for F20 et EPEL6?

In any case, I'll look at upgrading F21+ right away.
Comment 4 Mathieu Bridon 2015-01-01 16:13:10 UTC 
Updates have been submitted almost 3 weeks ago.

Can I get an ACK from the security team, that they do fix the reported vulnerability?
Comment 5 Vasyl Kaigorodov 2015-01-09 16:49:12 UTC 
*** Bug 1180487 has been marked as a duplicate of this bug. ***
Comment 6 Fedora Update System 2015-01-19 01:34:19 UTC 
libhtp-0.5.16-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-01-19 01:35:43 UTC 
libhtp-0.5.6-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-01-24 18:47:28 UTC 
libhtp-0.5.16-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2015-01-28 19:53:34 UTC 
suricata-2.0.6-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Mathieu Bridon 2015-02-27 03:13:38 UTC 
*** Bug 1180488 has been marked as a duplicate of this bug. ***
Comment 11 Mathieu Bridon 2015-02-27 03:14:06 UTC 
*** Bug 1180489 has been marked as a duplicate of this bug. ***