Bug 1199925 (CVE-2015-1783)

Summary: CVE-2015-1783 lasso: use of uninitialized value leading to a crash
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rcritten, scorneli, security-response-team, ssorce
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-27 08:13:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1200085    
Bug Blocks: 1199930    
Attachments:
Description Flags
proposed patch for lasso none

Description Martin Prpič 2015-03-09 09:50:03 UTC 
An uninitialized data structure flaw was found in lasso, a library that implements SSO standards. A remote attacker could potentially use this flaw to crash an application using the lasso library.

The lasso library is used by ipsilon and mod_auth_mellon.

Acknowledgements:

This issue was discovered by Rob Crittenden of Red Hat.
Comment 1 Martin Prpič 2015-03-09 16:32:33 UTC 
Created attachment 999630 [details]
proposed patch for lasso
Comment 2 Martin Prpič 2015-03-09 16:36:42 UTC 
Created lasso tracking bugs for this issue:

Affects: fedora-all [bug 1200085]
Comment 4 Rob Crittenden 2015-03-10 16:21:21 UTC 
Not sure how I didn't notice this before but this is already fixed upstream in master, https://repos.entrouvert.org/lasso.git/commit/lasso/xml?id=6d854cef4211cdcdbc7446c978f23ab859847cdd
Comment 5 Fedora Update System 2015-04-06 08:33:16 UTC 
lasso-2.4.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-04-06 08:36:23 UTC 
lasso-2.4.1-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-04-21 19:07:12 UTC 
lasso-2.4.1-3.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.