Bug 1256797 (CVE-2015-6525)

Summary: CVE-2015-6525 libevent: multiple integer overflows in the evbuffer APIs
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: jrusnack, slong, steved
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libevent 1.4.15, libevent 2.0.22, libevent 2.1.5
Doc Type: Bug Fix
Doc Text:
Multiple integer overflow flaws were found in libevent's evbuffer API. An attacker able to make an application pass an excessively long input to libevent using the API could use these flaws to make the application enter an infinite loop, crash, or possibly execute arbitrary code.
Last Closed: 2019-06-08 02:43:17 UTC
Bug Depends On: 1178963, 1256804    
Bug Blocks: 1256801    

Description Adam Mariš 2015-08-25 13:05:33 UTC
Multiple integer overflows in the evbuffer API in Libevent 2.0.x before 2.0.22 and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the:

(1) evbuffer_add, 
(2) evbuffer_prepend, 
(3) evbuffer_expand, 
(4) evbuffer_reserve_space, or
(5) evbuffer_read function, 

which triggers a heap-based buffer overflow or an infinite loop. 

NOTE: this identifier was SPLIT from CVE-2014-6272 per ADT3 due to different affected versions.

References:

http://archives.seul.org/libevent/users/Jan-2015/msg00010.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6525
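
The two outcomes named in the description (heap-based buffer overflow and infinite loop) both follow from unchecked size arithmetic. The sketch below is an added example, not libevent's code and not part of the original report; `naive_need`, `grow_capacity`, `MIN_CAPACITY` and `MAX_CAPACITY` are hypothetical names, and the doubling growth policy is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; none of this is libevent code. */
#define MIN_CAPACITY 256u
#define MAX_CAPACITY (SIZE_MAX / 2)   /* assumed policy cap for this example */

/* Unchecked sum: for a huge `add` the result wraps to a small value, so
 * the caller allocates too little and the following copy overruns the
 * heap block. */
size_t naive_need(size_t used, size_t add)
{
    return used + add;
}

/* Checked growth for a buffer that doubles its capacity. Stores the new
 * capacity in *out and returns 0, or returns -1 if the request is too
 * large to represent safely. */
int grow_capacity(size_t cap, size_t used, size_t add, size_t *out)
{
    /* Reject before adding, so `used + add` can never wrap. */
    if (used > MAX_CAPACITY || add > MAX_CAPACITY - used)
        return -1;

    size_t need = used + add;
    size_t len = cap < MIN_CAPACITY ? MIN_CAPACITY : cap;

    /* An unchecked `len <<= 1` wraps to 0 once len exceeds SIZE_MAX / 2,
     * and `while (len < need)` then never terminates. Here need is at
     * most MAX_CAPACITY, so len reaches it before it can wrap. */
    while (len < need)
        len <<= 1;

    *out = len;
    return 0;
}

int main(void)
{
    size_t out = 0;
    size_t huge = SIZE_MAX - 7;       /* constructed oversized input length */

    printf("naive need:   %zu\n", naive_need(16, huge));
    printf("checked grow: %d\n", grow_capacity(256, 16, huge, &out));
    if (grow_capacity(256, 100, 1000, &out) == 0)
        printf("normal grow:  %zu\n", out);
    return 0;
}
```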

Comment 1 Adam Mariš 2015-08-25 13:23:05 UTC
Created libevent tracking bugs for this issue:

Affects: fedora-all [bug 1256804]

Comment 2 Tomas Hoger 2015-12-01 12:59:03 UTC
These issues were already investigated as part of CVE-2014-6272 (see bug 1144646), from which this CVE was split out. There is no new issue under this new CVE, only some issues that were originally tracked under CVE-2014-6272 now have a separate id. This CVE-2015-6525 only covers issues in APIs only available in libevent 2.0 and later.