Bug 1572166 (CVE-2017-17833)
| Summary: | CVE-2017-17833 openslp: Heap memory corruption in slpd/slpd_process.c allows denial of service or potentially code execution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | scorneli, security-response-team, sfowler, vcrhonek, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A use-after-free flaw in OpenSLP 1.x and 2.x baselines was discovered in the ProcessSrvRqst function. A failure to update a local pointer may lead to heap corruption. A remote attacker may be able to leverage this flaw to gain remote code execution.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:20:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1572167, 1575697, 1575698, 1575699, 1597725 | ||
| Bug Blocks: | 1572168 | ||
|
Description
Adam Mariš
2018-04-26 10:01:34 UTC
Created openslp tracking bugs for this issue: Affects: fedora-all [bug 1572167] Reproducible now. See: https://dumpco.re/blog/openslp-2.0.0-double-free Re-opened this flaw to work on it a bit more. [root@qeos-8 openslp-2.0.0]# slpd -d *** Error in `slpd': double free or corruption (fasttop): 0x0000556d19e43ff0 *** ======= Backtrace: ========= /lib64/libc.so.6(+0x81489)[0x7fd1ae42d489] slpd(+0x10b41)[0x556d18687b41] slpd(+0xccba)[0x556d18683cba] slpd(+0x3313)[0x556d1867a313] /lib64/libc.so.6(__libc_start_main+0xf5)[0x7fd1ae3ce3d5] slpd(+0x355e)[0x556d1867a55e] ======= Memory map: ======== 556d18677000-556d1869a000 r-xp 00000000 fd:01 6329358 /usr/sbin/slpd 556d18899000-556d1889a000 r--p 00022000 fd:01 6329358 /usr/sbin/slpd 556d1889a000-556d1889b000 rw-p 00023000 fd:01 6329358 /usr/sbin/slpd 556d19e3b000-556d19e5c000 rw-p 00000000 00:00 0 [heap] 7fd1a8000000-7fd1a8021000 rw-p 00000000 00:00 0 7fd1a8021000-7fd1ac000000 ---p 00000000 00:00 0 7fd1adf83000-7fd1adf98000 r-xp 00000000 fd:01 6291531 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 7fd1adf98000-7fd1ae197000 ---p 00015000 fd:01 6291531 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 7fd1ae197000-7fd1ae198000 r--p 00014000 fd:01 6291531 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 7fd1ae198000-7fd1ae199000 rw-p 00015000 fd:01 6291531 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 7fd1ae199000-7fd1ae1a5000 r-xp 00000000 fd:01 6341868 /usr/lib64/libnss_files-2.17.so 7fd1ae1a5000-7fd1ae3a4000 ---p 0000c000 fd:01 6341868 /usr/lib64/libnss_files-2.17.so 7fd1ae3a4000-7fd1ae3a5000 r--p 0000b000 fd:01 6341868 /usr/lib64/libnss_files-2.17.so 7fd1ae3a5000-7fd1ae3a6000 rw-p 0000c000 fd:01 6341868 /usr/lib64/libnss_files-2.17.so 7fd1ae3a6000-7fd1ae3ac000 rw-p 00000000 00:00 0 7fd1ae3ac000-7fd1ae56e000 r-xp 00000000 fd:01 6341850 /usr/lib64/libc-2.17.so 7fd1ae56e000-7fd1ae76e000 ---p 001c2000 fd:01 6341850 /usr/lib64/libc-2.17.so 7fd1ae76e000-7fd1ae772000 r--p 001c2000 fd:01 6341850 /usr/lib64/libc-2.17.so 7fd1ae772000-7fd1ae774000 rw-p 001c6000 fd:01 6341850 /usr/lib64/libc-2.17.so 7fd1ae774000-7fd1ae779000 rw-p 00000000 00:00 0 7fd1ae779000-7fd1ae78f000 r-xp 00000000 fd:01 6341878 /usr/lib64/libresolv-2.17.so 7fd1ae78f000-7fd1ae98e000 ---p 00016000 fd:01 6341878 /usr/lib64/libresolv-2.17.so 7fd1ae98e000-7fd1ae98f000 r--p 00015000 fd:01 6341878 /usr/lib64/libresolv-2.17.so 7fd1ae98f000-7fd1ae990000 rw-p 00016000 fd:01 6341878 /usr/lib64/libresolv-2.17.so 7fd1ae990000-7fd1ae992000 rw-p 00000000 00:00 0 7fd1ae992000-7fd1ae9a8000 r-xp 00000000 fd:01 6341860 /usr/lib64/libnsl-2.17.so 7fd1ae9a8000-7fd1aeba8000 ---p 00016000 fd:01 6341860 /usr/lib64/libnsl-2.17.so 7fd1aeba8000-7fd1aeba9000 r--p 00016000 fd:01 6341860 /usr/lib64/libnsl-2.17.so 7fd1aeba9000-7fd1aebaa000 rw-p 00017000 fd:01 6341860 /usr/lib64/libnsl-2.17.so 7fd1aebaa000-7fd1aebac000 rw-p 00000000 00:00 0 7fd1aebac000-7fd1aecad000 r-xp 00000000 fd:01 6341858 /usr/lib64/libm-2.17.so 7fd1aecad000-7fd1aeeac000 ---p 00101000 fd:01 6341858 /usr/lib64/libm-2.17.so 7fd1aeeac000-7fd1aeead000 r--p 00100000 fd:01 6341858 /usr/lib64/libm-2.17.so 7fd1aeead000-7fd1aeeae000 rw-p 00101000 fd:01 6341858 /usr/lib64/libm-2.17.so 7fd1aeeae000-7fd1aeec5000 r-xp 00000000 fd:01 6341876 /usr/lib64/libpthread-2.17.so 7fd1aeec5000-7fd1af0c4000 ---p 00017000 fd:01 6341876 /usr/lib64/libpthread-2.17.so 7fd1af0c4000-7fd1af0c5000 r--p 00016000 fd:01 6341876 /usr/lib64/libpthread-2.17.so 7fd1af0c5000-7fd1af0c6000 rw-p 00017000 fd:01 6341876 /usr/lib64/libpthread-2.17.so 7fd1af0c6000-7fd1af0ca000 rw-p 00000000 00:00 0 7fd1af0ca000-7fd1af2fe000 r-xp 00000000 fd:01 6377314 /usr/lib64/libcrypto.so.1.0.2k 7fd1af2fe000-7fd1af4fe000 ---p 00234000 fd:01 6377314 /usr/lib64/libcrypto.so.1.0.2k 7fd1af4fe000-7fd1af51a000 r--p 00234000 fd:01 6377314 /usr/lib64/libcrypto.so.1.0.2k 7fd1af51a000-7fd1af527000 rw-p 00250000 fd:01 6377314 /usr/lib64/libcrypto.so.1.0.2k 7fd1af527000-7fd1af52b000 rw-p 00000000 00:00 0 7fd1af52b000-7fd1af540000 r-xp 00000000 fd:01 6363337 /usr/lib64/libz.so.1.2.7 7fd1af540000-7fd1af73f000 ---p 00015000 fd:01 6363337 /usr/lib64/libz.so.1.2.7 7fd1af73f000-7fd1af740000 r--p 00014000 fd:01 6363337 /usr/lib64/libz.so.1.2.7 7fd1af740000-7fd1af741000 rw-p 00015000 fd:01 6363337 /usr/lib64/libz.so.1.2.7 7fd1af741000-7fd1af743000 r-xp 00000000 fd:01 6341856 /usr/lib64/libdl-2.17.so 7fd1af743000-7fd1af943000 ---p 00002000 fd:01 6341856 /usr/lib64/libdl-2.17.so 7fd1af943000-7fd1af944000 r--p 00002000 fd:01 6341856 /usr/lib64/libdl-2.17.so 7fd1af944000-7fd1af945000 rw-p 00003000 fd:01 6341856 /usr/lib64/libdl-2.17.so 7fd1af945000-7fd1af967000 r-xp 00000000 fd:01 6341843 /usr/lib64/ld-2.17.so 7fd1afb58000-7fd1afb5e000 rw-p 00000000 00:00 0 7fd1afb63000-7fd1afb66000 rw-p 00000000 00:00 0 7fd1afb66000-7fd1afb67000 r--p 00021000 fd:01 6341843 /usr/lib64/ld-2.17.so 7fd1afb67000-7fd1afb68000 rw-p 00022000 fd:01 6341843 /usr/lib64/ld-2.17.so 7fd1afb68000-7fd1afb69000 rw-p 00000000 00:00 0 7fffc8a29000-7fffc8a4a000 rw-p 00000000 00:00 0 [stack] 7fffc8afa000-7fffc8afc000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] Aborted *** Bug 1596450 has been marked as a duplicate of this bug. *** CVE-2018-12938 appears to be a duplicate of this. The proof of concept works against OpenSLP 2.0 and using the upstream patch appears to fix the issue. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2240 https://access.redhat.com/errata/RHSA-2018:2240 I have verified that the patch posted by amaris appears to fix this issue. There was originally some confusion on other distro lists/by the discover about this not being patched. The reproducer webpage at https://dumpco.re/blog/openslp-2.0.0-double-free now accurately reflects that. As it states, there does not appear to be an official release out with the patch. External References: https://dumpco.re/blog/openslp-2.0.0-double-free This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2308 https://access.redhat.com/errata/RHSA-2018:2308 |