Bug 705173 (CVE-2010-5111)

Summary: CVE-2010-5111 echoping: boundary error in SSL-related functions can lead to buffer overflow
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: andreas, carnil, darunesh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 16:02:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 705174    
Bug Blocks:    

Description Vincent Danen 2011-05-16 20:47:11 UTC 
A Debian bug report [1] indicates:

"My concern is the third gnutls_record_recv() call. 'maxlen' argument
of TLS_readline() was passed to the call as is, and TLS_readline()
callers *always pass the full size* of TLS_buffer[] as 'maxlen', but
pointer passed to the gnutls_record_recv() is (TLS_buffer + some
offset). So, in theory, remote side could send specifically prepared
data which could overwrite up to MAXTOREAD bytes past the buffer. As
I'm not a security expert, I can't say for sure if it is really
exploitable or not, but it does not look good at all."

To exploit, a user would need to be coerced into running echoping against a malicious HTTPS site that sends back certain crafted data.  This affects version 6.0.2 as found in Fedora; upstream has committed a fix [2].


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606808#22
[2] http://echoping.svn.sourceforge.net/viewvc/echoping/trunk/SRC/readline.c?r1=427&r2=430
Comment 1 Vincent Danen 2011-05-16 20:48:12 UTC 
Created echoping tracking bugs for this issue

Affects: fedora-all [bug 705174]
Comment 2 Vincent Danen 2013-10-17 17:02:12 UTC 
Upstream bug report:

http://sourceforge.net/p/echoping/bugs/55/

This is still unfixed in current Fedora.

CVE request:

http://seclists.org/oss-sec/2013/q4/120
Comment 3 Salvatore Bonaccorso 2013-10-22 07:06:51 UTC 
Hi

FYI: CVE-2013-4448 was rejected, and CVE-2010-5111 assigned for this issue.

See: http://marc.info/?l=oss-security&m=138238646504844&w=2

Regards,
Salvatore
Comment 4 Dhananjay Arunesh 2020-02-26 10:28:23 UTC 
*** Bug 1803069 has been marked as a duplicate of this bug. ***