Bug 841698 (CVE-2012-3418)

Summary: CVE-2012-3418 pcp: multiple integer and heap-based buffer overflow flaws
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: fche, fweimer, kenj, mgoodwin, nathans, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20120816,reported=20120718,source=redhat,cvss2=5.8/AV:A/AC:L/Au:N/C:P/I:P/A:P,fedora-all/pcp=affected,epel-all/pcp=affected,dts-1.1/pcp=affected,cwe=CWE-122[auto]
Fixed In Version: pcp 3.6.5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-22 11:57:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 840822, 840920, 841112, 841126, 841159, 841180, 841183, 841240, 841249, 841284, 841290, 848451, 848629, 848630
Bug Blocks: 841708

Description Vincent Danen 2012-07-19 18:03:51 EDT
Florian Weimer of the Red Hat Product Security Team discovered multiple integer and heap-based buffer overflow flaws in PCP (Performance Co-Pilot) libpcp protocol decoding functions.  These flaws could lead to daemon crashes or the execution of arbitrary code with root privileges.  Many of these flaws can be exploited without requiring the attacker to be authenticated.
Comment 1 Vincent Danen 2012-07-19 18:06:45 EDT
The individual bugs that make up these flaws:

bug #840822 Crash in __pmDecodeCreds decoding crafted PDUs
bug #840920 pmcd heap-based buffer overflow in __pmDecodeNameList
bug #841112 __pmDecodeIDList lacks check against PDU size
bug #841126 Missing PDU length checks in __pmDecodeProfile
bug #841159 __pmDecodeResult multiple vulnerabilities
bug #841180 DecodeNameReq buffer overflow
bug #841183 Missing namelen check in __pmDecodeFetch
bug #841240 __pmDecodeInstanceReq heap buffer overflow
bug #841249 __pmDecodeText heap overflow
bug #841284 __pmDecodeInstance vulnerabilities
bug #841290 pcp: __pmDecodeLogControl vulnerabilities
bug #841306 libpcp additional decoder hardening

Respective upstream patches which fix the flaws are included in the individual bugs.
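The bug titles above share one defect class: a PDU decoder trusting a peer-supplied count or length field without checking it against the bytes actually received, so the product of count and element size can wrap and a memcpy can run past the heap buffer. The following is an added example written for this page, not code from libpcp or from the upstream patches. It decodes a toy, constructed length-prefixed "name list" PDU (the layout is invented here and is not the real PCP wire format) and shows the checks a hardened decoder performs: the claimed PDU length is bounded by what was received, the element count is bounded by remaining bytes before any multiplication, and every per-name length is compared against the bytes left rather than added to an offset that could overflow.

```c
/*
 * Added example, not libpcp code.  Toy PDU layout (constructed for this
 * example; not the real PCP PDU format), all integers little-endian:
 *
 *   uint32 pdu_len   total bytes in the PDU, header included
 *   uint32 count     number of names that follow
 *   repeated count times:
 *     uint32 name_len
 *     bytes  name[name_len], zero-padded to a 4-byte boundary
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES    8      /* caller-side capacity used in this example */
#define MAX_NAME_LEN 256    /* sanity limit on a single name */

enum decode_status {
    DECODE_OK = 0,
    DECODE_SHORT_HEADER,   /* fewer bytes than a header */
    DECODE_BAD_LENGTH,     /* pdu_len claims more than was received */
    DECODE_TOO_MANY,       /* count cannot fit in the remaining bytes */
    DECODE_NAME_OVERRUN,   /* a name_len runs past the PDU */
    DECODE_TRAILING        /* bytes left over after the last name */
};

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode names into caller-provided storage; *nout receives the count. */
enum decode_status decode_name_list(const unsigned char *pdu, size_t avail,
                                    char names[][MAX_NAME_LEN + 1],
                                    size_t max_names, size_t *nout)
{
    *nout = 0;
    if (avail < 8)
        return DECODE_SHORT_HEADER;

    uint32_t pdu_len = rd32(pdu);
    /* The peer's claimed length must not exceed the bytes we actually hold. */
    if (pdu_len < 8 || pdu_len > avail)
        return DECODE_BAD_LENGTH;

    uint32_t count = rd32(pdu + 4);
    size_t remaining = pdu_len - 8;
    /* Bound count by remaining bytes BEFORE any count * size arithmetic:
       each name needs at least its 4-byte length field. */
    if (count > remaining / 4 || count > max_names)
        return DECODE_TOO_MANY;

    size_t off = 8;                       /* invariant: off <= pdu_len */
    for (uint32_t i = 0; i < count; i++) {
        if (pdu_len - off < 4)
            return DECODE_NAME_OVERRUN;
        uint32_t name_len = rd32(pdu + off);
        off += 4;
        /* Compare against bytes left, never "off + name_len > pdu_len",
           which could wrap for a huge name_len. */
        if (name_len > MAX_NAME_LEN || name_len > pdu_len - off)
            return DECODE_NAME_OVERRUN;
        memcpy(names[i], pdu + off, name_len);
        names[i][name_len] = '\0';
        size_t padded = (name_len + 3) & ~(size_t)3;   /* no wrap: <= 259 */
        if (padded > pdu_len - off)
            return DECODE_NAME_OVERRUN;   /* padding bytes missing */
        off += padded;
    }
    if (off != pdu_len)
        return DECODE_TRAILING;
    *nout = count;
    return DECODE_OK;
}

/* Constructed sample PDUs: one well-formed, three malformed. */
static const unsigned char SAMPLE_OK[] = {
    24, 0, 0, 0,  2, 0, 0, 0,
    4, 0, 0, 0,  'd', 'i', 's', 'k',
    3, 0, 0, 0,  'm', 'e', 'm', 0 };
static const unsigned char SAMPLE_HUGE_COUNT[] = { 8, 0, 0, 0, 0xff, 0xff, 0xff, 0xff };
static const unsigned char SAMPLE_HUGE_NAME[]  = { 12, 0, 0, 0, 1, 0, 0, 0, 0xff, 0xff, 0xff, 0xff };
static const unsigned char SAMPLE_OVERCLAIM[]  = { 100, 0, 0, 0, 0, 0, 0, 0 };

enum decode_status check_sample(const unsigned char *pdu, size_t len)
{
    char names[MAX_NAMES][MAX_NAME_LEN + 1];
    size_t n;
    return decode_name_list(pdu, len, names, MAX_NAMES, &n);
}

size_t decoded_count(const unsigned char *pdu, size_t len)
{
    char names[MAX_NAMES][MAX_NAME_LEN + 1];
    size_t n = 0;
    decode_name_list(pdu, len, names, MAX_NAMES, &n);
    return n;
}

int main(void)
{
    printf("ok         -> %d (names=%zu)\n", check_sample(SAMPLE_OK, sizeof SAMPLE_OK),
           decoded_count(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("huge count -> %d\n", check_sample(SAMPLE_HUGE_COUNT, sizeof SAMPLE_HUGE_COUNT));
    printf("huge name  -> %d\n", check_sample(SAMPLE_HUGE_NAME, sizeof SAMPLE_HUGE_NAME));
    printf("overclaim  -> %d\n", check_sample(SAMPLE_OVERCLAIM, sizeof SAMPLE_OVERCLAIM));
    return 0;
}
```

The design point is that every check is phrased as "field > bytes remaining" rather than "offset + field > total", and that the count is bounded by remaining bytes divided by the minimum element size before it is ever multiplied; the malformed samples are rejected by status code instead of reaching memcpy.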
Comment 5 Huzaifa S. Sidhpurwala 2012-08-16 00:44:53 EDT
Created pcp tracking bugs for this issue

Affects: epel-all [bug 848629]
Comment 7 Huzaifa S. Sidhpurwala 2012-08-20 04:39:52 EDT
(In reply to comment #1)
> bug #841306 libpcp additional decoder hardening

We have excluded this bug from CVE-2012-3418. It is not fixed in pcp-3.6.5.
A CVE is not assigned to bug #841306, however, since it's not really a flaw but more of a hardening issue.
Comment 8 Fedora Update System 2012-08-20 06:54:31 EDT
pcp-3.6.5-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-08-20 06:57:03 EDT
pcp-3.6.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-08-21 14:34:13 EDT
pcp-3.6.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-08-21 14:38:02 EDT
pcp-3.6.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-09-17 20:00:48 EDT
pcp-3.6.5-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.