Bug 861234 (CVE-2012-4458)

Summary: CVE-2012-4458 qpid-cpp: long arrays of zero-width types cause a denial of service
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: fweimer, iboverma, jneedle, jross, mcressma, messaging-bugs, mjc, rmillner, security-response-team, tkramer
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130305,reported=20120523,source=redhat,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,fedora-all/qpid-cpp=affected,mrg-2/qpid-cpp=affected,mrg-1/qpid-cpp=wontfix,rhel-6/qpid-cpp=affected
Fixed In Version: qpid-cpp 0.21
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-03-06 17:23:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 824493, 845364, 918804
Bug Blocks: 849724, 851360

Description Vincent Danen 2012-09-27 17:35:50 EDT
It was discovered that the AMQP type decoder was exposed pre-authentication because it was possible to send arbitrary types in the client-properties map in a connection.start-ok message.  This is used to send an array with elements which are all of width zero and thus consume no space on the wire, but need storage after decoding by the server.  On some systems, a suitably chosen SIZE value triggers the OOM killer and terminates the server process permanently.


Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
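The amplification the report describes, as an added example that is not code from qpid-cpp, from the upstream fix or from the reporter: a minimal decoder for the AMQP 0-10 array encoding (uint32 body size, uint8 element type, uint32 element count, then the elements) in the vulnerable shape, which trusts the declared count and materialises one object per element, beside a bounded decoder that checks each length field against the bytes actually present and caps how many zero-width elements a nine-byte array may declare. The type codes (0x02 uint8, 0x22 uint32, 0xaa array, 0xf0 void, 0xf1 bit), the client-properties map layout, the 64K cap and all function names are assumptions made for illustration; the crafted input is constructed here and kept to one million elements so the vulnerable path finishes rather than exhausting memory.

```python
import struct

# Element width in bytes per type code.  Codes are AMQP 0-10 values as I
# recall them (assumption): 0x02 uint8, 0x22 uint32, 0xf0 void, 0xf1 bit.
WIDTH = {0x02: 1, 0x22: 4, 0xf0: 0, 0xf1: 0}
ARRAY_CODE = 0xaa          # type code introducing a nested array (assumed)
ARRAY_HEADER = 5           # uint8 element type + uint32 element count

class DecodeError(Exception):
    """Raised by the bounded decoder; a broker would close the connection here."""

def encode_array(type_code, elements):
    """uint32 body size | uint8 element type | uint32 count | elements."""
    width = WIDTH[type_code]
    if width == 0:
        elems = b""
    elif width == 1:
        elems = bytes(elements)
    else:
        elems = b"".join(struct.pack("!I", e) for e in elements)
    body = struct.pack("!BI", type_code, len(elements)) + elems
    return struct.pack("!I", len(body)) + body

def craft_zero_width_array(count):
    """Nine wire bytes: a 'void' array whose declared count is attacker-chosen
    (the report's SIZE); nothing follows because each element is zero bytes."""
    body = struct.pack("!BI", 0xf0, count)
    return struct.pack("!I", len(body)) + body

def wrap_in_client_properties(key, array_bytes):
    """Place the array in a client-properties map as connection.start-ok carries
    it: uint32 size | uint32 entry count | str8 key | uint8 type | value (assumed layout)."""
    entry = struct.pack("!B", len(key)) + key.encode() + bytes([ARRAY_CODE]) + array_bytes
    body = struct.pack("!I", 1) + entry
    return struct.pack("!I", len(body)) + body

def _read_element(buf, pos, width):
    if width == 0:
        return None, pos
    if width == 1:
        return buf[pos], pos + 1
    return struct.unpack_from("!I", buf, pos)[0], pos + width

def decode_array_unchecked(buf):
    """Vulnerable shape: trusts count and materialises one entry per element.
    Zero-width elements are free on the wire but cost heap after decoding."""
    type_code, count = struct.unpack_from("!BI", buf, 4)
    width = WIDTH[type_code]
    pos, values = 4 + ARRAY_HEADER, []
    for _ in range(count):
        v, pos = _read_element(buf, pos, width)
        values.append(v)
    return values

def decode_array_checked(buf, max_zero_width=65536):
    """Bounded shape: every length field is checked against the bytes present,
    and a zero-width type cannot declare more elements than a policy cap
    (64K is an arbitrary choice for illustration, not qpid's)."""
    if len(buf) < 4:
        raise DecodeError("truncated size field")
    (size,) = struct.unpack_from("!I", buf, 0)
    if size > len(buf) - 4:
        raise DecodeError("size %d exceeds %d available bytes" % (size, len(buf) - 4))
    if size == 0:
        return []                      # an empty array encodes as size 0
    if size < ARRAY_HEADER:
        raise DecodeError("array body shorter than its header")
    type_code, count = struct.unpack_from("!BI", buf, 4)
    if type_code not in WIDTH:
        raise DecodeError("unsupported element type 0x%02x" % type_code)
    width = WIDTH[type_code]
    payload = size - ARRAY_HEADER
    if width and count * width != payload:
        raise DecodeError("count %d needs %d bytes, body carries %d" % (count, count * width, payload))
    if not width and count > max_zero_width:
        raise DecodeError("zero-width array declares %d elements, cap is %d" % (count, max_zero_width))
    pos, values = 4 + ARRAY_HEADER, []
    for _ in range(count):
        v, pos = _read_element(buf, pos, width)
        values.append(v)
    return values

def is_rejected(buf):
    """True if the bounded decoder refuses buf."""
    try:
        decode_array_checked(buf)
    except DecodeError:
        return True
    return False

if __name__ == "__main__":
    evil = craft_zero_width_array(1_000_000)        # constructed input, 9 bytes
    print(len(evil), "bytes on the wire ->", len(decode_array_unchecked(evil)), "objects after decoding")
    print("bounded decoder rejects it:", is_rejected(evil))
    print("client-properties entry carrying it:", wrap_in_client_properties("x", evil).hex())
```

The check that matters is the one on `count`: for a fixed-width type the count must be paid for byte-for-byte by the body, and for a zero-width type no amount of body can pay for it, so the only defence is a cap (or refusing zero-width arrays outright, which costs nothing since they carry no information). Because connection.start-ok arrives before authentication, the bound has to hold for every peer that can open a TCP connection, not just authenticated clients.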
Comment 1 Vincent Danen 2013-03-06 11:58:57 EST
This is corrected upstream:

https://svn.apache.org/viewvc?view=revision&revision=1453031


External References:

https://issues.apache.org/jira/browse/QPID-4629
Comment 2 errata-xmlrpc 2013-03-06 13:50:52 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:0562 https://rhn.redhat.com/errata/RHSA-2013-0562.html
Comment 3 errata-xmlrpc 2013-03-06 13:52:04 EST
This issue has been addressed in the following products:

  MRG for RHEL-5 v. 2

Via RHSA-2013:0561 https://rhn.redhat.com/errata/RHSA-2013-0561.html
Comment 4 Vincent Danen 2013-03-06 17:13:35 EST
Created qpid-cpp tracking bugs for this issue

Affects: fedora-all [bug 918804]