Bug 1256797 (CVE-2015-6525) - CVE-2015-6525 libevent: multiple integer overflows in the evbuffer APIs
Summary: CVE-2015-6525 libevent: multiple integer overflows in the evbuffer APIs
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-6525
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1178963 1256804
Blocks: 1256801
Reported: 2015-08-25 13:05 UTC by Adam Mariš
Modified: 2019-09-29 13:36 UTC

Fixed In Version: libevent 1.4.15, libevent 2.0.22, libevent 2.1.5
Doc Type: Bug Fix
Doc Text:
Multiple integer overflow flaws were found in libevent's evbuffer API. An attacker able to make an application pass an excessively long input to libevent using the API could use these flaws to make the application enter an infinite loop, crash, and, possibly, execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:43:17 UTC
Embargoed:



Description Adam Mariš 2015-08-25 13:05:33 UTC
Multiple integer overflows in the evbuffer API in Libevent 2.0.x before 2.0.22 and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the:

(1) evbuffer_add, 
(2) evbuffer_prepend, 
(3) evbuffer_expand, 
(4) evbuffer_reserve_space, or 
(5) evbuffer_read function, 

which triggers a heap-based buffer overflow or an infinite loop. 

NOTE: this identifier was SPLIT from CVE-2014-6272 per ADT3 due to different affected versions.

References:

http://archives.seul.org/libevent/users/Jan-2015/msg00010.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6525
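
The two failure modes named in the description (a wrapped size leading to a heap overflow, and a growth loop that never terminates) can be shown with a checked capacity calculation. This is an added example, not libevent's code or its fix; `BUF_MAX`, `need_unchecked` and `grow_capacity` are hypothetical names and the sample sizes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap on one buffer, so sizes stay far below SIZE_MAX. */
#define BUF_MAX (SIZE_MAX / 2)

/* Unchecked form: used + datlen wraps modulo SIZE_MAX + 1, so a huge datlen
 * yields a small "needed" size and the copy that follows overruns the heap. */
static size_t need_unchecked(size_t used, size_t datlen) {
    return used + datlen;
}

/* Checked form. Returns 0 and stores the new capacity in *out, or -1 if the
 * request exceeds BUF_MAX (which also rules out wraparound). */
static int grow_capacity(size_t cap, size_t used, size_t datlen, size_t *out) {
    if (used > BUF_MAX || datlen > BUF_MAX - used)
        return -1;                 /* used + datlen would exceed the cap */
    size_t need = used + datlen;   /* cannot wrap after the check above */
    if (cap == 0)
        cap = 64;                  /* constructed minimum allocation */
    /* An unchecked "while (cap < need) cap <<= 1;" shifts cap to 0 once the
     * top bit falls off and then spins forever. Stop before that point. */
    while (cap < need) {
        if (cap > BUF_MAX / 2) {   /* doubling would pass BUF_MAX */
            cap = need;            /* need <= BUF_MAX, so this is safe */
            break;
        }
        cap <<= 1;
    }
    *out = cap;
    return 0;
}

int main(void) {
    size_t out = 0;
    /* Constructed input: 16 bytes buffered, near-SIZE_MAX append request. */
    printf("unchecked need=%zu, checked rc=%d\n",
           need_unchecked(16, SIZE_MAX - 7),
           grow_capacity(64, 16, SIZE_MAX - 7, &out));
    return 0;
}
```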

Comment 1 Adam Mariš 2015-08-25 13:23:05 UTC
Created libevent tracking bugs for this issue:

Affects: fedora-all [bug 1256804]

Comment 2 Tomas Hoger 2015-12-01 12:59:03 UTC
These issues were already investigated as part of CVE-2014-6272 (see bug 1144646), from which this CVE was split out.  There is no new issue under this new CVE, only some issues that were originally tracked under CVE-2014-6272 now have a separate id.  This CVE-2015-6525 only covers issues in APIs only available in libevent 2.0 and later.

