841290 – pcp: __pmDecodeLogControl vulnerabilities

Bug 841290 - pcp: __pmDecodeLogControl vulnerabilities

Summary: pcp: __pmDecodeLogControl vulnerabilities

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pcp
Sub Component:
Version:	16
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Mark Goodwin
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	840765 CVE-2012-3418
TreeView+	depends on / blocked

Reported:	2012-07-18 15:04 UTC by Florian Weimer
Modified:	2012-08-20 04:00 UTC (History)
CC List:	4 users (show)
Fixed In Version:	pcp-3.6.5
Clone Of:
Environment:
Last Closed:	2012-08-20 04:00:49 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Resolve issues in decoding PCP logcontrol PDUs (3.31 KB, patch) 2012-07-27 06:41 UTC, Nathan Scott	no flags	Details \| Diff
Updated patch to address PCP logcontrol PDU decoding issues (3.18 KB, patch) 2012-07-29 01:37 UTC, Nathan Scott	no flags	Details \| Diff
Show Obsolete (1) View All

Description Florian Weimer 2012-07-18 15:04:32 UTC

Comment 1 Tomas Hoger 2012-07-18 15:11:17 UTC

Moving text form Environment field to proper comment:

__pmDecodeLogControl does not check the c_numpmid and v_numval fields against the size of the PDU.  Due to the way the sizes passed to malloc are calculated, heap objects could be allocated which are too small, leading to a heap-based buffer overflow.

This seems to be exposed through pmlogger, but not through pmcd.

Comment 2 Nathan Scott 2012-07-27 06:41:46 UTC

Created attachment 600705 [details]
Resolve issues in decoding PCP logcontrol PDUs

Comment 3 Florian Weimer 2012-07-27 15:31:53 UTC

(In reply to comment #2)
> Created attachment 600705 [details]
> Resolve issues in decoding PCP logcontrol PDUs

I think this is fine, thanks.  You can remove

	    if (nv >= (INT_MAX - sizeof(vlist_t) - sizeof(__pmValue_PDU)) / sizeof(__pmValue_PDU))
		goto corrupt;

from the nv == 0 branch.

Comment 4 Nathan Scott 2012-07-29 01:37:11 UTC

Created attachment 600969 [details]
Updated patch to address PCP logcontrol PDU decoding issues

Incorporate Florian's review comments.

Comment 5 Florian Weimer 2012-07-30 12:21:10 UTC

(In reply to comment #4)
> Created attachment 600969 [details]
> Updated patch to address PCP logcontrol PDU decoding issues
> 
> Incorporate Florian's review comments.

Still looks okay.

Comment 6 Huzaifa S. Sidhpurwala 2012-08-16 04:00:55 UTC

Upstream patch:

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=b9f41448621b01988f72bd41d4764a5570e606ba

This issue has been addressed in pcp-3.6.5

Comment 7 Huzaifa S. Sidhpurwala 2012-08-20 04:00:49 UTC

This issue was addressed in Fedora and EPEL via the following security updates:

Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
Rawhide:   https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18

EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6

Note You need to log in before you can comment on or make changes to this bug.