Florian Weimer of the Red Hat Product Security Team discovered multiple integer and heap-based buffer overflow flaws in PCP (Performance Co-Pilot) libpcp protocol decoding functions. These flaws could lead to daemon crashes or the execution of arbitrary code with root privileges. Many of these flaws can be exploited without requiring the attacker to be authenticated.
The individual bugs that make up these flaws:

bug #840822 Crash in __pmDecodeCreds decoding crafted PDUs
bug #840920 pmcd heap-based buffer overflow in __pmDecodeNameList
bug #841112 __pmDecodeIDList lacks check against PDU size
bug #841126 Missing PDU length checks in __pmDecodeProfile
bug #841159 __pmDecodeResult multiple vulnerabilities
bug #841180 DecodeNameReq buffer overflow
bug #841183 Missing namelen check in __pmDecodeFetch
bug #841240 __pmDecodeInstanceReq heap buffer overflow
bug #841249 __pmDecodeText heap overflow
bug #841284 __pmDecodeInstance vulnerabilities
bug #841290 pcp: __pmDecodeLogControl vulnerabilities
bug #841306 libpcp additional decoder hardening

Respective upstream patches which fix the flaws are included in the individual bugs.
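Added example, not code from libpcp or from the patches referenced above: a bounds-checked decoder for a constructed, hypothetical name-list PDU layout (assumed for illustration only, not PCP's wire format), showing the count and length checks that the bug titles above describe as missing from the libpcp decoders.

```c
/* Added example, not libpcp code: a bounds-checked decoder for a constructed,
 * hypothetical name-list PDU (big-endian uint32 count, then count entries of
 * uint32 len + len bytes); every wire field is checked before it is used. */
#include <stdint.h>
#include <stddef.h>
#define MAX_NAMES 64 /* capacity of the caller's out[]/outlen[] arrays */
/* Read a big-endian uint32 at off; fail unless all 4 bytes lie inside the PDU. */
static int rd32(const uint8_t *p, size_t pdulen, size_t off, uint32_t *out)
{
    if (off > pdulen || pdulen - off < 4)
        return -1;
    *out = (uint32_t)p[off] << 24 | (uint32_t)p[off + 1] << 16 |
           (uint32_t)p[off + 2] << 8 | (uint32_t)p[off + 3];
    return 0;
}
/* Fill out[]/outlen[] with pointers into pdu; return name count, -1 if malformed. */
int decode_name_list(const uint8_t *pdu, size_t pdulen,
                     const uint8_t **out, size_t *outlen)
{
    uint32_t count, namelen; size_t off = 4;
    if (rd32(pdu, pdulen, 0, &count) < 0)
        return -1;
    /* Claimed count must fit the output arrays and the bytes actually present. */
    if (count > MAX_NAMES || count > (pdulen - off) / 4)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (rd32(pdu, pdulen, off, &namelen) < 0)
            return -1;
        off += 4;
        /* Compare against bytes remaining; never form off + namelen, it can wrap. */
        if (namelen > pdulen - off)
            return -1;
        out[i] = pdu + off;
        outlen[i] = namelen;
        off += namelen;
    }
    return (int)count;
}
/* Constructed PDUs: one well-formed, two with oversized fields an unchecked decoder
 * would follow past the buffer end. Returns 1 if only the first is accepted. */
int self_check(void)
{
    static const uint8_t ok[] = {0,0,0,2, 0,0,0,3,'a','b','c', 0,0,0,2,'d','e'};
    static const uint8_t bad_count[] = {0xff,0xff,0xff,0xff};
    static const uint8_t bad_len[] = {0,0,0,1, 0x7f,0xff,0xff,0xff};
    const uint8_t *names[MAX_NAMES]; size_t lens[MAX_NAMES];
    return decode_name_list(ok, sizeof ok, names, lens) == 2 && lens[0] == 3 &&
           lens[1] == 2 && decode_name_list(bad_count, 4, names, lens) == -1 &&
           decode_name_list(bad_len, sizeof bad_len, names, lens) == -1;
}
```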
Created pcp tracking bugs for this issue:

Affects: epel-all [bug 848629]
This issue was addressed in Fedora and EPEL via the following security updates:

Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
Rawhide: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18
EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6
(In reply to comment #1)
> bug #841306 libpcp additional decoder hardening

We have excluded this bug from CVE-2012-3418. It is not fixed in pcp-3.6.5. A CVE is not assigned to bug #841306, however, since it's not really a flaw, but more of a hardening issue.
pcp-3.6.5-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
pcp-3.6.5-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
pcp-3.6.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
pcp-3.6.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
pcp-3.6.5-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.