Bug 861241 - (CVE-2012-4459) CVE-2012-4459 qpid-cpp: crash due to qpid::framing::Buffer::checkAvailable() wraparound
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 825298 878512 878513 878514 878516 878517 918804
Blocks: 849724 851360
Reported: 2012-09-27 17:59 EDT by Vincent Danen
Modified: 2014-01-11 13:51 EST
Fixed In Version: qpid-cpp 0.21
Doc Type: Bug Fix
Last Closed: 2013-03-06 17:23:15 EST

Description Vincent Danen 2012-09-27 17:59:48 EDT
It was discovered that the qpid::framing::Buffer::checkAvailable() function could crash due to a wraparound.  The function looks like this:

  void checkAvailable(uint32_t count)
      { if (position + count > size) throw OutOfBounds(); }

where position + count can overflow, resulting in a value which is smaller than size.  The put*String() functions contain potential wraparounds in the argument to checkAvailable().


This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
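
The wraparound described above, reproduced in a simplified model next to an overflow-safe form of the check. This is an added example, not qpid-cpp code and not the upstream fix; `BufferModel`, the helper names and the sample values are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Hypothetical stand-in for the exception type named in the report.
struct OutOfBounds : std::runtime_error {
    OutOfBounds() : std::runtime_error("out of bounds") {}
};

// Simplified model of a framing buffer: only the two fields the check reads.
struct BufferModel {
    uint32_t size;
    uint32_t position;

    // The check as quoted in the report: the 32-bit sum can wrap.
    void checkAvailableWrapping(uint32_t count) const {
        if (position + count > size) throw OutOfBounds();
    }

    // Overflow-safe form: reject a position already past size, then compare
    // count against the remaining space. The subtraction cannot wrap.
    void checkAvailableSafe(uint32_t count) const {
        if (position > size || count > size - position) throw OutOfBounds();
    }
};

// Returns true when the given check throws OutOfBounds.
template <typename Check>
bool rejects(Check check) {
    try { check(); } catch (const OutOfBounds&) { return true; }
    return false;
}

bool wrappingCheckRejects(uint32_t size, uint32_t pos, uint32_t count) {
    BufferModel b{size, pos};
    return rejects([&] { b.checkAvailableWrapping(count); });
}

bool safeCheckRejects(uint32_t size, uint32_t pos, uint32_t count) {
    BufferModel b{size, pos};
    return rejects([&] { b.checkAvailableSafe(count); });
}

int main() {
    // Constructed values: 16 + 0xFFFFFFF8 wraps to 8, which is below size 64.
    std::printf("wrapping: %d\n", wrappingCheckRejects(64, 16, 0xFFFFFFF8u));
    std::printf("safe:     %d\n", safeCheckRejects(64, 16, 0xFFFFFFF8u));
    return 0;
}
```

Both forms agree for in-range requests; they differ only when `position + count` exceeds the 32-bit range.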
Comment 3 Vincent Danen 2013-03-06 11:59:27 EST
This is corrected upstream:


External References:

Comment 4 errata-xmlrpc 2013-03-06 13:50:56 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:0562 https://rhn.redhat.com/errata/RHSA-2013-0562.html
Comment 5 errata-xmlrpc 2013-03-06 13:52:07 EST
This issue has been addressed in the following products:

  MRG for RHEL-5 v. 2

Via RHSA-2013:0561 https://rhn.redhat.com/errata/RHSA-2013-0561.html
Comment 6 Vincent Danen 2013-03-06 17:13:57 EST
Created qpid-cpp tracking bugs for this issue

Affects: fedora-all [bug 918804]
