861241 – (CVE-2012-4459) CVE-2012-4459 qpid-cpp: crash due to qpid::framing::Buffer::checkAvailable() wraparound

Bug 861241 (CVE-2012-4459) - CVE-2012-4459 qpid-cpp: crash due to qpid::framing::Buffer::checkAvailable() wraparound

Summary: CVE-2012-4459 qpid-cpp: crash due to qpid::framing::Buffer::checkAvailable() ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-4459
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	825298 878512 878513 878514 878516 878517 918804
Blocks:	849724 851360
TreeView+	depends on / blocked

Reported:	2012-09-27 21:59 UTC by Vincent Danen
Modified:	2023-05-11 19:33 UTC (History)
CC List:	10 users (show)
Fixed In Version:	qpid-cpp 0.21
Clone Of:
Environment:
Last Closed:	2013-03-06 22:23:15 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0561	0	normal	SHIPPED_LIVE	Moderate: Red Hat Enterprise MRG Messaging 2.3 security update	2013-03-06 23:48:13 UTC
Red Hat Product Errata	RHSA-2013:0562	0	normal	SHIPPED_LIVE	Moderate: Red Hat Enterprise MRG Messaging 2.3 security update	2013-03-06 23:47:57 UTC

Description Vincent Danen 2012-09-27 21:59:48 UTC

It was discovered that the qpid::framing::Buffer::checkAvailable() function could crash due to a wraparound.  The function looks like this:

  void checkAvailable(uint32_t count)
      { if (position + count > size) throw OutOfBounds(); }

where position + count can overflow, resulting in a value which is smaller than size.  The put*String() functions contain potential wraparounds in the argument to checkAvailable().


Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.

Comment 3 Vincent Danen 2013-03-06 16:59:27 UTC

This is corrected upstream:

https://svn.apache.org/viewvc?view=revision&revision=1453031


External References:

https://issues.apache.org/jira/browse/QPID-4629

Comment 4 errata-xmlrpc 2013-03-06 18:50:56 UTC

This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:0562 https://rhn.redhat.com/errata/RHSA-2013-0562.html

Comment 5 errata-xmlrpc 2013-03-06 18:52:07 UTC

This issue has been addressed in following products:

  MRG for RHEL-5 v. 2

Via RHSA-2013:0561 https://rhn.redhat.com/errata/RHSA-2013-0561.html

Comment 6 Vincent Danen 2013-03-06 22:13:57 UTC

Created qpid-cpp tracking bugs for this issue

Affects: fedora-all [bug 918804]

Note You need to log in before you can comment on or make changes to this bug.