Bug 861241 (CVE-2012-4459) - CVE-2012-4459 qpid-cpp: crash due to qpid::framing::Buffer::checkAvailable() wraparound
Summary: CVE-2012-4459 qpid-cpp: crash due to qpid::framing::Buffer::checkAvailable() ...
Status: CLOSED ERRATA
Alias: CVE-2012-4459
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20130305,repor...
Keywords: Security
Depends On: 825298 878512 878513 878514 878516 878517 918804
Blocks: 849724 851360
TreeView+ depends on / blocked
 
Reported: 2012-09-27 21:59 UTC by Vincent Danen
Modified: 2014-01-11 18:51 UTC (History)
10 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-03-06 22:23:15 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0561 normal SHIPPED_LIVE Moderate: Red Hat Enterprise MRG Messaging 2.3 security update 2013-03-06 23:48:13 UTC
Red Hat Product Errata RHSA-2013:0562 normal SHIPPED_LIVE Moderate: Red Hat Enterprise MRG Messaging 2.3 security update 2013-03-06 23:47:57 UTC

Description Vincent Danen 2012-09-27 21:59:48 UTC
It was discovered that the qpid::framing::Buffer::checkAvailable() function could crash due to a wraparound.  The function looks like this:

  void checkAvailable(uint32_t count)
      { if (position + count > size) throw OutOfBounds(); }

where position + count can overflow, resulting in a value which is smaller than size.  The put*String() functions contain potential wraparounds in the argument to checkAvailable().


Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.

Comment 3 Vincent Danen 2013-03-06 16:59:27 UTC
This is corrected upstream:

https://svn.apache.org/viewvc?view=revision&revision=1453031


External References:

https://issues.apache.org/jira/browse/QPID-4629

Comment 4 errata-xmlrpc 2013-03-06 18:50:56 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:0562 https://rhn.redhat.com/errata/RHSA-2013-0562.html

Comment 5 errata-xmlrpc 2013-03-06 18:52:07 UTC
This issue has been addressed in following products:

  MRG for RHEL-5 v. 2

Via RHSA-2013:0561 https://rhn.redhat.com/errata/RHSA-2013-0561.html

Comment 6 Vincent Danen 2013-03-06 22:13:57 UTC
Created qpid-cpp tracking bugs for this issue

Affects: fedora-all [bug 918804]


Note You need to log in before you can comment on or make changes to this bug.