Bug 1560084 (CVE-2018-1000140) - CVE-2018-1000140 librelp: Stack-based buffer overflow in relpTcpChkPeerName function in src/tcp.c
Status: NEW
Alias: CVE-2018-1000140
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=critical,public=20180323,repor...
Keywords: Security
Depends On: 1560086 1560085 1561229 1561230 1561231 1561232 1570814 1570815 1570816 1570817 1570818 1570819 1570820
Blocks: 1560087
 
Reported: 2018-03-23 20:50 UTC by Pedro Sampaio
Modified: 2018-08-31 21:54 UTC (History)

Fixed In Version: librelp 1.2.15
Doc Text:
A stack-based buffer overflow was found in the way librelp parses X.509 certificates. By connecting to or accepting connections from a remote peer, an attacker may use a specially crafted X.509 certificate to exploit this flaw and potentially execute arbitrary code.

External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2018:1223 | None | None | None | 2018-04-24 18:32 UTC
Red Hat Product Errata | RHSA-2018:1225 | None | None | None | 2018-04-24 18:35 UTC
Red Hat Product Errata | RHSA-2018:1701 | None | None | None | 2018-05-23 15:48 UTC
Red Hat Product Errata | RHSA-2018:1702 | None | None | None | 2018-05-23 15:54 UTC
Red Hat Product Errata | RHSA-2018:1703 | None | None | None | 2018-05-23 15:55 UTC
Red Hat Product Errata | RHSA-2018:1704 | None | None | None | 2018-05-23 15:53 UTC
Red Hat Product Errata | RHSA-2018:1707 | None | None | None | 2018-05-23 15:57 UTC

Description Pedro Sampaio 2018-03-23 20:50:02 UTC
librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in Remote code execution. This attack appears to be exploitable by a remote attacker that can connect to rsyslog and trigger a stack buffer overflow by sending a specially crafted x509 certificate.

Upstream patch:

https://github.com/rsyslog/librelp/commit/2cfe657672636aa5d7d2a14cfcb0a6ab9d1f00cf

References:

https://lgtm.com/rules/1505913226124/
https://github.com/rsyslog/librelp/blob/532aa362f0f7a8d037505b0a27a1df452f9bac9e/src/tcp.c#L1205

Comment 1 Pedro Sampaio 2018-03-23 20:50:34 UTC
Created librelp tracking bugs for this issue:

Affects: fedora-all [bug 1560085]

Comment 4 Tomas Hoger 2018-04-04 18:41:35 UTC
External References:

https://www.rsyslog.com/cve-2018-1000140/

Comment 8 Pedro Yóssis Silva Barbosa 2018-04-24 14:49:43 UTC
Mitigation:

Users are strongly advised not to expose their logging RELP services to a public network.

Comment 11 Pedro Yóssis Silva Barbosa 2018-04-24 15:45:14 UTC
Acknowledgments:

Name: Rainer Gerhards (rsyslog)
Upstream: Bas van Schaik (lgtm.com / Semmle), Kevin Backhouse (lgtm.com / Semmle)

Comment 12 errata-xmlrpc 2018-04-24 18:31:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1223 https://access.redhat.com/errata/RHSA-2018:1223

Comment 13 errata-xmlrpc 2018-04-24 18:35:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1225 https://access.redhat.com/errata/RHSA-2018:1225

Comment 19 errata-xmlrpc 2018-05-23 15:48:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:1701 https://access.redhat.com/errata/RHSA-2018:1701

Comment 20 errata-xmlrpc 2018-05-23 15:53:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:1704 https://access.redhat.com/errata/RHSA-2018:1704

Comment 21 errata-xmlrpc 2018-05-23 15:54:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:1702 https://access.redhat.com/errata/RHSA-2018:1702

Comment 22 errata-xmlrpc 2018-05-23 15:55:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2018:1703 https://access.redhat.com/errata/RHSA-2018:1703

Comment 23 errata-xmlrpc 2018-05-23 15:57:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2018:1707 https://access.redhat.com/errata/RHSA-2018:1707

