Bug#795429: CVE-2015-5177
Package: openslp-dfsg
Version: 1.2.1-10
Followup-For: Bug #795429
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu wily ubuntu-patch
In Ubuntu, the attached patch was applied to achieve the following:
  * SECURITY UPDATE: denial of service via double free flaw
    - debian/patches/CVE-2015-5177.patch: fix double free if
      SLPDKnownDAAdd() fails in slpd/slpd_knownda.c.
    - CVE-2015-5177
Thanks for considering the patch.
-- System Information:
Debian Release: jessie/sid
APT prefers vivid-updates
APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid-proposed'), (500, 'vivid'), (100, 'vivid-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.0-27-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru openslp-dfsg-1.2.1/debian/changelog openslp-dfsg-1.2.1/debian/changelog
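Review bot: the `diff -Nru` header for debian/changelog is not followed by any hunk, so the new revision number and the changelog entry summarised in the body above cannot be checked against `Version: 1.2.1-10` from the header; please resend the debdiff with the changelog hunk included.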
diff -Nru openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch
--- openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch 1969-12-31 19:00:00.000000000 -0500
+++ openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch 2015-08-28 15:29:54.000000000 -0400
@@ -0,0 +1,30 @@
+Description: fix denial of service via double free flaw
+Origin: backport, http://sourceforge.net/p/openslp/mercurial/ci/2bc15d0494f886d9c4fe342d23bc160605aea51d/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795429
+
+Index: openslp-dfsg-1.2.1/slpd/slpd_knownda.c
+===================================================================
+--- openslp-dfsg-1.2.1.orig/slpd/slpd_knownda.c 2005-02-08 00:34:31.000000000 -0500
++++ openslp-dfsg-1.2.1/slpd/slpd_knownda.c 2015-08-28 15:27:26.098428039 -0400
+@@ -823,15 +823,15 @@
+ */
+ SLPDLogDAAdvertisement("Removed",entry);
+ }
++ /* If we are here, we need to cleanup the message descriptor and the */
++ /* message buffer because they were not added to the database and not */
++ /* cleaning them up would result in a memory leak. This is because we */
++ /* return zero, so the caller thinks it must not do the cleanup. */
++ SLPMessageFree(msg);
++ SLPBufferFree(buf);
+ }
+
+ CLEANUP:
+- /* If we are here, we need to cleanup the message descriptor and the */
+- /* message buffer because they were not added to the database and not */
+- /* cleaning them up would result in a memory leak */
+- /* We also need to make sure the Database handle is closed. */
+- SLPMessageFree(msg);
+- SLPBufferFree(buf);
+ if (dh) SLPDatabaseClose(dh);
+
+ return result;
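Review bot: the relocated `SLPMessageFree(msg);` / `SLPBufferFree(buf);` now run only in the branch that ends at the `}` just before `CLEANUP:`, so the fix is correct only if every `goto CLEANUP` path in SLPDKnownDAAdd() returns a nonzero result (per the new comment, the caller then does the cleanup) and no path reaches `return result;` with a zero result while msg and buf are still unfreed, which would reintroduce the leak the removed comment describes. The hunk shows neither the assignments to `result` nor the other branches of the enclosing block, so please confirm this against the full 1.2.1 function rather than only the lines shown here, since the Origin line says this is a backport of a commit made against a different upstream tree. On the DEP-3 header, a `Last-Update:` field would help future rebases.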
diff -Nru openslp-dfsg-1.2.1/debian/patches/series openslp-dfsg-1.2.1/debian/patches/series
--- openslp-dfsg-1.2.1/debian/patches/series 2014-07-25 10:14:50.000000000 -0400
+++ openslp-dfsg-1.2.1/debian/patches/series 2015-08-28 15:23:23.000000000 -0400
@@ -4,3 +4,4 @@
fix-typo.patch
fix-automake-cond-spelling.patch
CVE-2012-4428.patch
+CVE-2015-5177.patch
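As an added illustration, not OpenSLP code and not part of this bug report, the following C program models the ownership contract that the patch comment states: the callee returns zero when it has dealt with the message and buffer (stored them or freed them) and nonzero when the caller must free them. It places the pre-patch layout (frees at the CLEANUP label on every path) beside the post-patch layout (frees only on the zero-return, nothing-stored path) and counts double frees and leaks under a caller that follows the contract. The names `Msg`, `Buf`, `Db`, `DA_ALIVE`, `DA_GOING_DOWN`, `known_da_add_before`, `known_da_add_after`, `dispatch` and `run_scenario` are hypothetical stand-ins chosen for the example; only the shape of the control flow (early return on store, `goto CLEANUP` on error) follows the hunk above.

```c
/* Added example, not OpenSLP code: a model of the callee/caller ownership
 * contract behind the CVE-2015-5177 fix. All type and function names here
 * are hypothetical stand-ins for SLPMessage, SLPBuffer and SLPDatabase. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int freed; } Msg;                      /* stand-in for SLPMessage */
typedef struct { int freed; } Buf;                      /* stand-in for SLPBuffer  */
typedef struct { Msg *msg; Buf *buf; int open; } Db;    /* one-slot "known DA" database */

enum { DA_ALIVE = 0, DA_GOING_DOWN = 1 };               /* what the DAAdvert says */

static int g_double_frees;                              /* frees of an already-freed object */

static void msg_free(Msg *m) { if (m) { if (m->freed) g_double_frees++; m->freed = 1; } }
static void buf_free(Buf *b) { if (b) { if (b->freed) g_double_frees++; b->freed = 1; } }

/* Pre-patch layout: CLEANUP frees msg/buf on every path that reaches it,
 * including the error path on which the caller frees them as well. */
static int known_da_add_before(Db *db, Msg *msg, Buf *buf, int da_state, int fail_open)
{
    int result = 0;
    Db *dh = fail_open ? NULL : db;
    if (dh == NULL) {
        result = -1;            /* database could not be opened: caller cleans up */
        goto CLEANUP;
    }
    dh->open = 1;
    if (da_state == DA_ALIVE) {
        dh->msg = msg;          /* ownership moves into the database */
        dh->buf = buf;
        dh->open = 0;
        return 0;
    }
    /* DA going down: nothing stored, fall through to release the objects */
CLEANUP:
    msg_free(msg);              /* BUG: also runs after goto CLEANUP with result != 0 */
    buf_free(buf);
    if (dh) dh->open = 0;
    return result;
}

/* Post-patch layout: free only on the zero-return path where nothing was
 * stored; CLEANUP only closes the database handle. */
static int known_da_add_after(Db *db, Msg *msg, Buf *buf, int da_state, int fail_open)
{
    int result = 0;
    Db *dh = fail_open ? NULL : db;
    if (dh == NULL) {
        result = -1;
        goto CLEANUP;
    }
    dh->open = 1;
    if (da_state == DA_ALIVE) {
        dh->msg = msg;
        dh->buf = buf;
        dh->open = 0;
        return 0;
    }
    /* Not added to the database and we return zero, so the caller will not
     * free them: release here, otherwise they leak. */
    msg_free(msg);
    buf_free(buf);
CLEANUP:
    if (dh) dh->open = 0;
    return result;
}

/* Caller side of the contract: a nonzero return means it still owns msg/buf. */
static int dispatch(int (*add)(Db *, Msg *, Buf *, int, int),
                    Db *db, Msg *msg, Buf *buf, int da_state, int fail_open)
{
    int rc = add(db, msg, buf, da_state, fail_open);
    if (rc != 0) { msg_free(msg); buf_free(buf); }
    return rc;
}

/* Runs one scenario from a clean state. Returns the number of double frees;
 * *leaks receives the number of objects that were neither stored nor freed. */
int run_scenario(int use_fixed, int da_state, int fail_open, int *leaks)
{
    Msg msg = {0};
    Buf buf = {0};
    Db db = {0};
    g_double_frees = 0;
    dispatch(use_fixed ? known_da_add_after : known_da_add_before,
             &db, &msg, &buf, da_state, fail_open);
    *leaks = (db.msg != &msg && !msg.freed) + (db.buf != &buf && !buf.freed);
    return g_double_frees;
}

int scenario_double_frees(int use_fixed, int da_state, int fail_open)
{ int leaks; return run_scenario(use_fixed, da_state, fail_open, &leaks); }

int scenario_leaks(int use_fixed, int da_state, int fail_open)
{ int leaks; run_scenario(use_fixed, da_state, fail_open, &leaks); return leaks; }

int main(void)
{
    printf("before, open fails: double frees = %d\n", scenario_double_frees(0, DA_ALIVE, 1));
    printf("after,  open fails: double frees = %d leaks = %d\n",
           scenario_double_frees(1, DA_ALIVE, 1), scenario_leaks(1, DA_ALIVE, 1));
    printf("after,  DA going down: leaks = %d\n", scenario_leaks(1, DA_GOING_DOWN, 0));
    return 0;
}
```

The pre-patch layout only misbehaves on the error path: the "DA going down" case frees exactly once in both layouts, which is why the bug is reachable through a failing SLPDKnownDAAdd() rather than through normal advertisements. The `leaks` count is the check that the relocated frees did not trade the double free for the leak the removed comment warned about.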