
Bug#795429: CVE-2015-5177



Package: openslp-dfsg
Version: 1.2.1-10
Followup-For: Bug #795429
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu wily ubuntu-patch




In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service via double free flaw
    - debian/patches/CVE-2015-5177.patch: fix double free if
      SLPDKnownDAAdd() fails in slpd/slpd_knownda.c.
    - CVE-2015-5177


Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid-proposed'), (500, 'vivid'), (100, 'vivid-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-27-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru openslp-dfsg-1.2.1/debian/changelog openslp-dfsg-1.2.1/debian/changelog
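Review bot: the diff header for debian/changelog has no hunk under it, so the new changelog entry (version, target distribution and the CVE-2015-5177 reference) cannot be reviewed from this mail; please attach the complete debdiff or confirm the hunk was dropped when the report was generated.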
diff -Nru openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch
--- openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch	1969-12-31 19:00:00.000000000 -0500
+++ openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch	2015-08-28 15:29:54.000000000 -0400
@@ -0,0 +1,30 @@
+Description: fix denial of service via double free flaw
+Origin: backport, http://sourceforge.net/p/openslp/mercurial/ci/2bc15d0494f886d9c4fe342d23bc160605aea51d/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795429
+
+Index: openslp-dfsg-1.2.1/slpd/slpd_knownda.c
+===================================================================
+--- openslp-dfsg-1.2.1.orig/slpd/slpd_knownda.c	2005-02-08 00:34:31.000000000 -0500
++++ openslp-dfsg-1.2.1/slpd/slpd_knownda.c	2015-08-28 15:27:26.098428039 -0400
+@@ -823,15 +823,15 @@
+              */
+             SLPDLogDAAdvertisement("Removed",entry);
+         }
++        /* If we are here, we need to cleanup the message descriptor and the  */
++        /* message buffer because they were not added to the database and not */
++        /* cleaning them up would result in a memory leak. This is because we */
++        /* return zero, so the caller thinks it must not do the cleanup.      */
++        SLPMessageFree(msg);
++        SLPBufferFree(buf);
+     }
+ 
+     CLEANUP:
+-    /* If we are here, we need to cleanup the message descriptor and the  */
+-    /* message buffer because they were not added to the database and not */
+-    /* cleaning them up would result in a memory leak                     */
+-    /* We also need to make sure the Database handle is closed.           */
+-    SLPMessageFree(msg);
+-    SLPBufferFree(buf);
+     if (dh) SLPDatabaseClose(dh);
+ 
+     return result;
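Review bot: the frees that this hunk moves (SLPMessageFree(msg) and SLPBufferFree(buf), now placed just before the closing brace above the CLEANUP label) run only when control falls through that block, so every path that reaches CLEANUP via a goto no longer frees msg and buf. That is correct only if each of those early-exit paths returns a non-zero result so that the caller performs the cleanup, as the new comment asserts; the hunk does not show where result is set on those paths, so please confirm against the full slpd_knownda.c (the upstream changeset named in the Origin line is the reference) that no goto CLEANUP path returns zero, otherwise the double free is traded for a leak. Minor: the removed comment line "We also need to make sure the Database handle is closed." still describes the remaining `if (dh) SLPDatabaseClose(dh);` and could be kept at the label.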
diff -Nru openslp-dfsg-1.2.1/debian/patches/series openslp-dfsg-1.2.1/debian/patches/series
--- openslp-dfsg-1.2.1/debian/patches/series	2014-07-25 10:14:50.000000000 -0400
+++ openslp-dfsg-1.2.1/debian/patches/series	2015-08-28 15:23:23.000000000 -0400
@@ -4,3 +4,4 @@
 fix-typo.patch
 fix-automake-cond-spelling.patch
 CVE-2012-4428.patch
+CVE-2015-5177.patch
