From ec6ddd9a35e4a0ced42216b989457ed630bb45b0 Mon Sep 17 00:00:00 2001 From: Vitezslav Crhonek Date: Wed, 9 May 2018 13:40:46 +0200 Subject: [PATCH] Fix heap memory corruption, CVE-2017-17833 --- openslp-2.0.0-cve-2017-17833.patch | 19 +++++++++++++++++++ openslp.spec | 11 ++++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 openslp-2.0.0-cve-2017-17833.patch diff --git a/openslp-2.0.0-cve-2017-17833.patch b/openslp-2.0.0-cve-2017-17833.patch new file mode 100644 index 0000000..eefce40 --- /dev/null +++ b/openslp-2.0.0-cve-2017-17833.patch @@ -0,0 +1,19 @@ +diff -up openslp-2.0.0/slpd/slpd_process.c.orig openslp-2.0.0/slpd/slpd_process.c +--- openslp-2.0.0/slpd/slpd_process.c.orig 2018-05-09 13:08:06.185104375 +0200 ++++ openslp-2.0.0/slpd/slpd_process.c 2018-05-09 13:07:21.017095089 +0200 +@@ -462,6 +462,15 @@ static int ProcessSrvRqst(SLPMessage * m + message->body.srvrqst.srvtype, 23, SLP_DA_SERVICE_TYPE) == 0) + { + errorcode = ProcessDASrvRqst(message, sendbuf, errorcode); ++ ++ if (result != *sendbuf) ++ { ++ // The pointer stored at *sendbuf can be modified by a realloc ++ // operation in ProcessDASrvRqst(). Fix up the local copy of ++ // that pointer if necessary. ++ result = *sendbuf; ++ } ++ + if (errorcode == 0) + { + /* Since we have an errorcode of 0, we were successful, diff --git a/openslp.spec b/openslp.spec index bb0cde9..0e51e0d 100644 --- a/openslp.spec +++ b/openslp.spec @@ -2,7 +2,7 @@ Summary: Open implementation of Service Location Protocol V2 Name: openslp Version: 2.0.0 -Release: 17%{?dist} +Release: 18%{?dist} License: BSD URL: http://sourceforge.net/projects/openslp/ @@ -26,6 +26,10 @@ Patch4: openslp-2.0.0-openssl-1.1-fix.patch # Patch5: fixes possible overflow in SLPFoldWhiteSpace, # backported from upstream, CVE-2016-7567 Patch5: openslp-2.0.0-cve-2016-7567.patch +# Patch6: fixes heap memory corruption in slpd/slpd_process.c, which allows +# denial of service or potentially code execution, +# backported form upstream, CVE-2017-17833 +Patch6: openslp-2.0.0-cve-2017-17833.patch BuildRequires: automake libtool BuildRequires: bison @@ -67,6 +71,7 @@ OpenSLP server daemon to dynamically register services. %patch3 -p1 -b .null-pointer-deref %patch4 -p1 -b .openssl-1.1-fix %patch5 -p1 -b .cve-2016-7567 +%patch6 -p1 -b .cve-2017-17833 # tarball goof (?), it wants to re-automake anyway, so let's do it right. #libtoolize --force @@ -170,6 +175,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la %changelog +* Wed May 09 2018 Vitezslav Crhonek - 2.0.0-18 +- Fix heap memory corruption, CVE-2017-17833 + Related: #1572166 + * Thu Feb 08 2018 Fedora Release Engineering - 2.0.0-17 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild