[Secure-testing-team] Bug#855588: memory leak could lead to Denial Of Service

Antoine Beaupre anarcat at debian.org
Mon Feb 20 14:40:18 UTC 2017


Package: atheme-services
Version: 7.2.7
Severity: grave
Tags: security

Upstream changelog says:

    This is a security release closing a memory leak that could be
    exploited by attackers to potentially cause a denial of
    service. Release 7.2.7 is affected; older releases are
    unaffected. See #539 for technical information.

The upstream issue is https://github.com/atheme/atheme/pull/539 and
doesn't have many more details.

The patch is:

https://github.com/atheme/atheme/pull/539/commits/a80355d2971f6453ef9c6c9507e8f0d16e55dd0f

But then the fun part is that the fix introduced yet another DoS,
which led to the release of 7.2.9:

    This is a security release fixing use after free that could
    potentially be abused by an attacker already having the privilege
    to use SASL impersonation to cause a denial of service. Users of
    7.2.8 should update to version 7.2.9; older releases are not
    affected.

Not sure if those issues should be treated separately, but since 7.2.8
wasn't packaged yet, maybe it's fine to have a single issue about
this.

A CVE was requested, but it is unclear where or if there was a
response:

https://github.com/atheme/atheme/pull/539#issuecomment-278204870

A.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)