Ubuntu
libcommoncpp2 package

crash from invalid memset

Bug #1176058 reported by Tristan Matthews
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libcommoncpp2 (Debian)
Fix Released
Unknown
libcommoncpp2 (Ubuntu)
Incomplete
Undecided
Unassigned

Bug Description

When using commoncpp2 on 64 bit systems (as SFLphone does), if gethostbyname fails, libcommoncpp2 will cause a buffer overflow by doing an incorrect memset.
The memset in the buggy version is called using sizeof(ipaddr), where ipaddr is a pointer. What is intended is sizeof(struct inaddr), the type to which ipaddr points. The reason this bug only manifests itself on 64 bit systems is that sizeof(pointer) > sizeof(struct inaddr), whereas on 32 bit systems they are equal.

This has since been corrected upstream in commoncpp, but the bug remains in the libcommoncpp2 package. This affects SFLphone and any other application which depends on commoncpp.

This was previously reported to Debian:
http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/2012-November/022478.html

Tags: patch

Related branches

lp:~le-businessman/ubuntu/raring/libcommoncpp2/fix-for-1176058
James Page: Needs Fixing
Ubuntu branches: Pending requested
Diff: 44 lines (+24/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/inaddr-overflow.patch (+15/-0)
debian/patches/series (+1/-0)
Revision history for this message
Tristan Matthews (le-businessman) wrote :
information type: Private Security → Public Security
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "patch with corrected memset call" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in libcommoncpp2 (Ubuntu):
status: New → Incomplete
Bug Watch Updater (bug-watch-updater)
Changed in libcommoncpp2 (Debian):
status: Unknown → New
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I was willing to prepare the debdiff for this patch to sponsor it, but I could not verify the origin of the patch (checked with http://ftp.gnu.org/gnu/commoncpp/ which only has 1.8.1 and all through http://www.gnu.org/software/commoncpp/, which has surprisingly little). You stated that "This has since been corrected upstream in commoncpp", but I could not find it. Can you give a URL to a bug report or commit?

Revision history for this message
Tristan Matthews (le-businessman) wrote : Re: [Bug 1176058] Re: crash from invalid memset

On Fri, Jun 14, 2013 at 11:40 AM, Jamie Strandboge <email address hidden> wrote:
> I was willing to prepare the debdiff for this patch to sponsor it, but I
> could not verify the origin of the patch (checked with
> http://ftp.gnu.org/gnu/commoncpp/ which only has 1.8.1 and all through
> http://www.gnu.org/software/commoncpp/, which has surprisingly little).
> You stated that "This has since been corrected upstream in commoncpp",
> but I could not find it. Can you give a URL to a bug report or commit?

Yup, it's:

https://github.com/dyfet/ucommon/commit/d530ef040def990b2f44a9dc7da410f233cae2be

>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1176058
>
> Title:
> crash from invalid memset
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/libcommoncpp2/+bug/1176058/+subscriptions

--
Tristan Matthews
web: http://tristanswork.blogspot.com

Bug Watch Updater (bug-watch-updater)
Changed in libcommoncpp2 (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.