SB2017020216 - Out-of-bounds read in libevent (Alpine package)
Published: February 2, 2017
Security Bulletin ID: SB2017020216
Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bounds read (CVE-ID: CVE-2016-10197)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the search_make_new() function in evdns.c within the libevent library before 2.1.6-beta. A remote attacker can trigger an out-of-bounds read and gain access to sensitive system memory.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
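As an added illustration, not part of this bulletin and not libevent's own code, the following C snippet re-creates the boundary-error pattern in simplified form: a helper joins a host name with a search-list domain and inspects base_name[base_len - 1] to decide whether a separating dot is needed, so an empty name makes that index wrap and read before the buffer. The function names and join logic are assumptions; the empty-name guard shows the kind of check that closes the read.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Pre-fix pattern (hypothetical re-creation): indexes base_name[base_len - 1]
 * unconditionally. When base_len == 0 the index wraps to SIZE_MAX, which is
 * base_name[-1]: an out-of-bounds read of the byte before the buffer.
 * Only ever call this with a non-empty string. */
int ends_with_dot_unchecked(const char *base_name)
{
    size_t base_len = strlen(base_name);
    return base_name[base_len - 1] == '.';   /* OOB read if base_len == 0 */
}

/* Hardened form: reject the empty name before indexing, then join
 * "<base_name>[.]<domain>" into a freshly allocated string (caller frees).
 * Returns NULL on an empty name or allocation failure. */
char *search_make_new_fixed(const char *base_name, const char *domain)
{
    size_t base_len = strlen(base_name);
    size_t dom_len = strlen(domain);
    int need_dot;
    char *out;

    if (base_len == 0)
        return NULL;                         /* the missing boundary check */
    need_dot = base_name[base_len - 1] != '.';

    out = malloc(base_len + (size_t)need_dot + dom_len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, base_name, base_len);
    if (need_dot)
        out[base_len] = '.';
    memcpy(out + base_len + need_dot, domain, dom_len + 1); /* copies NUL */
    return out;
}

int main(void)
{
    char *joined = search_make_new_fixed("host", "example.com");
    printf("%s\n", joined ? joined : "(null)");     /* host.example.com */
    free(joined);
    /* Constructed edge case: the empty name is now rejected, not read past. */
    printf("%s\n", search_make_new_fixed("", "example.com") == NULL
                   ? "empty name rejected" : "unexpected");
    return 0;
}
```

Building with -fsanitize=address and calling the unchecked helper on "" reports the one-byte underflow, which is a quick way to confirm a patched build no longer contains the pattern.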
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=fb29aea7b5093b746bf012e92b9fc65c967dfef6
- https://git.alpinelinux.org/aports/commit/?id=4c85a04d263a2e7f1e4bdf0f71287ab31734d04f
- https://git.alpinelinux.org/aports/commit/?id=99589481b5da0518d7bf8bf51364997e4fe6f851
- https://git.alpinelinux.org/aports/commit/?id=8b9e6e1ff866811f2c239901ce1e30c2887ee430
- https://git.alpinelinux.org/aports/commit/?id=3c80c2b8ba89beb95eac7b5c221a8c618eb084f3
- https://git.alpinelinux.org/aports/commit/?id=a2d8297fdbd08e8dcfc76244abd83ad49f3659cc