FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libevent -- multiple vulnerabilities

Affected packages
libevent < 2.1.6
libevent2 < 2.1.6
linux-c6-libevent2 < 2.1.6
linux-c7-libevent < 2.1.6

Details

VuXML ID b8ee7a81-a879-4358-9b30-7dd1bd4c14b1
Discovery 2017-01-31
Entry 2017-04-19

Debian Security reports:

CVE-2016-10195: The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the label_len variable, which triggers an out-of-bounds stack read.

CVE-2016-10196: Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument.

CVE-2016-10197: The search_make_new function in evdns.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (out-of-bounds read) via an empty hostname.

References

CVE Name CVE-2016-10195
CVE Name CVE-2016-10196
CVE Name CVE-2016-10197
URL http://www.openwall.com/lists/oss-security/2017/01/31/17
URL https://github.com/libevent/libevent/issues/317
URL https://github.com/libevent/libevent/issues/318
URL https://github.com/libevent/libevent/issues/332
URL https://github.com/libevent/libevent/issues/335