CVE-2014-6272

Publication date 6 January 2015

Last updated 24 July 2024

Ubuntu priority

Multiple integer overflows in the evbuffer API in Libevent 1.4.x before 1.4.15, 2.0.x before 2.0.22, and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the (1) evbuffer_add, (2) evbuffer_expand, or (3) bufferevent_write function, which triggers a heap-based buffer overflow or an infinite loop. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2015-6525 for the functions that are only affected in 2.0 and later.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libevent	14.10 utopic	Fixed 2.0.21-stable-1ubuntu1.14.10.1
	14.04 LTS trusty	Fixed 2.0.21-stable-1ubuntu1.14.04.1
	12.04 LTS precise	Fixed 2.0.16-stable-1ubuntu0.1
	10.04 LTS lucid	Fixed 1.4.13-stable-1ubuntu0.1

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libevent	Upstream: 7b21c4e Upstream: 20d6d44 Upstream: 841ecbd Vendor: https://www.debian.org/security/2015/dsa-3119

References

Related Ubuntu Security Notices (USN)

USN-2477-1
libevent vulnerability
19 January 2015

CVE-2014-6272

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references