So the reporter specifically asked us to handle disclosure just now, sohere you go:


Qinghao Tang of QIHU 360 reports:

The function lookupProviders() in sblim-sfcb of version 1.3.4 and 1.3.18 exists a null dereference vulnerability , a remote attacher can cause a denial of servise (sblim-sfcb crash) via a crafted packet without "className" info.


Let`s see how this issue happened,the code below is from
./sblim-sfcb-1.3.18/providerMgr.c :


static UtilList *lookupProviders(long type, char *className, char
*nameSpace,
CMPIStatus *st)
{
UtilList *lst;
UtilHashTable **ht=provHt(type,1);
char *id;
int rc;

_SFCB_ENTER(TRACE_PROVIDERMGR, "lookupProviders");

//here, className should be checked
id=(char*)malloc(strlen(nameSpace)+strlen(className)+8);
strcpy(id,nameSpace);
strcat(id,"|");

...

}


Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5185



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud