So the reporter specifically asked us to handle disclosure just now, so here you go:
Qinghao Tang of QIHU 360 reports:
The function lookupProviders() in sblim-sfcb versions 1.3.4 and 1.3.18 has a null dereference vulnerability; a remote attacker can cause a denial of service (sblim-sfcb crash) via a crafted packet without "className" info.
Let's see how this issue happened; the code below is from
./sblim-sfcb-1.3.18/providerMgr.c:
    static UtilList *lookupProviders(long type, char *className, char *nameSpace,
                                     CMPIStatus *st)
    {
       UtilList *lst;
       UtilHashTable **ht=provHt(type,1);
       char *id;
       int rc;
       _SFCB_ENTER(TRACE_PROVIDERMGR, "lookupProviders");
       // here, className should be checked
       id=(char*)malloc(strlen(nameSpace)+strlen(className)+8);
       strcpy(id,nameSpace);
       strcat(id,"|");
       ...
    }
Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5185
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
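
An added example, not part of the original post and not sblim-sfcb's own code or fix: a stand-alone C sketch of the check the report's comment asks for, validating the request-derived strings before strlen() sees them. The helper name build_provider_id, the status enum and the "nameSpace|className" key layout are assumptions made for illustration (the quoted excerpt elides what follows the "|").

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for this sketch; not sblim-sfcb's CMPIStatus. */
enum id_status { ID_OK = 0, ID_MISSING_FIELD = 1, ID_NO_MEMORY = 2 };

/* Build the key "nameSpace|className" (assumed layout). Returns a malloc'd
 * string the caller frees, or NULL with *st set to the reason. */
static char *build_provider_id(const char *nameSpace, const char *className,
                               enum id_status *st)
{
    size_t nsLen, cnLen, need;
    char *id;

    /* A request that omits a field reaches this point as NULL: refuse it
     * here instead of letting strlen() dereference it. */
    if (nameSpace == NULL || className == NULL) {
        *st = ID_MISSING_FIELD;
        return NULL;
    }
    nsLen = strlen(nameSpace);
    cnLen = strlen(className);
    /* Guard the size computation against wrap-around. */
    if (cnLen > SIZE_MAX - 2 || nsLen > SIZE_MAX - 2 - cnLen) {
        *st = ID_NO_MEMORY;
        return NULL;
    }
    need = nsLen + 1 + cnLen + 1;          /* ns + '|' + cn + NUL */
    id = malloc(need);
    if (id == NULL) {
        *st = ID_NO_MEMORY;
        return NULL;
    }
    snprintf(id, need, "%s|%s", nameSpace, className);
    *st = ID_OK;
    return id;
}

int main(void)
{
    enum id_status st;
    /* Constructed inputs: one complete request, one without className. */
    char *ok = build_provider_id("root/cimv2", "CIM_ComputerSystem", &st);
    printf("complete request: %s (status %d)\n", ok ? ok : "(null)", st);
    free(ok);
    char *bad = build_provider_id("root/cimv2", NULL, &st);
    printf("missing className: %s (status %d)\n", bad ? bad : "(null)", st);
    return 0;
}
```

The caller maps ID_MISSING_FIELD to an error response for that one request, so the daemon keeps serving other clients.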