Bug 1158251 - (CVE-2019-5163) VUL-1: CVE-2019-5163: shadowsocks-lib: exploitable denial-of-service vulnerability exists in the UDPRelay functionality
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.0
Priority: P4 - Low, Severity: Minor
Assigned To: Hillwood Yang
https://smash.suse.de/issue/248187/
Reported: 2019-12-03 09:02 UTC by Robert Frohl
Modified: 2020-01-29 23:38 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2019-12-03 09:02:39 UTC
CVE-2019-5163

An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2.
When utilizing a Stream Cipher and a local_address, arbitrary UDP packets can cause a FATAL error code path and
exit. An attacker can send arbitrary UDP packets to trigger this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5163
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5163.html
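
The failure mode in the description, as an added C illustration that is not part of the original report and is not shadowsocks-libev source: a receive path that treats a malformed remote datagram as fatal, beside one that counts and drops it. The datagram layout (type byte, length byte, payload) and all function names are hypothetical.

```c
/* Added illustration: NOT shadowsocks-libev source. The datagram layout
 * (1-byte type, 1-byte length, payload) and all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

enum pkt_result { PKT_OK = 0, PKT_DROPPED = 1 };

/* Validate one untrusted datagram; returns 0 if well formed, -1 otherwise. */
static int decode_datagram(const uint8_t *buf, size_t len)
{
    if (len < 2) return -1;                    /* too short for the header */
    if (buf[0] != 0x01) return -1;             /* unknown type byte */
    if ((size_t)buf[1] != len - 2) return -1;  /* declared length mismatch */
    return 0;
}

/* Anti-pattern matching the report: a decode failure on remote input takes
 * a fatal path, so any sender who can reach the port stops the service. */
void handle_datagram_fatal(const uint8_t *buf, size_t len)
{
    if (decode_datagram(buf, len) != 0) {
        fprintf(stderr, "FATAL: invalid datagram\n");
        exit(EXIT_FAILURE);
    }
}

/* Hardened form: count and drop the bad datagram, then keep serving. */
static unsigned long dropped_total;
enum pkt_result handle_datagram_drop(const uint8_t *buf, size_t len)
{
    if (decode_datagram(buf, len) != 0) {
        dropped_total++;    /* expose as a metric and alert on spikes */
        return PKT_DROPPED;
    }
    return PKT_OK;
}

unsigned long dropped_count(void) { return dropped_total; }

int main(void)
{
    const uint8_t good[] = { 0x01, 0x02, 'h', 'i' };  /* constructed sample */
    const uint8_t junk[] = { 0xff, 0x7f, 0x00 };      /* constructed sample */
    handle_datagram_drop(junk, sizeof junk);
    handle_datagram_drop(good, sizeof good);
    printf("dropped=%lu, still running\n", dropped_count());
    return 0;
}
```
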
Comment 1 Robert Frohl 2019-12-03 09:07:05 UTC
This actually only affects openSUSE.
Comment 2 Robert Frohl 2019-12-03 09:21:04 UTC
Fixed by version 3.3.3 [0]. Therefore only still relevant for Leap:15.0 and Leap:15.1.


[0] https://github.com/shadowsocks/shadowsocks-libev/issues/2536
Comment 3 Swamp Workflow Management 2019-12-03 14:20:10 UTC
This is an autogenerated message for OBS integration:
This bug (1158251) was mentioned in
https://build.opensuse.org/request/show/753248 15.0 / shadowsocks-libev
https://build.opensuse.org/request/show/753255 15.1 / shadowsocks-libev
Comment 4 Swamp Workflow Management 2019-12-05 02:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1158251) was mentioned in
https://build.opensuse.org/request/show/754211 15.1 / shadowsocks-libev
Comment 5 Swamp Workflow Management 2019-12-11 14:13:39 UTC
openSUSE-SU-2019:2667-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1158251,1158365
CVE References: CVE-2019-5163,CVE-2019-5164
Sources used:
openSUSE Leap 15.1 (src):    shadowsocks-libev-3.3.3-lp151.2.3.1
Comment 6 Hillwood Yang 2020-01-13 07:12:48 UTC
Fixed.
Comment 7 Swamp Workflow Management 2020-01-16 04:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1158251) was mentioned in
https://build.opensuse.org/request/show/764828 Factory / shadowsocks-libev
Comment 8 Swamp Workflow Management 2020-01-29 20:36:08 UTC
openSUSE-SU-2020:0142-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1158251,1158365
CVE References: CVE-2019-5163,CVE-2019-5164
Sources used:
openSUSE Backports SLE-15-SP1 (src):    shadowsocks-libev-3.3.3-bp151.5.3.1