SB2018060607 - Denial of service in Liblouis

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Segmentation fault (CVE-ID: CVE-2018-11577)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to boundary error in the lou_logPrint function, as defined in the logging.c source code file. A remote attacker can send a specially crafted request that submits malicious input, trigger memory corruption and segmentation fault and cause the service to crash.

2) Stack-based buffer overflow (CVE-ID: CVE-2018-11440)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to stack-based buffer overflow in the parseChars function, as defined in the compileTranslationTable.csource code file, during table parsing operations. A remote attacker can send a specially crafted request that submits malicious input, trigger memory corruption and cause the service to crash.

3) Invalid free condition (CVE-ID: CVE-2018-11410)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to buffer overflow in the compileRule function, as defined in the compileTranslationTable.c source code file, during table parsing operations. A remote attacker can send a specially crafted request that submits malicious input, trigger memory corruption and invalid free condition and cause the service to crash.

4) Stack-based buffer overflow (CVE-ID: CVE-2018-11683)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to stack-based buffer overflow in the parseChars function, as defined in the compileTranslationTable.c source code file, during table parsing operations. A remote attacker can send a specially crafted request that submits malicious input, trigger memory corruption and cause the service to crash.

5) Stack-based buffer overflow (CVE-ID: CVE-2018-11684)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to stack-based buffer overflow in the includeFile function, as defined in the compileTranslationTable.c source code file, during table parsing operations. A remote attacker can send a specially crafted request that submits malicious input, trigger memory corruption and cause the service to crash.

6) Stack-based buffer overflow (CVE-ID: CVE-2018-11685)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to stack-based buffer overflow in the compileHyphenation function, as defined in the compileTranslationTable.c source code file, during table parsing operations. A remote attacker can send a specially crafted request that submits malicious input, trigger memory corruption and cause the service to crash.

Remediation

Install update from vendor's website.

References

• https://github.com/liblouis/liblouis/issues/582
• https://github.com/liblouis/liblouis/issues/575
• https://github.com/liblouis/liblouis/issues/573
• https://github.com/liblouis/liblouis/issues/591
• https://github.com/liblouis/liblouis/issues/592
• https://github.com/liblouis/liblouis/issues/593