CVE-2014-6272

Multiple integer overflows in the evbuffer API in Libevent 1.4.x before 1.4.15, 2.0.x before 2.0.22, and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the (1) evbuffer_add, (2) evbuffer_expand, or (3) bufferevent_write function, which triggers a heap-based buffer overflow or an infinite loop.  NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2015-6525 for the functions that are only affected in 2.0 and later.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
debianCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
VendorProductVersion
debiandebian_linux
7.0
libevent_projectlibevent
1.4.0
libevent_projectlibevent
1.4.1
libevent_projectlibevent
1.4.2
libevent_projectlibevent
1.4.3
libevent_projectlibevent
1.4.4
libevent_projectlibevent
1.4.5
libevent_projectlibevent
1.4.6
libevent_projectlibevent
1.4.7
libevent_projectlibevent
1.4.8
libevent_projectlibevent
1.4.9
libevent_projectlibevent
1.4.10
libevent_projectlibevent
1.4.11
libevent_projectlibevent
1.4.12
libevent_projectlibevent
1.4.13
libevent_projectlibevent
1.4.14
libevent_projectlibevent
2.0.1
libevent_projectlibevent
2.0.2
libevent_projectlibevent
2.0.3
libevent_projectlibevent
2.0.4
libevent_projectlibevent
2.0.5
libevent_projectlibevent
2.0.6
libevent_projectlibevent
2.0.7
libevent_projectlibevent
2.0.8
libevent_projectlibevent
2.0.9
libevent_projectlibevent
2.0.10
libevent_projectlibevent
2.0.11
libevent_projectlibevent
2.0.12
libevent_projectlibevent
2.0.13
libevent_projectlibevent
2.0.14
libevent_projectlibevent
2.0.15
libevent_projectlibevent
2.0.16
libevent_projectlibevent
2.0.17
libevent_projectlibevent
2.0.18
libevent_projectlibevent
2.0.19
libevent_projectlibevent
2.0.20
libevent_projectlibevent
2.0.21
libevent_projectlibevent
2.1.1
libevent_projectlibevent
2.1.2
libevent_projectlibevent
2.1.3
libevent_projectlibevent
2.1.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libevent
bullseye
2.1.12-stable-1
fixed
bookworm
2.1.12-stable-8
fixed
sid
2.1.12-stable-10
fixed
trixie
2.1.12-stable-10
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libevent
utopic
Fixed 2.0.21-stable-1ubuntu1.14.10.1
released
trusty
Fixed 2.0.21-stable-1ubuntu1.14.04.1
released
precise
Fixed 2.0.16-stable-1ubuntu0.1
released
lucid
Fixed 1.4.13-stable-1ubuntu0.1
released
Common Weakness Enumeration
References
http://archives.seul.org/libevent/users/Jan-2015/msg00010.html
http://www.debian.org/security/2015/dsa-3119
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.366317
https://puppet.com/security/cve/CVE-2014-6272
http://archives.seul.org/libevent/users/Jan-2015/msg00010.html
http://www.debian.org/security/2015/dsa-3119
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.366317
https://puppet.com/security/cve/CVE-2014-6272