CVE-2019-7732
Published: 11 February 2019
In Live555 0.95, a setup packet can cause a memory leak leading to DoS because, when there are multiple instances of a single field (username, realm, nonce, uri, or response), only the last instance can ever be freed.
Notes
Author | Note |
---|---|
ebarretto | According to upstream: Actually, this is not a memory leak. The parameters to “parseAuthorizationHeader()” are reference parameters (to pointers). The allocated memory is passed back to the calling function, which ends up deleting them all. So, there’s no bug here. |
Priority
Status
Package | Release | Status |
---|---|---|
liblivemedia | bionic | Ignored |
liblivemedia | cosmic | Ignored (end of life) |
liblivemedia | disco | Ignored |
liblivemedia | trusty | Does not exist (trusty was needs-triage) |
liblivemedia | upstream | Needs triage |
liblivemedia | xenial | Ignored |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |