CVE-2019-7732
Published: 11 February 2019
In Live555 0.95, a setup packet can cause a memory leak leading to DoS because, when there are multiple instances of a single field (username, realm, nonce, uri, or response), only the last instance can ever be freed.
Notes
| Author | Note |
|---|---|
| ebarretto | According to upstream: Actually, this is not a memory leak. The parameters to “parseAuthorizationHeader()” are reference parameters (to pointers). The allocated memory is passed back to the calling function, which ends up deleting them all. So, there’s no bug here. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
liblivemedia Launchpad, Ubuntu, Debian |
bionic |
Ignored
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Ignored
|
|
| trusty |
Does not exist
(trusty was needs-triage)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |