CVE-2014-6272

Name of the Vulnerable Software and Affected Versions Libevent versions 1.4.x through 1.4.14 Libevent versions 2.0.x through 2.0.21 Libevent versions 2.1.x through 2.1.4-beta

Description The issue is caused by multiple integer overflows in the evbuffer API, allowing context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the evbuffer add, evbuffer expand, or bufferevent write function. This can trigger a heap-based buffer overflow or an infinite loop. The vulnerability can be exploited by a remote attacker to cause a denial of service using large input data in the affected functions.

Recommendations For Libevent versions 1.4.x through 1.4.14, update to version 1.4.15 or later. For Libevent versions 2.0.x through 2.0.21, update to version 2.0.22 or later. For Libevent versions 2.1.x through 2.1.4-beta, update to version 2.1.5-beta or later. As a temporary workaround, consider restricting the input size to the evbuffer add, evbuffer expand, and bufferevent write functions to prevent large input data from being processed.