• [gentoo-announce] [ GLSA 202208-18 ] Motion: Denial of service

    From glsamaker@gentoo.org@21:1/5 to All on Thu Aug 11 01:00:02 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202208-18
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Low
    Title: Motion: Denial of service
    Date: August 10, 2022
    Bugs: #760714
    ID: 202208-18

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability in Motion allows a remote attacker to cause denial of
    service.

    Background
    ==========

    Motion is a program that monitors the video signal from one or more
    cameras and is able to detect motions.

    Affected packages
    =================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
      1  media-video/motion       < 4.3.2                    >= 4.3.2

    Description
    ===========

    The Motion HTTP server does not correctly perform URL decoding. If the
    HTTP server receives a request for a URL containing an incomplete
    percent-encoded character, a flaw in parsing results in an infinite
    loop trying to parse the rest of the character, which eventually
    results in a denial of service condition when reading out-of-bounds.

    Impact
    ======

    A remote attacker can trigger a denial of service condition in Motion.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Motion users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-video/motion-4.3.2"

    References
    ==========

    [ 1 ] CVE-2020-26566
    https://nvd.nist.gov/vuln/detail/CVE-2020-26566

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202208-18

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5