author: Craig Leres <leres@FreeBSD.org> 2019-05-31 19:17:59 +0000
committer: Craig Leres <leres@FreeBSD.org> 2019-05-31 19:17:59 +0000
commit: 0cdd6b2f5c01997540a65700b7e8d84ac56a92a4
tree: 7ac1c1815652085d7ce8dabc99cc94b4728feadb
parent: 37843c3ed083d1857a6957987e9e0df1e0854718
security/vuxml: Mark bro < 2.6.2 as vulnerable as per:

https://raw.githubusercontent.com/zeek/zeek/bb979702cf9a2fa67b8d1a1c7f88d0b56c6af104/NEWS

The issue is unsafe integer conversions that can cause unintentional code paths to be executed.

Reviewed by: ler (mentor)
Approved by: ler (mentor)
Security: CVE-2019-12175
Differential Revision: https://reviews.freebsd.org/D20481

-rw-r--r-- security/vuxml/vuln.xml 55
1 files changed, 55 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 12933ee0ece6..54b13fd38494 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,61 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="177fa455-48fc-4ded-ba1b-9975caa7f62a">
+ <topic>bro -- Unsafe integer conversions can cause unintentional code paths to be executed</topic>
+ <affects>
+ <package>
+ <name>bro</name>
+ <range><lt>2.6.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jon Siwek of Corelight reports:</p>
+ <blockquote cite="https://raw.githubusercontent.com/zeek/zeek/bb979702cf9a2fa67b8d1a1c7f88d0b56c6af104/NEWS">
+ <p>The following Denial of Service vulnerabilities are addressed:</p>
+ <ul>
+ <li>Integer type mismatches in BinPAC-generated parser code
+ and Bro analyzer code may allow for crafted packet data
+ to cause unintentional code paths in the analysis logic
+ to be taken due to unsafe integer conversions causing the
+ parser and analysis logic to each expect different fields
+ to have been parsed. One such example, reported by Maksim
+ Shudrak, causes the Kerberos analyzer to dereference a
+ null pointer. CVE-2019-12175 was assigned for this issue.</li>
+
+ <li>The Kerberos parser allows for several fields to be left
+ uninitialized, but they were not marked with an &amp;optional
+ attribute and several usages lacked existence checks.
+ Crafted packet data could potentially cause an attempt
+ to access such uninitialized fields, generate a runtime
+ error/exception, and leak memory. Existence checks and
+ &amp;optional attributes have been added to the relevent
+ Kerberos fields.</li>
+
+ <li>BinPAC-generated protocol parsers commonly contain fields
+ whose length is derived from other packet input, and for
+ those that allow for incremental parsing, BinPAC did not
+ impose a limit on how large such a field could grow,
+ allowing for remotely-controlled packet data to cause
+ growth of BinPAC's flowbuffer bounded only by the numeric
+ limit of an unsigned 64-bit integer, leading to memory
+ exhaustion. There is now a generalized limit for how
+ large flowbuffers are allowed to grow, tunable by setting
+ "BinPAC::flowbuffer_capacity_max".</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-12175</cvename>
+ </references>
+ <dates>
+ <discovery>2019-05-29</discovery>
+ <entry>2019-05-31</entry>
+ </dates>
+ </vuln>
+
<vuln vid="183d700e-ec70-487e-a9c4-632324afa934">
<topic>ImageMagick -- multiple vulnerabilities</topic>
<affects>
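
Review bot: The `<cvename>` in the new entry's `<references>` block reads CVE-2017-12175, while the quoted description in the same entry and the commit message's Security: line both give CVE-2019-12175. The year looks mistyped, and as committed the entry points readers and tooling at a different CVE identifier than the one the advisory text names. Suggest changing it to `<cvename>CVE-2019-12175</cvename>`. Separately, `<references>` carries only the CVE name; adding a `<url>` element for the NEWS file already given in the blockquote's cite attribute would make the upstream source reachable from the reference list as well.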