oss-sec mailing list archives
Re: MaraDNS 1.4.06 and 1.3.07.11 released
From: Raphael Geissert <geissert () debian org>
Date: Fri, 18 Mar 2011 12:52:32 -0600
On Friday 18 March 2011 12:11:15 Vincent Danen wrote:
* [2011-01-29 22:21:08 -0700] Sam Trenholme wrote:In 2002, when I rewrote the compression code for MaraDNS for the first time, I made a mistake in allocating an array of integers, allocating it in bytes instead of sizeof(int) units. The resulted in a buffer being too small, allowing it to be overwritten. The impact of this programming error is that MaraDNS can be crashed by sending MaraDNS a single "packet of death". Since the data placed in the overwritten array can not be remotely controlled (it is a list of increasing integers), there is no way to increase privileges exploiting this bug. The attached patch resolves this issue by allocating in sizeof(int) units instead of byte-sized units for an integer array. In addition, it uses a smaller array because a DNS name can only have, at most, 128 labels.Was a CVE name ever assigned to this issue?
Yes, Josh assigned CVE-2011-0520. (his message is also recorded on the Debian bug you CC'ed) Regards, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Current thread:
- MaraDNS 1.4.06 and 1.3.07.11 released Sam Trenholme (Jan 29)
- Re: MaraDNS 1.4.06 and 1.3.07.11 released Tomas Hoger (Jan 31)
- Re: MaraDNS 1.4.06 and 1.3.07.11 released Vincent Danen (Mar 18)
- Re: MaraDNS 1.4.06 and 1.3.07.11 released Raphael Geissert (Mar 18)
- Re: MaraDNS 1.4.06 and 1.3.07.11 released Vincent Danen (Mar 18)
- Re: MaraDNS 1.4.06 and 1.3.07.11 released Raphael Geissert (Mar 18)