Re: MaraDNS 1.4.06 and 1.3.07.11 released

[Vincent Danen <vdanen () redhat com>]

* [2011-03-18 12:52:32 -0600] Raphael Geissert wrote:

> On Friday 18 March 2011 12:11:15 Vincent Danen wrote:
> > * [2011-01-29 22:21:08 -0700] Sam Trenholme wrote:
> > >In 2002, when I rewrote the compression code for MaraDNS for the first
> > >time, I made a mistake in allocating an array of integers, allocating
> > >it in bytes instead of sizeof(int) units.  The resulted in a buffer
> > >being too small, allowing it to be overwritten.
> > >
> > >The impact of this programming error is that MaraDNS can be crashed by
> > >sending MaraDNS a single "packet of death".  Since the data placed in
> > >the overwritten array can not be remotely controlled (it is a list of
> > >increasing integers), there is no way to increase privileges
> > >exploiting this bug.
> > >
> > >The attached patch resolves this issue by allocating in sizeof(int)
> > >units instead of byte-sized units for an integer array.  In addition,
> > >it uses a smaller array because a DNS name can only have, at most, 128
> > >labels.
> >
> > Was a CVE name ever assigned to this issue?
>
> Yes, Josh assigned CVE-2011-0520.
> (his message is also recorded on the Debian bug you CC'ed)

Sorry, I should have looked at the Debian bug.  I was looking at the
GMANE archive and only saw Tomas' reply the next day, but no further
followups.

Thanks!

--
Vincent Danen / Red Hat Security Response Team