oss-sec mailing list archives
Re: MaraDNS 1.4.06 and 1.3.07.11 released
From: Vincent Danen <vdanen () redhat com>
Date: Fri, 18 Mar 2011 13:05:38 -0600
* [2011-03-18 12:52:32 -0600] Raphael Geissert wrote:
> On Friday 18 March 2011 12:11:15 Vincent Danen wrote:
>> * [2011-01-29 22:21:08 -0700] Sam Trenholme wrote:
>>> In 2002, when I rewrote the compression code for MaraDNS for the first
>>> time, I made a mistake in allocating an array of integers, allocating
>>> it in bytes instead of sizeof(int) units. This resulted in a buffer
>>> being too small, allowing it to be overwritten.
>>>
>>> The impact of this programming error is that MaraDNS can be crashed by
>>> sending MaraDNS a single "packet of death". Since the data placed in
>>> the overwritten array can not be remotely controlled (it is a list of
>>> increasing integers), there is no way to increase privileges
>>> exploiting this bug.
>>>
>>> The attached patch resolves this issue by allocating in sizeof(int)
>>> units instead of byte-sized units for an integer array. In addition,
>>> it uses a smaller array because a DNS name can only have, at most, 128
>>> labels.
>>
>> Was a CVE name ever assigned to this issue?
>
> Yes, Josh assigned CVE-2011-0520.
> (his message is also recorded on the Debian bug you CC'ed)

Sorry, I should have looked at the Debian bug. I was looking at the GMANE archive and only saw Tomas' reply the next day, but no further followups.

Thanks!

--
Vincent Danen / Red Hat Security Response Team
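
The bug class described in the quoted announcement (an integer array sized in bytes rather than in sizeof(int) units), shown as an added example that is not MaraDNS code and not part of this thread. The function names, the sample name and the uncompressed-name offset recorder are hypothetical; the 128-label bound is the one stated in the announcement.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LABELS 128 /* the post's bound on labels in one DNS name */

/* Constructed sample: "www.example.com" in uncompressed wire format. */
static const unsigned char SAMPLE_NAME[] = {
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0
};

/* Flawed pattern: the element count is passed as the byte count. */
size_t flawed_alloc_size(size_t n_ints) { return n_ints; }

/* Corrected pattern: count * sizeof(int), refusing on multiplication overflow. */
size_t fixed_alloc_size(size_t n_ints) {
    if (n_ints > (size_t)-1 / sizeof(int)) return 0;
    return n_ints * sizeof(int);
}

/* Record the offset of every label in an uncompressed wire-format name.
 * Returns the label count, or -1 on malformed input or more than
 * MAX_LABELS labels. On success the caller frees *out. */
int label_offsets(const unsigned char *name, size_t len, int **out) {
    int *offs = calloc(MAX_LABELS, sizeof(int)); /* sized in int units */
    size_t pos = 0;
    int n = 0;
    if (offs == NULL) return -1;
    while (pos < len && name[pos] != 0) {
        size_t l = name[pos];
        /* Check the index before the write, never after it. */
        if (l > 63 || pos + 1 + l > len || n >= MAX_LABELS) {
            free(offs);
            return -1;
        }
        offs[n++] = (int)pos;
        pos += 1 + l;
    }
    if (pos >= len) { free(offs); return -1; } /* no terminating zero byte */
    *out = offs;
    return n;
}

int main(void) {
    int *offs = NULL;
    int n = label_offsets(SAMPLE_NAME, sizeof SAMPLE_NAME, &offs);
    printf("labels=%d flawed=%zu bytes fixed=%zu bytes\n", n,
           flawed_alloc_size(MAX_LABELS), fixed_alloc_size(MAX_LABELS));
    free(offs);
    return n == 3 ? 0 : 1;
}
```

Compression pointers are rejected here by the `l > 63` check, so the example covers only the allocation and bounds logic, not name decompression.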