oss-sec mailing list archives

CVE Request uclibc-ng dns resolver issues


From: Daniel Fahlgren <daniel () fahlgren se>
Date: Fri, 05 Feb 2016 15:26:35 +0100

Hi,

Uclibc-ng 1.0.12 has been released which fixes some issues found in the
dns resolver code.

The first is a denial of service while parsing compressed items. An
attacker can make the application end up in an infinite loop. Fixed by:

http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515

The other problem is that a crafted packet will make the parser
terminate early. The buffer is never initialized and is later passed to
strdup(). Fixed by:

http://repo.or.cz/uclibc-ng.git/commit/bb01edff0377f2585ce304ecbadcb7b6cde372ac

Can one or two CVEs be assigned for these issues?

Best regards,
Daniel Fahlgren
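
Added example, not part of the original post and not uClibc-ng's code or its fix: a small C decoder for compressed DNS names that guards against both bug classes described in the message, by bounding pointer hops so a cycle cannot spin forever and by NUL-terminating the output before any early exit so a later strdup() reads defined data. The name decode_name and both sample packets are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed samples (12-byte zero header first). LOOP_MSG: a pointer at
 * offset 12 that targets itself. GOOD_MSG: "a.bc" at 12, pointer to it at 18. */
static const unsigned char LOOP_MSG[14] = { [12] = 0xC0, 0x0C };
static const unsigned char GOOD_MSG[20] = { [12] = 1, 'a', 2, 'b', 'c', 0, 0xC0, 0x0C };

/* Hypothetical helper: decode the name at msg[off] into dst as dotted text.
 * Returns bytes consumed at off, or -1 on malformed input. dst is always
 * NUL-terminated, so a caller that strdup()s it never reads garbage. */
int decode_name(const unsigned char *msg, size_t msglen, size_t off,
                char *dst, size_t dstlen)
{
    size_t start = off, used = 0, hops = 0;
    int consumed = -1;               /* fixed when the first pointer is seen */
    if (dstlen == 0)
        return -1;
    dst[0] = '\0';                   /* initialize before any early exit */
    while (off < msglen) {
        unsigned len = msg[off];
        if ((len & 0xC0) == 0xC0) {  /* compression pointer */
            if (off + 1 >= msglen || ++hops > msglen / 2)
                break;               /* truncated pointer, or a pointer cycle */
            if (consumed < 0)
                consumed = (int)(off + 2 - start);
            off = ((len & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (len == 0)                /* root label: name complete */
            return consumed < 0 ? (int)(off + 1 - start) : consumed;
        if ((len & 0xC0) || off + 1 + len > msglen || used + len + 2 > dstlen)
            break;                   /* reserved type, truncated, or too long */
        if (used)
            dst[used++] = '.';
        memcpy(dst + used, msg + off + 1, len);
        used += len;
        dst[used] = '\0';
        off += 1 + len;
    }
    dst[0] = '\0';                   /* failure: never hand back partial data */
    return -1;
}

int main(void)
{
    char name[256];
    printf("%d\n", decode_name(LOOP_MSG, sizeof LOOP_MSG, 12, name, sizeof name));
    printf("%d %s\n", decode_name(GOOD_MSG, sizeof GOOD_MSG, 18, name, sizeof name), name);
    return 0;
}
```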

