oss-sec mailing list archives
CVE request: MaraDNS DoS due to incorrect bounds checking on certain strings
From: Martin Prpic <mprpic () redhat com>
Date: Tue, 18 Feb 2014 18:59:33 +0100
Hi,

can a CVE be assigned to the following issue?

It was reported that MaraDNS's recursive resolver, Deadwood, suffers from a flaw where string bounds checking was not done correctly under certain circumstances. As a result, it was possible for a remote attacker to send Deadwood a "packet of death", which would cause Deadwood to crash. Upstream notes that it currently appears that this attack can only be exploited by an IP address with a permission to perform recursive queries against Deadwood.

It looks like these are the appropriate patches in git:

https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093
https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3

References:

http://samiam.org/blog/2014-02-12.html
http://secunia.com/advisories/57033/
https://bugzilla.redhat.com/show_bug.cgi?id=1066609

--
Martin Prpič / Red Hat Security Response Team