CVE request: MaraDNS DoS due to incorrect bounds checking on certain strings

[Martin Prpic <mprpic () redhat com>]

Hi, can a CVE be assigned to the following issue?

It was reported that MaraDNS's recursive resolver, Deadwood, suffers
from a flaw where string bounds checking was not done correctly under
certain circumstances. As a result, it was possible for a remote
attacker to send Deadwood a "packet of death", which would cause
Deadwood to crash. Upstream notes that it currently appears that this
attack can only be exploited by an IP address with a permission to
perform recursive queries against Deadwood.

It looks like these are the appropriate patches in git:

https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093
https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3

References:

http://samiam.org/blog/2014-02-12.html
http://secunia.com/advisories/57033/
https://bugzilla.redhat.com/show_bug.cgi?id=1066609

-- 
Martin Prpič / Red Hat Security Response Team