Bugs in dn_expand (XS and PP) on mailformed packages
Bug #125236 reported by
Scott Kitterman
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libnet-dns-perl (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
| Dapper |
Fix Released
|
High
|
Unassigned | ||
| Edgy |
Fix Released
|
High
|
Unassigned | ||
| Feisty |
Fix Released
|
High
|
Unassigned | ||
Bug Description
Binary package hint: libnet-dns-perl
the XS implementation puts the return code of netdns_dn_expand into an
unsigned int instead of an int, so that it never finds out if the
function returned an error (e.g. <0).
The PP implementation goes into and endless loop exhausting the stack on
a mailformed DNS packet, where the string compression causes and endless
loop (e.g. the pointer in www.example.
Both problems have been fixed in the attached diff which also contains a
test for this problem.
This allows remote attackers to cause a denial of service (stack consumption) via a malformed compressed DNS packet with self-referencing pointers, which triggers an infinite loop.
CVE References
Revision history for this message
| Scott Kitterman (kitterman) wrote | #1 |
| Changed in libnet-dns-perl: | |
| status: | New → Fix Released |
| importance: | Undecided → High |
| importance: | Undecided → High |
| status: | New → Confirmed |
| Changed in libnet-dns-perl: | |
| status: | Confirmed → Fix Released |
| importance: | Undecided → High |
| status: | New → Fix Released |
| importance: | Undecided → High |
| status: | New → Fix Released |
To post a comment you must log in.
Fixed in Gutsy