|
Message-ID: <20110318190538.GU5174@redhat.com> Date: Fri, 18 Mar 2011 13:05:38 -0600 From: Vincent Danen <vdanen@...hat.com> To: Raphael Geissert <geissert@...ian.org> Cc: oss-security@...ts.openwall.com, list@...adns.org, bressers@...hat.com, coley@...re.org Subject: Re: MaraDNS 1.4.06 and 1.3.07.11 released * [2011-03-18 12:52:32 -0600] Raphael Geissert wrote: >On Friday 18 March 2011 12:11:15 Vincent Danen wrote: >> * [2011-01-29 22:21:08 -0700] Sam Trenholme wrote: >> >In 2002, when I rewrote the compression code for MaraDNS for the first >> >time, I made a mistake in allocating an array of integers, allocating >> >it in bytes instead of sizeof(int) units. The resulted in a buffer >> >being too small, allowing it to be overwritten. >> > >> >The impact of this programming error is that MaraDNS can be crashed by >> >sending MaraDNS a single "packet of death". Since the data placed in >> >the overwritten array can not be remotely controlled (it is a list of >> >increasing integers), there is no way to increase privileges >> >exploiting this bug. >> > >> >The attached patch resolves this issue by allocating in sizeof(int) >> >units instead of byte-sized units for an integer array. In addition, >> >it uses a smaller array because a DNS name can only have, at most, 128 >> >labels. >> >> Was a CVE name ever assigned to this issue? > >Yes, Josh assigned CVE-2011-0520. >(his message is also recorded on the Debian bug you CC'ed) Sorry, I should have looked at the Debian bug. I was looking at the GMANE archive and only saw Tomas' reply the next day, but no further followups. Thanks! -- Vincent Danen / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.