Openwall GNU/*/Linux 3.0 - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 18 Mar 2011 12:11:15 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: list@...adns.org, 610834@...s.debian.org, geissert@...ian.org,
        atomo64@...il.com, bressers@...hat.com, coley@...re.org
Subject: Re: MaraDNS 1.4.06 and 1.3.07.11 released

* [2011-01-29 22:21:08 -0700] Sam Trenholme wrote:

>In 2002, when I rewrote the compression code for MaraDNS for the first
>time, I made a mistake in allocating an array of integers, allocating
>it in bytes instead of sizeof(int) units.  The resulted in a buffer
>being too small, allowing it to be overwritten.
>
>The impact of this programming error is that MaraDNS can be crashed by
>sending MaraDNS a single "packet of death".  Since the data placed in
>the overwritten array can not be remotely controlled (it is a list of
>increasing integers), there is no way to increase privileges
>exploiting this bug.
>
>The attached patch resolves this issue by allocating in sizeof(int)
>units instead of byte-sized units for an integer array.  In addition,
>it uses a smaller array because a DNS name can only have, at most, 128
>labels.

Was a CVE name ever assigned to this issue?

-- 
Vincent Danen / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ