Date: Tue, 18 Feb 2014 18:59:33 +0100
From: Martin Prpic <mprpic@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: MaraDNS DoS due to incorrect bounds checking on certain strings

Hi, can a CVE be assigned to the following issue?

It was reported that MaraDNS's recursive resolver, Deadwood, suffers
from a flaw where string bounds checking was not done correctly under
certain circumstances. As a result, it was possible for a remote
attacker to send Deadwood a "packet of death", which would cause
Deadwood to crash. Upstream notes that it currently appears that this
attack can only be exploited by an IP address with a permission to
perform recursive queries against Deadwood.

It looks like these are the appropriate patches in git:

https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093
https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3

References:

http://samiam.org/blog/2014-02-12.html
http://secunia.com/advisories/57033/
https://bugzilla.redhat.com/show_bug.cgi?id=1066609

-- 
Martin Prpič / Red Hat Security Response Team
