Date: Fri, 18 Mar 2011 12:52:32 -0600
From: Raphael Geissert <geissert@...ian.org>
To: Vincent Danen <vdanen@...hat.com>
Cc: oss-security@...ts.openwall.com, list@...adns.org, bressers@...hat.com, coley@...re.org
Subject: Re: MaraDNS 1.4.06 and 1.3.07.11 released

On Friday 18 March 2011 12:11:15 Vincent Danen wrote:
> * [2011-01-29 22:21:08 -0700] Sam Trenholme wrote:
> >In 2002, when I rewrote the compression code for MaraDNS for the first
> >time, I made a mistake in allocating an array of integers, allocating
> >it in bytes instead of sizeof(int) units. This resulted in a buffer
> >being too small, allowing it to be overwritten.
> >
> >The impact of this programming error is that MaraDNS can be crashed by
> >sending MaraDNS a single "packet of death". Since the data placed in
> >the overwritten array can not be remotely controlled (it is a list of
> >increasing integers), there is no way to increase privileges
> >exploiting this bug.
> >
> >The attached patch resolves this issue by allocating in sizeof(int)
> >units instead of byte-sized units for an integer array. In addition,
> >it uses a smaller array because a DNS name can only have, at most, 128
> >labels.
>
> Was a CVE name ever assigned to this issue?

Yes, Josh assigned CVE-2011-0520.
(his message is also recorded on the Debian bug you CC'ed)

Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
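
The allocation rule from the quoted advisory, as an added example that is not MaraDNS code and not part of this thread: an integer array sized in sizeof(int) units, with the index checked against the 128-label cap before every store. The function name `label_offsets`, the constants and the sample name are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LABELS 128   /* label cap quoted in the advisory text */
#define MAX_NAME   255   /* RFC 1035 limit on a wire-format name */

/* Hypothetical helper: record the offset of every label in an uncompressed
 * wire-format DNS name. Returns the label count (root included) or -1 on
 * malformed input. On success *out is a malloc'd array the caller frees. */
int label_offsets(const unsigned char *name, size_t len, int **out)
{
    /* The bug class described above is malloc(MAX_LABELS): that is 128
     * BYTES, not 128 ints. Size the buffer in element units instead. */
    int *offs = malloc(MAX_LABELS * sizeof *offs);
    size_t pos = 0;
    int n = 0;

    *out = NULL;
    if (offs == NULL)
        return -1;
    while (pos < len && pos < MAX_NAME) {
        unsigned char l = name[pos];
        /* Bound the index before storing; l > 63 also rejects pointers. */
        if (n >= MAX_LABELS || l > 63)
            break;
        offs[n++] = (int)pos;
        if (l == 0) {            /* root label terminates the name */
            *out = offs;
            return n;
        }
        pos += 1 + (size_t)l;
    }
    free(offs);                  /* truncated, oversized or bad label */
    return -1;
}

int main(void)
{
    /* Constructed sample: "www.example.com." in wire format. */
    static const unsigned char sample[] = "\3www\7example\3com";
    int *offs = NULL;
    int n = label_offsets(sample, sizeof sample, &offs);
    for (int i = 0; i < n; i++)
        printf("label %d at offset %d\n", i, offs[i]);
    free(offs);
    return n == 4 ? 0 : 1;
}
```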