Date: Wed, 9 Jun 2021 10:19:09 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: connman stack buffer overflow in dnsproxy CVE-2021-33833

Hi,

On behalf of my colleague Daniel Wagner, connman maintainer.

CVE-2021-33833

Found by Mike Evdokimov at Digital Security.

The issue affects the dnsproxy component in releases 1.32 to 1.39 of connman.

Unpacking of the NAME and RDATA/RDLENGTH fields of TYPE A/AAAA records in the uncompress function uses a memcpy with insufficient bounds checking, which can overflow a stack buffer.

The researcher has written a PoC; it works with stack overflow heuristics and PIE disabled, so stack overflow protection seems to mitigate it.

Attached is 0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch by r.alyautdin@...russia.ru, which will be used by the upstream connman team.

Note that it touches the same function and piece of code as a previous CVE in connman; the earlier fix was apparently not complete.

Ciao, Marcus

View attachment "0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch" of type "text/x-patch" (1802 bytes)
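To make the class of check the patch title refers to concrete, here is an added example of a bounds-checked copy of A/AAAA RDATA into a fixed-size buffer. It is not connman's uncompress() nor the attached patch; copy_addr_rdata, its argument layout and the sample records are my own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper (not connman code): the checks that must precede the
 * memcpy when unpacking the RDATA of an A or AAAA record.  TYPE values are
 * 1 (A, 4-byte address) and 28 (AAAA, 16-byte address). */
#define DNS_TYPE_A    1
#define DNS_TYPE_AAAA 28

/* `rr` points at the 10-byte fixed part of a resource record (TYPE, CLASS,
 * TTL, RDLENGTH) that follows the already-parsed NAME; `end` is one past
 * the last byte of the packet.  Copies the address into dst and returns the
 * number of bytes copied, or -1 if any bound would be violated: packet
 * truncated, RDLENGTH inconsistent with the type, or dst too small. */
int copy_addr_rdata(const uint8_t *rr, const uint8_t *end,
                    uint8_t *dst, size_t dst_len)
{
    if (rr == NULL || end == NULL || dst == NULL || end < rr)
        return -1;
    if ((size_t)(end - rr) < 10)            /* fixed RR header inside packet? */
        return -1;

    uint16_t type     = (uint16_t)((rr[0] << 8) | rr[1]);
    uint16_t rdlength = (uint16_t)((rr[8] << 8) | rr[9]);
    const uint8_t *rdata = rr + 10;

    size_t expected;
    if (type == DNS_TYPE_A)         expected = 4;
    else if (type == DNS_TYPE_AAAA) expected = 16;
    else                            return -1;  /* other types: not handled here */

    if (rdlength != expected)               /* RDLENGTH must match the address size */
        return -1;
    if ((size_t)(end - rdata) < rdlength)   /* RDATA must lie inside the packet */
        return -1;
    if (dst_len < rdlength)                 /* destination buffer must be large enough */
        return -1;

    memcpy(dst, rdata, rdlength);           /* every bound verified before copying */
    return (int)rdlength;
}
```

The third check is the one that matters for a stack destination: an attacker-controlled RDLENGTH is never trusted to size the copy.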