Bug 206847 - net-dns/bind-* libbind "inet_network()" Off-By-One Vulnerability (CVE-2008-0122)
|
Bug#:
206847
(CVE-2008-0122)
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: ASSIGNED
|
Severity: normal
|
Priority: P2
|
|
Resolution:
|
Assigned To: security@gentoo.org
|
Reported By: lars@chaotika.org
|
|
Component: Vulnerabilities
|
|
|
URL:
http://secunia.com/advisories/28579/
|
|
Summary: net-dns/bind-* libbind "inet_network()" Off-By-One Vulnerability (CVE-2008-0122)
|
|
Keywords:
|
|
Status Whiteboard: B2 [ebuild?]
|
|
Opened: 2008-01-21 11:00 0000
|
A vulnerability has been reported in ISC BIND, which can be exploited by
malicious people to cause a DoS (Denial of Service) or to potentially
compromise a vulnerable system.
The vulnerability affects applications linked against libbind and is related
to:
SA28367
NOTE: The applications included in BIND 8 and 9 do not call the vulnerable
function.
Solution:
Please see vendor advisory for patch information.
Provided and/or discovered by:
The vendor credits Nate Eldredge.
Original Advisory:
http://www.isc.org/index.pl?/sw/bind/bind-security.php
Other References:
SA28367:
http://secunia.com/advisories/28367/
hm the paper says that bind plus bindtools do not use this libs, so are there
any packages in gentoo which use em?
The vulnerable file
lib/bind/inet/inet_network.c
does not get compiled with this USE combination:
[ebuild R ] net-dns/bind-9.4.1_p1 USE="berkdb idn ipv6 ldap ssl threads
urandom -dlz -doc -mysql -odbc -postgres -resolvconf (-selinux)" 0 kB [1]
The file lib/Makefile.in says:
SUBDIRS = isc isccc dns isccfg bind9 lwres tests
The "bind" (not bind9) directory is not included there, so bind itself would be
safe. Bind herd, do you agree here?
Created an attachment (id=141492) [details]
List of tarballs containing inet_network.c
All packages that contain inet_network.c:
* net-dns/bind
* sys-freebsd/freebsd-contrib
* sys-freebsd/freebsd-lib
* sys-libs/newlib
And whoever needs
./openbsd-lib-3.8.tar.bz2:lib/libc/net/inet_network.c
(In reply to comment #2)
> The "bind" (not bind9) directory is not included there, so bind itself would be
> safe. Bind herd, do you agree here?
>
*ping*
Lu, it seems newlib is also affected by this. Please advise here.
(In reply to comment #4)
> (In reply to comment #2)
>
> > The "bind" (not bind9) directory is not included there, so bind itself would be
> > safe. Bind herd, do you agree here?
> >
>
> *ping*
>
timeout :(
It's been almost one month now...
*** Bug 211089 has been marked as a duplicate of this bug. ***
(In reply to comment #4)
> Bind herd, do you agree here?
There's no herd here, mjolnir retired (Bug 159513) and voxus probably doesn't
read the alias mail at all.
(In reply to comment #2)
> The "bind" (not bind9) directory is not included there, so bind itself would be
> safe. Bind herd, do you agree here?
>
yep
(In reply to comment #3)
> Created an attachment (id=141492) [edit] [details]
> List of tarballs containing inet_network.c
>
> All packages that contain inet_network.c:
>
> * net-dns/bind
> * sys-freebsd/freebsd-contrib
> * sys-freebsd/freebsd-lib
> * sys-libs/newlib
>
> And whoever needs
> ./openbsd-lib-3.8.tar.bz2:lib/libc/net/inet_network.c
>
So bind seems ok, but what about the 3 others? Is there anything to do? please
advise.
