Bug 199967 - sys-auth/nss-mdns < 0.10 Denial of Service Vulnerability
Summary: sys-auth/nss-mdns < 0.10 Denial of Service Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27690/
Whiteboard: C3 [noglsa]
Reported: 2007-11-22 11:21 UTC by Lars Hartmann
Modified: 2007-11-26 08:14 UTC

Description Lars Hartmann 2007-11-22 11:21:50 UTC
A vulnerability has been reported in nss-mdns, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to the use of misaligned data structures within the "_nss_mdns_gethostbyname2_r()" function in nss.c and can be exploited to crash an application using the library.

The vulnerability is reported in versions prior to 0.10 running on the ARM and SPARC architectures.

Solution:
Update to version 0.10.

Provided and/or discovered by:
Daniel Smolik

Original Advisory:
Debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=423222
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=451428

nss-mdns:
http://0pointer.de/lennart/projects/nss-mdns/#news

Reproducible: Always
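
The failure mode described in the report above, as an added example that is not part of the original report and is not nss-mdns code. It assumes the common NSS pattern in which a resolver packs a host name and a pointer array into one caller-supplied `char` buffer; all function names here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NO_SPACE ((size_t)-1)
#define PTR_ALIGN _Alignof(char *)

/* Nonzero if p may be used as a char ** on a strict-alignment CPU. */
int is_ptr_aligned(const char *p) { return (uintptr_t)p % PTR_ALIGN == 0; }

/* Defective layout: the array starts right after the name, so its alignment depends on strlen(name). */
size_t layout_naive(size_t buflen, const char *name, size_t nptrs) {
    size_t idx = strlen(name) + 1;
    if (idx > buflen || nptrs > (buflen - idx) / sizeof(char *))
        return NO_SPACE;
    return idx;
}

/* Hardened layout: pad to pointer alignment and charge the padding to buflen. */
size_t layout_aligned(const char *buf, size_t buflen, const char *name, size_t nptrs) {
    size_t idx = strlen(name) + 1;
    if (idx > buflen)
        return NO_SPACE;
    size_t rem = (uintptr_t)(buf + idx) % PTR_ALIGN;
    size_t pad = rem ? PTR_ALIGN - rem : 0;
    if (pad > buflen - idx || nptrs > (buflen - idx - pad) / sizeof(char *))
        return NO_SPACE;
    return idx + pad;
}

/* Copy name into buf and store a NULL-terminated alias list at the aligned offset. */
size_t store_aliases(char *buf, size_t buflen, const char *name) {
    size_t off = layout_aligned(buf, buflen, name, 2);
    if (off == NO_SPACE)
        return NO_SPACE;
    memcpy(buf, name, strlen(name) + 1);
    char **list = (char **)(void *)(buf + off); /* aligned: stores cannot fault */
    list[0] = buf;
    list[1] = NULL;
    return off;
}

int main(void) {
    char *buf = malloc(64); /* constructed caller buffer */
    size_t off = buf ? store_aliases(buf, 64, "host.local") : NO_SPACE;
    free(buf);
    return off == NO_SPACE;
}
```

On x86 and amd64 a store through the naive offset would normally complete, which is why the defect only shows up as a crash on strict-alignment targets such as the ARM and SPARC systems named in the report.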
Comment 1 Lars Hartmann 2007-11-22 11:23:08 UTC
please have a look at it
Comment 2 Lars Hartmann 2007-11-22 11:24:28 UTC
corrected severity Level
Comment 3 Saleem Abdulrasool (RETIRED) gentoo-dev 2007-11-22 20:32:14 UTC
nss-mdns-0.10 has been in the tree, please stable.
Comment 4 Markus Meier gentoo-dev 2007-11-23 15:29:59 UTC
x86 stable and added quotes
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2007-11-23 22:13:01 UTC
amd64 stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2007-11-24 04:37:39 UTC
ppc stable
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-11-26 01:59:12 UTC
This does not affect x86 and amd64 systems because they do not require strict alignment. While I am not sure about ppc, and only ARM and SPARC are mentioned as affected, plus the impact is DoS, I vote NO.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-26 08:14:40 UTC
no too, closing.