From ${URL} : Stack-based buffer overflow in dnstracer through 1.9 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a command line with a long name argument that is mishandled in a strcpy call for argv[0]. An example threat model is a web application that launches dnstracer with an untrusted name string. References: https://cxsecurity.com/issue/WLB-2017060030 https://www.exploit-db.com/exploits/42115/ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
@arches, please stabilize.
amd64 stable
x86 stable
commit 949f332373007d13d147ceaa10863926f5e21a86 Author: Jeroen Roovers <jer@gentoo.org> Date: Sat Feb 10 10:53:42 2018 +0100 net-analyzer/dnstracer: Stable for HPPA too.
ia64 stable
ppc64 stable
arm stable, all arches done.
CVE calls out a DoS. No PoC for ACE/RCE found. Downgraded. GLSA Vote: No
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85f923455730d39bb7722b54b58a606cc8d2acd7 commit 85f923455730d39bb7722b54b58a606cc8d2acd7 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2018-04-08 13:29:18 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2018-04-08 13:30:21 +0000 net-analyzer/dnstracer: drop vulnerable Bug: https://bugs.gentoo.org/620928 Package-Manager: Portage-2.3.28, Repoman-2.3.9 net-analyzer/dnstracer/dnstracer-1.9-r1.ebuild | 19 ------------------- 1 file changed, 19 deletions(-)}
