Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 638338 (CVE-2017-1000231, CVE-2017-1000232) - <net-libs/ldns-1.7.0-r1: Multiple vulnerabilities
Summary: <net-libs/ldns-1.7.0-r1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-1000231, CVE-2017-1000232
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
: 618178 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-11-21 16:33 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-18 03:27 UTC (History)
2 users (show)

See Also:
Package list:
=net-libs/ldns-1.7.0-r2
Runtime testing required: No
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-21 16:33:21 UTC 
CVE-2017-1000232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000232):
  A double-free vulnerability in str2host.c in ldns 1.7.0 have unspecified
  impact and attack vectors.

CVE-2017-1000231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000231):
  A double-free vulnerability in parse.c in ldns 1.7.0 have unspecified impact
  and attack vectors.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-21 16:47:49 UTC 
@Maintainer, please advise the best way to handle this.

Thank you
Comment 2 Marc Schiffbauer gentoo-dev 2017-11-23 16:50:31 UTC 
I have added 1.7.0-r1 to the tree with patches for both CVEs because upstream has not released a new version yet
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-23 17:20:13 UTC 
(In reply to Marc Schiffbauer from comment #2)
> I have added 1.7.0-r1 to the tree with patches for both CVEs because
> upstream has not released a new version yet

Thank you, please call for stabilization when appropriate. I'm re-assigning whiteboard since a stable version is affected and no PoC from nothing besides the double free memory corruption.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-01-19 21:13:51 UTC 
First unaffected version in tree is net-libs/ldns-1.7.0-r1.  net-libs/1.7.0-r2 is almost finished with stabilization, but is pending alpha.

@alpha, please stabilize.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-21 17:22:35 UTC 
commit 62937fb372986f20d2a98e04f6f035c097131e97
Author: Tobias Klausmann <klausman@gentoo.org>
Date:   Sat Jan 20 12:50:36 2018 +0100

    net-libs/ldns-1.7.0-r2: alpha stable

    Gentoo-Bug: http://bugs.gentoo.org/509632
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2018-01-21 19:42:04 UTC 
(In reply to Sergei Trofimovich from comment #5)
> commit 62937fb372986f20d2a98e04f6f035c097131e97
> Author: Tobias Klausmann <klausman@gentoo.org>
> Date:   Sat Jan 20 12:50:36 2018 +0100
> 
>     net-libs/ldns-1.7.0-r2: alpha stable
> 
>     Gentoo-Bug: http://bugs.gentoo.org/509632

Thanks, Sergei!

@maintainer, please clean the vulnerable versions from the tree.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2020-03-18 03:27:34 UTC 
*** Bug 618178 has been marked as a duplicate of this bug. ***