80267 – net-misc/dante: FD_SET Overflow Vulnerability

Bug 80267 - net-misc/dante: FD_SET Overflow Vulnerability

Summary: net-misc/dante: FD_SET Overflow Vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://www.inet.no/dante/announce-1.1.15
Whiteboard:	C3 [noglsa] lewk
Keywords:

Depends on:
Blocks:

Reported:	2005-01-31 16:12 UTC by Luke Macken (RETIRED)
Modified:	2009-07-13 22:35 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Luke Macken (RETIRED) gentoo-dev

2005-01-31 16:12:27 UTC

TITLE:
Dante FD_SET Overflow Vulnerability

SECUNIA ADVISORY ID:
SA14071

VERIFY ADVISORY:
http://secunia.com/advisories/14071/

CRITICAL:
Less critical

IMPACT:
DoS

WHERE:
>From local network

SOFTWARE:
Dante 1.x
http://secunia.com/product/4583/

DESCRIPTION:
3APA3A has reported a vulnerability in Dante, which can be exploited
by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a missing boundary check when
doing "FD_SET()" operations. This can be exploited to cause a buffer
overflow in certain configurations by establishing multiple
concurrent connections.

The vulnerability has been reported in version 1.1. Other versions
may also be affected.

SOLUTION:
Update to version 1.1.15.
http://www.inet.no/dante/

PROVIDED AND/OR DISCOVERED BY:
3APA3A

ORIGINAL ADVISORY:
Inferno Nettverk:
http://www.inet.no/dante/advisory-2005-01-28

3APA3A:
http://www.security.nnov.ru/advisories/sockets.asp

Comment 1 Luke Macken (RETIRED) gentoo-dev

2005-01-31 16:14:44 UTC

agriffis, there is no metadata for this package, and you were the last one to bump it, so please update bump to 1.1.15

Comment 2 petre rodan (RETIRED) gentoo-dev

2005-02-02 23:39:40 UTC

version bumped. please test and mark stable for your arch

Comment 3 Markus Rothe (RETIRED) gentoo-dev

2005-02-03 04:09:19 UTC

just works. stable on ppc64

Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev

2005-02-03 05:53:58 UTC

sparc good.

Comment 5 Olivier Crete (RETIRED) gentoo-dev

2005-02-03 09:18:40 UTC

x86 stable

Comment 6 Bryan Østergaard (RETIRED) gentoo-dev

2005-02-04 13:03:57 UTC

Stable on alpha.

Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-02-04 14:05:10 UTC

Sorry for the delay. Stable on ppc.

Comment 8 Jan Brinkmann (RETIRED) gentoo-dev

2005-02-04 15:22:05 UTC

stable on amd64

Comment 9 SpanKY gentoo-dev

2005-02-06 02:43:35 UTC

arm/hppa/ia64/s390 stable

Comment 10 Thierry Carrez (RETIRED) gentoo-dev

2005-02-06 09:21:30 UTC

Please vote: only very specific conf affected -> NO ?

Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-02-06 11:16:02 UTC

I vote for no GLSA here as well. Lewk?

Comment 12 Luke Macken (RETIRED) gentoo-dev

2005-02-07 05:29:24 UTC

Closing without GLSA.

Comment 13 Hardave Riar (RETIRED) gentoo-dev

2005-02-17 23:40:40 UTC

Stable on mips.