Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 906113 (CVE-2023-31137) - <net-dns/maradns-3.5.0036: integer underflow vulnerability
Summary: <net-dns/maradns-3.5.0036: integer underflow vulnerability
Status: CONFIRMED
Alias: CVE-2023-31137
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/samboy/MaraDNS/sec...
Whiteboard: B3 [stable?]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2023-05-11 04:45 UTC by John Helmert III
Modified: 2024-02-09 14:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-11 04:45:07 UTC 
CVE-2023-31137:

MaraDNS is open-source software that implements the Domain Name System (DNS). In version 3.5.0024 and prior, a remotely exploitable integer underflow vulnerability in the DNS packet decompression function allows an attacker to cause a Denial of Service by triggering an abnormal program termination.

The vulnerability exists in the `decomp_get_rddata` function within the `Decompress.c` file. When handling a DNS packet with an Answer RR of qtype 16 (TXT record) and any qclass, if the `rdlength` is smaller than `rdata`, the result of the line `Decompress.c:886` is a negative number `len = rdlength - total;`. This value is then passed to the `decomp_append_bytes` function without proper validation, causing the program to attempt to allocate a massive chunk of memory that is impossible to allocate. Consequently, the program exits with an error code of 64, causing a Denial of Service.

One proposed fix for this vulnerability is to patch `Decompress.c:887` by breaking `if(len <= 0)`, which has been incorporated in version 3.5.0036 via commit bab062bde40b2ae8a91eecd522e84d8b993bab58.

Patch is 3.5.0036: https://github.com/samboy/MaraDNS/commit/bab062bde40b2ae8a91eecd522e84d8b993bab58
Comment 1 Larry the Git Cow gentoo-dev 2024-02-09 13:47:37 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73937e86b92dcf813bf021a83451e2ae4dbc423c

commit 73937e86b92dcf813bf021a83451e2ae4dbc423c
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-01-20 16:34:59 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-02-09 13:47:34 +0000

    net-dns/maradns: add 3.5.0036, security bump
    
    Rebased patch, removed fix_shebang due to the tool no longer being
    present.
    
    Bug: https://bugs.gentoo.org/906113
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/34684
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-dns/maradns/Manifest                           |  1 +
 net-dns/maradns/files/maradns-3.5.0022-flags.patch | 23 ++----
 net-dns/maradns/maradns-3.5.0036.ebuild            | 89 ++++++++++++++++++++++
 3 files changed, 97 insertions(+), 16 deletions(-)