Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 248709

Summary: net-dns/noip-updater <2.1.9: Stack-based buffer overflow (CVE-2008-5297)
Product: Gentoo Security Reporter: jieryn <jieryn>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: 98036119lmak, danielpi, dragonheart, gentoo-bugzilla, gentoobugs, rb6, takreeger, zeekec
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/32761/
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 248758    
Bug Blocks:    
Attachments:
Description Flags
noip-updater-2.1.9.ebuild.patch
none
noip-2.1.9-flags.patch
none
noip-2.1.9-daemon.patch none

Description jieryn 2008-11-25 01:30:20 UTC 
No-IP has determined that the following advisory is applicable to
one or more of the systems you have registered.


Security Advisory - 2008-11-22
------------------------------------------------------------------------------
Summary:
Important: No-IP Linux DUC (Dynamic Update Client)

An updated version of the No-IP Linux Dynamic Update Client that fixes
a security issue is now available.

This update has been rated as having important security impact.

Description:
Versions 2.1.1- > 2.1.8 are prone to a stack-based buffer-overflow due to
a boundary error when processing HTTP responses received  from the update
server. This can be exploited and cause a stack-based buffer overflow when
performing an update.

A malicious user could exploit this by faking the No-IP update server
via DNS poisoning or a man in the middle attack.  This can cause a denial of
service (client crash) or
potentially execute arbitrary code on the computer the client is running on.

Users running versions 2.1.8 and older are encouraged to upgrade to the most
recent version, 2.1.9
at http://www.no-ip.com/downloads?page=linux&av=1

Regards,

The No-IP Team

Reproducible: Always
Comment 1 jieryn 2008-11-25 01:35:39 UTC 
Added Secunia link.
Comment 2 Serkan Kaba (RETIRED) gentoo-dev 2008-11-25 05:21:22 UTC 
*** Bug 248727 has been marked as a duplicate of this bug. ***
Comment 3 Serkan Kaba (RETIRED) gentoo-dev 2008-11-25 11:18:19 UTC 

*** This bug has been marked as a duplicate of bug 248758 ***
Comment 4 Serkan Kaba (RETIRED) gentoo-dev 2008-11-25 11:19:49 UTC 
This is not a duplicate, sorry for the bugspam.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 17:58:27 UTC 
*PING*
Comment 6 P Nienaber 2008-11-30 23:27:10 UTC 
*Additional Ping*
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-02 11:26:23 UTC 
CVE-2008-5297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5297):
  Buffer overflow in No-IP DUC 2.1.7 and earlier allows remote DNS
  servers to execute arbitrary code via a crafted DNS response, related
  to a missing length check in the GetNextLine function.
Comment 8 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-12-12 11:24:47 UTC 
Created attachment 175075 [details, diff]
noip-updater-2.1.9.ebuild.patch

since dragonheart is away until the 20th,

patch to apply on top of noip-updater-2.1.7-r1
Comment 9 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-12-12 11:25:35 UTC 
Created attachment 175077 [details]
noip-2.1.9-flags.patch

updated patch from noip-2.1.3-cflags with added bonus that it respects ldflags.
Comment 10 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-12-12 11:26:07 UTC 
Created attachment 175079 [details]
noip-2.1.9-daemon.patch

update patch from noip-2.1.4-daemon.patch
Comment 11 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-12-14 15:53:41 UTC 
ebuild commited to the tree.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-12-14 18:21:10 UTC 
Arches, please test and mark stable:
=net-dns/noip-updater-2.1.9
Target keywords : "alpha amd64 ia64 ppc64 sparc x86"
Comment 13 Brent Baude (RETIRED) gentoo-dev 2008-12-15 15:35:45 UTC 
ppc64 done
Comment 14 Tobias Klausmann (RETIRED) gentoo-dev 2008-12-15 20:25:48 UTC 
Stable on alpha.
Comment 15 Markus Meier gentoo-dev 2008-12-17 20:11:41 UTC 
amd64/x86 stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2008-12-22 20:29:32 UTC 
ia64/sparc stable
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-29 20:14:38 UTC 
GLSA request filed.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-18 22:28:49 UTC 
GLSA 200901-12