Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 622874 (CVE-2017-9445)

Summary: <sys-apps/systemd-233-r3: systemd-resolved: Out-of-bounds write via crafted TCP payload (CVE-2017-9445)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: alexander, systemd
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2017/06/27/8
See Also: https://launchpad.net/bugs/1695546
https://github.com/systemd/systemd/pull/6214
https://github.com/systemd/systemd/pull/6220
Whiteboard: B3 [noglsa cve]
Package list:
sys-libs/libseccomp-2.3.2 arm sys-apps/systemd-233-r3
 Runtime testing required: ---
Bug Depends on: 623532    
Bug Blocks: 595476, 623536    

Description GLSAMaker/CVETool Bot gentoo-dev 2017-06-27 20:42:49 UTC 
CVE-2017-9445 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9445):
  Out-of-bounds write in systemd-resolved with crafted TCP payload.


Certain sizes passed to dns_packet_new can cause it to allocate a buffer
that's too small. A page-aligned number - sizeof(DnsPacket) +
sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a
page-aligned number - 80. Eg, calling dns_packet_new with a size of 4016
on x86 will result in an allocation of 4096 bytes, but 108 bytes of this
are for the DnsPacket struct.

A malicious DNS server can exploit this by responding with a specially
crafted TCP payload to trick systemd-resolved in to allocating a buffer
that's too small, and subsequently write arbitrary data beyond the end
of it.

Introduced by: https://github.com/systemd/systemd/commit/a0166609f782da91710dea9183d1bf138538db37
Comment 1 Mike Gilbert gentoo-dev 2017-06-28 17:03:17 UTC 
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d6384e102e34db05c2897b20d63587173f141c5

commit 6d6384e102e34db05c2897b20d63587173f141c5
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Wed Jun 28 13:01:09 2017 -0400

    sys-apps/systemd: backport fix for CVE-2017-9445

    Bug: https://bugs.gentoo.org/622874
    Package-Manager: Portage-2.3.6_p9, Repoman-2.3.2_p77

 sys-apps/systemd/files/233-CVE-2017-9445.patch | 178 ++++++++++
 sys-apps/systemd/systemd-233-r2.ebuild         | 460 +++++++++++++++++++++++++
 2 files changed, 638 insertions(+)
Comment 2 Mike Gilbert gentoo-dev 2017-06-28 20:32:49 UTC 
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9a542b09cb0ee4c3b085881190bed393f4ece03

commit e9a542b09cb0ee4c3b085881190bed393f4ece03
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Wed Jun 28 16:30:47 2017 -0400

    sys-apps/systemd: update CVE-2017-9445 patch after upstream revert

    Package-Manager: Portage-2.3.6_p9, Repoman-2.3.2_p77

 sys-apps/systemd/files/233-CVE-2017-9445.patch     | 29 ----------------------
 ...systemd-233-r2.ebuild => systemd-233-r3.ebuild} |  0
 2 files changed, 29 deletions(-)
Comment 3 Richard Freeman gentoo-dev 2017-06-28 22:16:04 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-30 11:13:45 UTC 
x86 stable
Comment 5 Markus Meier gentoo-dev 2017-07-07 06:19:04 UTC 
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-07-07 09:12:16 UTC 
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-07-07 13:27:38 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-07-07 14:53:02 UTC 
ppc64 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-16 11:12:45 UTC 
Stable on alpha.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-10-08 19:52:56 UTC 
GLSA Vote: No