Bug 635718 (CVE-2017-9217)

Summary: <sys-apps/systemd-233-r6: Denial of Service via crafted DNS response with an empty question section
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: systemd
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/systemd/systemd/commit/a924f43f30f9c4acaf70618dd2a055f8b0f166be
Whiteboard: B3 [noglsa cve]
Package list:
sys-apps/systemd-233-r6
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 635514    

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-28 18:27:04 UTC
CVE-2017-9217 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9217):
  systemd-resolved through 233 allows remote attackers to cause a denial of
  service (daemon crash) via a crafted DNS response with an empty question
  section.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-28 18:28:50 UTC
@Maintainers fix is available in 235, please call for stabilization when ready.

Thank you
Comment 2 Larry the Git Cow gentoo-dev 2017-10-28 18:58:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e698f887553690f3172ab1c1cabf36296dd901e

commit 2e698f887553690f3172ab1c1cabf36296dd901e
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2017-10-28 18:57:31 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2017-10-28 18:58:29 +0000

    sys-apps/systemd: backport fix for CVE-2017-9217
    
    Bug: https://bugs.gentoo.org/635718
    Package-Manager: Portage-2.3.12_p5, Repoman-2.3.3_p75

 sys-apps/systemd/files/CVE-2017-9217.patch |  28 ++
 sys-apps/systemd/systemd-233-r6.ebuild     | 462 +++++++++++++++++++++++++++++
 2 files changed, 490 insertions(+)
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 20:48:30 UTC
ia64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 20:54:16 UTC
ppc/ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-10-29 15:55:53 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-29 21:08:35 UTC
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-08 12:54:19 UTC
Stable on alpha.
Comment 8 Aleksandr Wagner (Kivak) 2017-11-08 17:20:21 UTC
@ Maintainer(s): Stabilization is complete, please clean the vulnerable
versions from the tree.

@ Security: Please vote on glsa.
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-12 14:05:37 UTC
@arm ping, we need you to finish stabilization before proceeding.

Thank you
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-11-19 20:35:46 UTC
ping @arm.
Comment 11 Markus Meier gentoo-dev 2017-11-24 06:03:41 UTC
arm stable, all arches done.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-11-24 21:51:04 UTC
GLSA Vote: No

@maintainer(s), please drop the vulnerable versions.
Comment 13 Larry the Git Cow gentoo-dev 2017-12-17 19:03:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3baee2f1beb124c37f0307acd2124f92218dae0c

commit 3baee2f1beb124c37f0307acd2124f92218dae0c
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2017-12-17 19:02:49 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2017-12-17 19:03:15 +0000

    sys-apps/systemd: remove old
    
    Bug: https://bugs.gentoo.org/635718
    Package-Manager: Portage-2.3.19_p1, Repoman-2.3.6_p35

 sys-apps/systemd/systemd-233-r4.ebuild | 460 --------------------------------
 sys-apps/systemd/systemd-233-r5.ebuild | 461 ---------------------------------
 2 files changed, 921 deletions(-)
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 15:15:30 UTC
Tree is clean.