Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 639780 (CVE-2017-15120)

Summary: <net-dns/pdns-recursor-4.0.8: Crafted CNAME answer can cause a denial of service
Product: Gentoo Security Reporter: Thomas Deutschmann <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: swegener
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html
Whiteboard: B3 [noglsa cve]
Package list:
=net-dns/pdns-recursor-4.0.8
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev 2017-12-04 14:48:56 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev 2017-12-11 12:36:49 UTC
PowerDNS Security Advisory 2017-08: Crafted CNAME answer can cause a denial of service

CVE: CVE-2017-15120

Date: December 11th 2017

Credit: Toshifumi Sakaguchi

Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.7

Not affected: PowerDNS Recursor 3.7.4, 4.0.8, 4.1.0

Severity: High

Impact: Denial of service

Exploit: This problem can be triggered by an authoritative server sending a crafted CNAME answer with a class other than IN to the Recursor.

Risk of system compromise: No

Solution: Upgrade to a non-affected version

Workaround: run the process inside a supervisor like supervisord or systemd

An issue has been found in the parsing of authoritative answers in PowerDNS Recursor, leading to a NULL pointer dereference when parsing a specially crafted answer containing a CNAME of a different class than IN. This issue has been assigned CVE-2017-15120.

When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, it will be automatically restarted, limiting the impact to somewhat degraded service.

PowerDNS Recursor from 4.0.0 up to and including 4.0.7 are affected.
Comment 2 Sven Wegener gentoo-dev 2017-12-11 12:49:23 UTC
I've committed pdns-recursor-4.0.8. In addition to the security fix it only contains small changes over 4.0.7 and should be ready for stabilization.
Comment 3 Thomas Deutschmann gentoo-dev 2017-12-11 13:00:10 UTC
@ Arches,

please test and mark stable: =net-dns/pdns-recursor-4.0.8
Comment 4 Thomas Deutschmann gentoo-dev 2017-12-12 16:37:59 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-12-14 20:27:37 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-15 15:48:58 UTC
GLSA Vote: No

Tree is clean.