Bug 248709 - net-dns/noip-updater <2.1.9: Stack-based buffer overflow (CVE-2008-5297)
Summary: net-dns/noip-updater <2.1.9: Stack-based buffer overflow (CVE-2008-5297)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/32761/
Whiteboard: B1 [glsa]
Keywords:
Duplicates: 248727
Depends on: 248758
Blocks:
Reported: 2008-11-25 01:30 UTC by jieryn
Modified: 2009-01-18 22:28 UTC


Attachments
noip-updater-2.1.9.ebuild.patch (824 bytes, patch), 2008-12-12 11:24 UTC, Gilles Dartiguelongue
noip-2.1.9-flags.patch (400 bytes, text/plain), 2008-12-12 11:25 UTC, Gilles Dartiguelongue
noip-2.1.9-daemon.patch (533 bytes, text/plain), 2008-12-12 11:26 UTC, Gilles Dartiguelongue

Description jieryn 2008-11-25 01:30:20 UTC
No-IP has determined that the following advisory is applicable to
one or more of the systems you have registered.


Security Advisory - 2008-11-22
------------------------------------------------------------------------------
Summary:
Important: No-IP Linux DUC (Dynamic Update Client)

An updated version of the No-IP Linux Dynamic Update Client that fixes
a security issue is now available.

This update has been rated as having important security impact.

Description:
Versions 2.1.1 -> 2.1.8 are prone to a stack-based buffer-overflow due to
a boundary error when processing HTTP responses received from the update
server. This can be exploited and cause a stack-based buffer overflow when
performing an update.

A malicious user could exploit this by faking the No-IP update server
via DNS poisoning or a man in the middle attack. This can cause a denial of
service (client crash) or potentially execute arbitrary code on the computer
the client is running on.

Users running versions 2.1.8 and older are encouraged to upgrade to the most
recent version, 2.1.9, at http://www.no-ip.com/downloads?page=linux&av=1

Regards,

The No-IP Team

Reproducible: Always
Comment 1 jieryn 2008-11-25 01:35:39 UTC
Added Secunia link.
Comment 2 Serkan Kaba (RETIRED) gentoo-dev 2008-11-25 05:21:22 UTC
*** Bug 248727 has been marked as a duplicate of this bug. ***
Comment 3 Serkan Kaba (RETIRED) gentoo-dev 2008-11-25 11:18:19 UTC

*** This bug has been marked as a duplicate of bug 248758 ***
Comment 4 Serkan Kaba (RETIRED) gentoo-dev 2008-11-25 11:19:49 UTC
This is not a duplicate, sorry for the bugspam.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 17:58:27 UTC
*PING*
Comment 6 P Nienaber 2008-11-30 23:27:10 UTC
*Additional Ping*
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-02 11:26:23 UTC
CVE-2008-5297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5297):
  Buffer overflow in No-IP DUC 2.1.7 and earlier allows remote DNS
  servers to execute arbitrary code via a crafted DNS response, related
  to a missing length check in the GetNextLine function.
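
The kind of length check the CVE text says was missing, as an added C example that is not No-IP's code and not part of this bug report: a hypothetical `next_line_bounded` helper that refuses an over-long response line instead of copying it into a fixed-size stack buffer. The function names, return codes and the sample response are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/* Constructed sample response, not captured from a real update server. */
static const char SAMPLE[] =
    "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nstatus=ok\r\n";
/* Hypothetical helper: copy the next LF/CRLF-terminated line of
 * src[*pos..src_len) into dest. An over-long line is rejected, not
 * truncated, and *pos is left unchanged so the caller can abort. */
int next_line_bounded(const char *src, size_t src_len, size_t *pos,
                      char *dest, size_t dest_size)
{
    if (dest_size == 0) return LINE_TOO_LONG;
    if (*pos >= src_len) return LINE_EOF;
    const char *start = src + *pos;
    size_t avail = src_len - *pos;
    const char *nl = memchr(start, '\n', avail);
    size_t raw = nl ? (size_t)(nl - start) : avail; /* bytes before '\n' */
    size_t len = raw;
    if (len > 0 && start[len - 1] == '\r') len--;   /* drop CR of CRLF */
    if (len >= dest_size)       /* the length check: keep room for NUL */
        return LINE_TOO_LONG;
    memcpy(dest, start, len);
    dest[len] = '\0';
    *pos += raw + (nl ? 1 : 0);
    return LINE_OK;
}

/* Walk a whole response: number of lines read, or a negative error. */
int count_lines(const char *resp, size_t resp_len, size_t line_buf_size)
{
    char line[256];
    size_t pos = 0;
    int n = 0, rc;
    if (line_buf_size > sizeof line) line_buf_size = sizeof line;
    while ((rc = next_line_bounded(resp, resp_len, &pos, line,
                                   line_buf_size)) == LINE_OK)
        n++;
    return rc == LINE_EOF ? n : rc;
}

int main(void)
{
    printf("64-byte line buffer: %d\n", count_lines(SAMPLE, sizeof SAMPLE - 1, 64));
    printf("16-byte line buffer: %d\n", count_lines(SAMPLE, sizeof SAMPLE - 1, 16));
    return 0;
}
```

The 16-byte case accepts the 15-character status line, which fits exactly with its terminator, and then rejects the 24-character header line with `LINE_TOO_LONG`.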

Comment 8 Gilles Dartiguelongue gentoo-dev 2008-12-12 11:24:47 UTC
Created attachment 175075
noip-updater-2.1.9.ebuild.patch

since dragonheart is away until the 20th,

patch to apply on top of noip-updater-2.1.7-r1
Comment 9 Gilles Dartiguelongue gentoo-dev 2008-12-12 11:25:35 UTC
Created attachment 175077
noip-2.1.9-flags.patch

updated patch from noip-2.1.3-cflags with added bonus that it respects ldflags.
Comment 10 Gilles Dartiguelongue gentoo-dev 2008-12-12 11:26:07 UTC
Created attachment 175079
noip-2.1.9-daemon.patch

update patch from noip-2.1.4-daemon.patch
Comment 11 Gilles Dartiguelongue gentoo-dev 2008-12-14 15:53:41 UTC
ebuild committed to the tree.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-12-14 18:21:10 UTC
Arches, please test and mark stable:
=net-dns/noip-updater-2.1.9
Target keywords : "alpha amd64 ia64 ppc64 sparc x86"
Comment 13 Brent Baude (RETIRED) gentoo-dev 2008-12-15 15:35:45 UTC
ppc64 done
Comment 14 Tobias Klausmann (RETIRED) gentoo-dev 2008-12-15 20:25:48 UTC
Stable on alpha.
Comment 15 Markus Meier gentoo-dev 2008-12-17 20:11:41 UTC
amd64/x86 stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2008-12-22 20:29:32 UTC
ia64/sparc stable
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-29 20:14:38 UTC
GLSA request filed.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-18 22:28:49 UTC
GLSA 200901-12