From secunia security advisory ad $URL: Description: The vulnerability is caused due to a boundary error in the "ldns_rr_new_frm_str_internal()" function in rr.c when handling the data of unknown RR types ("\#"). This can be exploited to cause a heap-based buffer overflow by e.g. processing specially crafted DNS Resource Records. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in version 1.6.10. Other versions may also be affected. Solution: Fixed in the SVN repository. https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=403
net-libs/ldns-1.6.11 net-dns/ldns-utils-1.6.11 in cvs. please mark stable both.
Thanks Matsuu. Arches, please test and mark stable: =net-libs/ldns-1.6.11 =net-dns/ldns-utils-1.6.11 target KEYWORDS : "amd64 x86"
amd64 ok minor issue about cflags that not blocks this. I'll pointed out in a new bug.
amd64 ditto Ago
x86 stable
+ 06 Oct 2011; Tony Vroon <chainsaw@gentoo.org> ldns-1.6.11.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian + "idella4" Delaney in security bug #384249. + 06 Oct 2011; Tony Vroon <chainsaw@gentoo.org> ldns-utils-1.6.11.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian + "idella4" Delaney in security bug #384249.
No GLSA vote required. Added to pending GLSA request.
CVE-2011-3581 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3581): Heap-based buffer overflow in the ldns_rr_new_frm_str_internal function in ldns before 1.6.11 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Resource Record (RR) with an unknown type containing input that is longer than a specified length.
This issue was resolved and addressed in GLSA 201401-25 at http://security.gentoo.org/glsa/glsa-201401-25.xml by GLSA coordinator Chris Reffett (creffett).