CVE-2017-9445 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9445):

Out-of-bounds write in systemd-resolved with crafted TCP payload.

Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a page-aligned number - 80. E.g., calling dns_packet_new with a size of 4016 on x86 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.

A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.

Introduced by: https://github.com/systemd/systemd/commit/a0166609f782da91710dea9183d1bf138538db37
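The size arithmetic described in the report above, as an added example that is not part of the original bug thread and is not systemd's source: a simplified C model which assumes the requested size has the IP and UDP header sizes subtracted before page rounding, as inferred from the report's formula. The 4096-byte page, 108-byte struct and 28-byte header values come from the report's x86 example; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constants from the report's x86 example (assumptions of this model). */
#define PAGE_SZ       4096u /* page size */
#define STRUCT_SZ     108u  /* sizeof(DnsPacket) as stated in the report */
#define IP_UDP_HDR_SZ 28u   /* sizeof(iphdr) + sizeof(udphdr) = 20 + 8 */

static size_t page_align(size_t n) {
    return (n + PAGE_SZ - 1) / PAGE_SZ * PAGE_SZ;
}

/* Flawed sizing (model): the requested size is treated like an MTU, so the
 * IP/UDP header size is subtracted before rounding up to a whole page.
 * Returns the bytes available for packet data behind the struct. */
size_t capacity_flawed(size_t requested) {
    size_t a = requested > IP_UDP_HDR_SZ ? requested - IP_UDP_HDR_SZ : 0;
    return page_align(STRUCT_SZ + a) - STRUCT_SZ;
}

/* Checked sizing (model): room for the struct plus every requested byte. */
size_t capacity_checked(size_t requested) {
    return page_align(STRUCT_SZ + requested) - STRUCT_SZ;
}

/* Bytes a write of `requested` bytes would place past the data area. */
size_t overrun(size_t requested, size_t capacity) {
    return requested > capacity ? requested - capacity : 0;
}

int main(void) {
    /* Constructed sample sizes: an ordinary one and values around the boundary. */
    const size_t sizes[] = { 512, 4016, 4017, 8112 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t f = capacity_flawed(sizes[i]), c = capacity_checked(sizes[i]);
        printf("requested=%zu flawed_cap=%zu overrun=%zu checked_cap=%zu overrun=%zu\n",
               sizes[i], f, overrun(sizes[i], f), c, overrun(sizes[i], c));
    }
    return 0;
}
```

In this model a request of 4016 bytes gets a 4096-byte allocation with only 3988 bytes of data room, which is the case the report describes; the same shortfall repeats at 8112, one page higher.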
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d6384e102e34db05c2897b20d63587173f141c5

commit 6d6384e102e34db05c2897b20d63587173f141c5
Author: Mike Gilbert <floppym@gentoo.org>
Date: Wed Jun 28 13:01:09 2017 -0400

    sys-apps/systemd: backport fix for CVE-2017-9445

    Bug: https://bugs.gentoo.org/622874
    Package-Manager: Portage-2.3.6_p9, Repoman-2.3.2_p77

 sys-apps/systemd/files/233-CVE-2017-9445.patch | 178 ++++++++++
 sys-apps/systemd/systemd-233-r2.ebuild | 460 +++++++++++++++++++++++++
 2 files changed, 638 insertions(+)
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9a542b09cb0ee4c3b085881190bed393f4ece03

commit e9a542b09cb0ee4c3b085881190bed393f4ece03
Author: Mike Gilbert <floppym@gentoo.org>
Date: Wed Jun 28 16:30:47 2017 -0400

    sys-apps/systemd: update CVE-2017-9445 patch after upstream revert

    Package-Manager: Portage-2.3.6_p9, Repoman-2.3.2_p77

 sys-apps/systemd/files/233-CVE-2017-9445.patch | 29 ----------------------
 ...systemd-233-r2.ebuild => systemd-233-r3.ebuild} | 0
 2 files changed, 29 deletions(-)
amd64 stable
x86 stable
arm stable
sparc stable
ppc stable
ppc64 stable
Stable on alpha.
GLSA Vote: No