A vulnerability has been reported in ISC BIND, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system.

The vulnerability affects applications linked against libbind and is related to: SA28367

NOTE: The applications included in BIND 8 and 9 do not call the vulnerable function.

Solution: Please see vendor advisory for patch information.

Provided and/or discovered by: The vendor credits Nate Eldredge.

Original Advisory: http://www.isc.org/index.pl?/sw/bind/bind-security.php

Other References: SA28367: http://secunia.com/advisories/28367/
hm, the paper says that bind plus bindtools do not use these libs, so are there any packages in gentoo which use them?
The vulnerable file lib/bind/inet/inet_network.c does not get compiled with this USE combination:

[ebuild R ] net-dns/bind-9.4.1_p1 USE="berkdb idn ipv6 ldap ssl threads urandom -dlz -doc -mysql -odbc -postgres -resolvconf (-selinux)" 0 kB [1]

The file lib/Makefile.in says:

SUBDIRS = isc isccc dns isccfg bind9 lwres tests

The "bind" (not bind9) directory is not included there, so bind itself would be safe. Bind herd, do you agree here?
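The check made by hand in the comment above, as an added POSIX sh example that is not part of the bug thread: it reads SUBDIRS from lib/Makefile.in, tells whether lib/bind (and so inet_network.c) is actually compiled, and builds a constructed sample tree with the quoted SUBDIRS line rather than using a real net-dns/bind checkout.

```shell
#!/bin/sh
# Decide whether a BIND source tree really builds lib/bind (libbind) by reading
# SUBDIRS from lib/Makefile.in, as the comment above does by hand, and whether
# the vulnerable source file is shipped at all. Example code, not from the bug.
# Print the SUBDIRS list of a Makefile.in on one line, joining
# backslash-continued lines and squeezing whitespace to single spaces.
makefile_subdirs() {
    awk '
        /^SUBDIRS[ \t]*=/ { in_list = 1; sub(/^SUBDIRS[ \t]*=/, "") }
        in_list {
            more = ($0 ~ /\\$/)        # list continues on the next line?
            sub(/\\$/, "")
            printf "%s ", $0
            if (!more) in_list = 0
        }
    ' "$1" | tr -s ' \t' ' '
}

# Return 0 when word $2 occurs in the space-separated list $1.
list_has_word() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print "absent" (no inet_network.c shipped), "unbuilt" (shipped, but lib/bind
# is not in SUBDIRS: the case reported above) or "built" (compiled in).
libbind_status() {
    root=$1
    if [ ! -f "$root/lib/bind/inet/inet_network.c" ]; then
        echo absent
    elif list_has_word "$(makefile_subdirs "$root/lib/Makefile.in")" bind; then
        echo built
    else
        echo unbuilt
    fi
}

# Constructed sample tree mirroring the SUBDIRS line quoted above (a stand-in
# for a real net-dns/bind checkout); prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib/bind/inet"
    printf 'SUBDIRS = isc isccc dns isccfg bind9 lwres tests\n' > "$dir/lib/Makefile.in"
    : > "$dir/lib/bind/inet/inet_network.c"
    echo "$dir"
}

if [ -n "${1:-}" ]; then libbind_status "$1"; fi
```

Run it with an unpacked source root as the argument; "unbuilt" is the situation described in the comment, "built" means the libbind fix is needed.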
Created attachment 141492 [details]
List of tarballs containing inet_network.c

All packages that contain inet_network.c:

* net-dns/bind
* sys-freebsd/freebsd-contrib
* sys-freebsd/freebsd-lib
* sys-libs/newlib

And whoever needs ./openbsd-lib-3.8.tar.bz2:lib/libc/net/inet_network.c
(In reply to comment #2)
> The "bind" (not bind9) directory is not included there, so bind itself would be
> safe. Bind herd, do you agree here?
>

*ping*
Lu, it seems newlib is also affected by this. Please advise here.
Any news on this one?
(In reply to comment #4)
> (In reply to comment #2)
>
> > The "bind" (not bind9) directory is not included there, so bind itself would be
> > safe. Bind herd, do you agree here?
> >
>
> *ping*
>

timeout :( It's been almost one month now...
*** Bug 211089 has been marked as a duplicate of this bug. ***
(In reply to comment #4)
> Bind herd, do you agree here?

There's no herd here, mjolnir retired (Bug 159513) and voxus probably doesn't read the alias mail at all.
(In reply to comment #2)
> The "bind" (not bind9) directory is not included there, so bind itself would be
> safe. Bind herd, do you agree here?
>

yep
(In reply to comment #3)
> Created an attachment (id=141492) [edit]
> List of tarballs containing inet_network.c
>
> All packages that contain inet_network.c:
>
> * net-dns/bind
> * sys-freebsd/freebsd-contrib
> * sys-freebsd/freebsd-lib
> * sys-libs/newlib
>
> And whoever needs
> ./openbsd-lib-3.8.tar.bz2:lib/libc/net/inet_network.c
>

So bind seems ok, but what about the 3 others? Is there anything to do? Please advise.
> > * sys-freebsd/freebsd-contrib
> > * sys-freebsd/freebsd-lib

I don't think we use bind in bsd, but we had: http://security.freebsd.org/advisories/FreeBSD-SA-08:02.libc.asc which is patched in freebsd-lib-6.2-r4
sys-libs/newlib is masked, so closing as invalid