Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 206847 (CVE-2008-0122) - net-dns/bind-* libbind "inet_network()" Off-By-One Vulnerability (CVE-2008-0122)
Summary: net-dns/bind-* libbind "inet_network()" Off-By-One Vulnerability (CVE-2008-0122)
Status: RESOLVED INVALID
Alias: CVE-2008-0122
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28579/
Whiteboard: [invalid]
Keywords:
: 211089 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-01-21 11:00 UTC by Lars Hartmann
Modified: 2010-10-07 22:26 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
List of tarballs containing inet_network.c (inet_network.packages,1.71 KB, text/plain)
2008-01-21 17:50 UTC, Robert Buchholz (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2008-01-21 11:00:05 UTC
A vulnerability has been reported in ISC BIND, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system.

The vulnerability affects applications linked against libbind and is related to:
SA28367

NOTE: The applications included in BIND 8 and 9 do not call the vulnerable function.

Solution:
Please see vendor advisory for patch information.

Provided and/or discovered by:
The vendor credits Nate Eldredge.

Original Advisory:
http://www.isc.org/index.pl?/sw/bind/bind-security.php

Other References:
SA28367:
http://secunia.com/advisories/28367/
Comment 1 Lars Hartmann 2008-01-21 11:00:51 UTC
hm the paper says that bind plus bindtools do not use this libs, so are there any packages in gentoo which use em?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-21 17:16:45 UTC
The vulnerable file
  lib/bind/inet/inet_network.c

does not get compiled with this USE combination:
[ebuild   R   ] net-dns/bind-9.4.1_p1  USE="berkdb idn ipv6 ldap ssl threads urandom -dlz -doc -mysql -odbc -postgres -resolvconf (-selinux)" 0 kB [1]

The file lib/Makefile.in says:
SUBDIRS =       isc isccc dns isccfg bind9 lwres tests

The "bind" (not bind9) directory is not included there, so bind itself would be safe. Bind herd, do you agree here?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-01-21 17:50:21 UTC
Created attachment 141492 [details]
List of tarballs containing inet_network.c

All packages that contain inet_network.c:

* net-dns/bind
* sys-freebsd/freebsd-contrib
* sys-freebsd/freebsd-lib
* sys-libs/newlib

And whoever needs
./openbsd-lib-3.8.tar.bz2:lib/libc/net/inet_network.c
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-06 22:32:20 UTC
(In reply to comment #2)

> The "bind" (not bind9) directory is not included there, so bind itself would be
> safe. Bind herd, do you agree here?
> 

*ping*
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 21:43:27 UTC
Lu, it seems newlib is also affected by this. Please advise here.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 20:48:56 UTC
Any news on this one?
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-04 13:52:52 UTC
(In reply to comment #4)
> (In reply to comment #2)
> 
> > The "bind" (not bind9) directory is not included there, so bind itself would be
> > safe. Bind herd, do you agree here?
> > 
> 
> *ping*
> 

timeout :(
It's been almost one month now...

Comment 8 Jakub Moc (RETIRED) gentoo-dev 2008-03-28 15:20:02 UTC
*** Bug 211089 has been marked as a duplicate of this bug. ***
Comment 9 Jakub Moc (RETIRED) gentoo-dev 2008-03-28 15:23:06 UTC
(In reply to comment #4)
> Bind herd, do you agree here?

There's no herd here, mjolnir retired (Bug 159513) and voxus probably doesn't read the alias mail at all.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-03 19:54:13 UTC
(In reply to comment #2)
> The "bind" (not bind9) directory is not included there, so bind itself would be
> safe. Bind herd, do you agree here?
> 

yep
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-06 14:29:04 UTC
(In reply to comment #3)
> Created an attachment (id=141492) [edit]
> List of tarballs containing inet_network.c
> 
> All packages that contain inet_network.c:
> 
> * net-dns/bind
> * sys-freebsd/freebsd-contrib
> * sys-freebsd/freebsd-lib
> * sys-libs/newlib
> 
> And whoever needs
> ./openbsd-lib-3.8.tar.bz2:lib/libc/net/inet_network.c
> 

So bind seems ok, but what about the 3 others? Is there anything to do? please advise.
Comment 12 Alexis Ballier gentoo-dev 2008-05-17 21:56:54 UTC
> > * sys-freebsd/freebsd-contrib
> > * sys-freebsd/freebsd-lib

I dont think we use bind in bsd, but we had:
http://security.freebsd.org/advisories/FreeBSD-SA-08:02.libc.asc
which is patched in freebsd-lib-6.2-r4
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-07 22:26:02 UTC
sys-libs/newlib is masked, so closing as invalid