Bug 635514 (CVE-2017-15908) - <sys-apps/systemd-233-r5: Remote DNS server can cause infinite loop through custom crafted DNS NSEC resource record
Alias: CVE-2017-15908
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: CVE-2017-9217
Reported: 2017-10-26 16:37 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-11-24 21:50 UTC

Runtime testing required: ---
stable-bot: sanity-check+


Description Aleksandr Wagner (Kivak) 2017-10-26 16:37:30 UTC
CVE-2017-15908 (

In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service. 


Note: A patch is available upstream, however the commit has not been included in any releases yet.
Comment 1 Larry the Git Cow gentoo-dev 2017-10-26 21:37:17 UTC
The bug has been referenced in the following commit(s):

commit 06c2355e8eca30994fa0416793e2e04efd652c41
Author:     Mike Gilbert <>
AuthorDate: 2017-10-26 21:36:27 +0000
Commit:     Mike Gilbert <>
CommitDate: 2017-10-26 21:36:45 +0000

    sys-apps/systemd: backport fix for CVE-2017-15908
    Package-Manager: Portage-2.3.11_p4, Repoman-2.3.3_p62

 sys-apps/systemd/files/CVE-2017-15908.patch        |  39 ++
 sys-apps/systemd/systemd-233-r5.ebuild             | 461 +++++++++++++++++++++
 .../{systemd-235.ebuild => systemd-235-r1.ebuild}  |   1 +
 3 files changed, 501 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-10-27 13:50:08 UTC
x86 stable
Comment 3 Aleksandr Wagner (Kivak) 2017-11-08 17:22:51 UTC
systemd-233-r6 is in the tree and contains the fix for this CVE. Stabilization has occurred on bug 635718.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-24 21:50:52 UTC
GLSA Vote: No

cleanup will happen in bug 635718