Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 635718 (CVE-2017-9217) - <sys-apps/systemd-233-r6: Denial of Service via crafted DNS response with an empty question section
Summary: <sys-apps/systemd-233-r6: Denial of Service via crafted DNS response with an ...
Status: RESOLVED FIXED
Alias: CVE-2017-9217
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/systemd/systemd/co...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-15908
  Show dependency tree
 
Reported: 2017-10-28 18:27 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-20 15:15 UTC (History)
1 user (show)

See Also:
Package list:
sys-apps/systemd-233-r6
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-28 18:27:04 UTC
CVE-2017-9217 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9217):
  systemd-resolved through 233 allows remote attackers to cause a denial of
  service (daemon crash) via a crafted DNS response with an empty question
  section.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-28 18:28:50 UTC
@Maintainers fix is available in 235, please call for stabilization when ready.

Thank you
Comment 2 Larry the Git Cow gentoo-dev 2017-10-28 18:58:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e698f887553690f3172ab1c1cabf36296dd901e

commit 2e698f887553690f3172ab1c1cabf36296dd901e
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2017-10-28 18:57:31 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2017-10-28 18:58:29 +0000

    sys-apps/systemd: backport fix for CVE-2017-9217
    
    Bug: https://bugs.gentoo.org/635718
    Package-Manager: Portage-2.3.12_p5, Repoman-2.3.3_p75

 sys-apps/systemd/files/CVE-2017-9217.patch |  28 ++
 sys-apps/systemd/systemd-233-r6.ebuild     | 462 +++++++++++++++++++++++++++++
 2 files changed, 490 insertions(+)}
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 20:48:30 UTC
ia64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 20:54:16 UTC
ppc/ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-10-29 15:55:53 UTC
amd64 stable
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-10-29 21:08:35 UTC
x86 stable
Comment 7 Tobias Klausmann gentoo-dev 2017-11-08 12:54:19 UTC
Stable on alpha.
Comment 8 Aleksandr Wagner (Kivak) 2017-11-08 17:20:21 UTC
@ Maintainer(s): Stabilization is complete, please clean the vulnerable
versions from the tree.

@ Security: Please vote on glsa.
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-12 14:05:37 UTC
@arm ping, we need you to finish stabilization before proceeding.

Thank you
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-19 20:35:46 UTC
ping @arm.
Comment 11 Markus Meier gentoo-dev 2017-11-24 06:03:41 UTC
arm stable, all arches done.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-24 21:51:04 UTC
GLSA Vote: No

@maintainer(s), please drop the vulnerable versions.
Comment 13 Larry the Git Cow gentoo-dev 2017-12-17 19:03:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3baee2f1beb124c37f0307acd2124f92218dae0c

commit 3baee2f1beb124c37f0307acd2124f92218dae0c
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2017-12-17 19:02:49 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2017-12-17 19:03:15 +0000

    sys-apps/systemd: remove old
    
    Bug: https://bugs.gentoo.org/635718
    Package-Manager: Portage-2.3.19_p1, Repoman-2.3.6_p35

 sys-apps/systemd/systemd-233-r4.ebuild | 460 --------------------------------
 sys-apps/systemd/systemd-233-r5.ebuild | 461 ---------------------------------
 2 files changed, 921 deletions(-)}
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-20 15:15:30 UTC
Tree is clean.