Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 620928 (CVE-2017-9430) - <net-analyzer/dnstracer-1.9-r2 : Stack-buffer overflow via a long name argument in command line
Summary: <net-analyzer/dnstracer-1.9-r2 : Stack-buffer overflow via a long name argume...
Status: RESOLVED FIXED
Alias: CVE-2017-9430
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-05 15:11 UTC by Agostino Sarubbo
Modified: 2018-04-08 13:30 UTC (History)
1 user (show)

See Also:
Package list:
=net-analyzer/dnstracer-1.9-r2
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-06-05 15:11:15 UTC
From ${URL} :

Stack-based buffer overflow in dnstracer through 1.9 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a command line with a long name 
argument that is mishandled in a strcpy call for argv[0]. An example threat model is a web application that launches dnstracer with an untrusted name string.

References:

https://cxsecurity.com/issue/WLB-2017060030
https://www.exploit-db.com/exploits/42115/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-02-07 23:27:31 UTC
@arches, please stabilize.
Comment 2 Agostino Sarubbo gentoo-dev 2018-02-09 08:39:50 UTC
amd64 stable
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-02-10 00:32:55 UTC
x86 stable
Comment 4 Sergei Trofimovich gentoo-dev 2018-02-10 17:42:23 UTC
commit 949f332373007d13d147ceaa10863926f5e21a86
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Sat Feb 10 10:53:42 2018 +0100

    net-analyzer/dnstracer: Stable for HPPA too.
Comment 5 Sergei Trofimovich gentoo-dev 2018-02-18 19:49:32 UTC
ia64 stable
Comment 6 Sergei Trofimovich gentoo-dev 2018-03-08 21:26:47 UTC
ppc64 stable
Comment 7 Markus Meier gentoo-dev 2018-04-08 10:47:53 UTC
arm stable, all arches done.
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-08 13:26:46 UTC
CVE calls out a DoS.  No PoC for ACE/RCE found.

Downgraded.

GLSA Vote: No
Comment 9 Larry the Git Cow gentoo-dev 2018-04-08 13:30:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85f923455730d39bb7722b54b58a606cc8d2acd7

commit 85f923455730d39bb7722b54b58a606cc8d2acd7
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-08 13:29:18 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-08 13:30:21 +0000

    net-analyzer/dnstracer: drop vulnerable
    
    Bug: https://bugs.gentoo.org/620928
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 net-analyzer/dnstracer/dnstracer-1.9-r1.ebuild | 19 -------------------
 1 file changed, 19 deletions(-)}