Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622874 (CVE-2017-9445) - <sys-apps/systemd-233-r3: systemd-resolved: Out-of-bounds write via crafted TCP payload (CVE-2017-9445)
Summary: <sys-apps/systemd-233-r3: systemd-resolved: Out-of-bounds write via crafted T...
Status: RESOLVED FIXED
Alias: CVE-2017-9445
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-1000082
Blocks: CVE-2016-7795, CVE-2016-7796 623536
  Show dependency tree
 
Reported: 2017-06-27 20:42 UTC by GLSAMaker/CVETool Bot
Modified: 2017-10-08 19:52 UTC (History)
2 users (show)

See Also:
Package list:
sys-libs/libseccomp-2.3.2 arm sys-apps/systemd-233-r3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-06-27 20:42:49 UTC
CVE-2017-9445 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9445):
  Out-of-bounds write in systemd-resolved with crafted TCP payload.


Certain sizes passed to dns_packet_new can cause it to allocate a buffer
that's too small. A page-aligned number - sizeof(DnsPacket) +
sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a
page-aligned number - 80. Eg, calling dns_packet_new with a size of 4016
on x86 will result in an allocation of 4096 bytes, but 108 bytes of this
are for the DnsPacket struct.

A malicious DNS server can exploit this by responding with a specially
crafted TCP payload to trick systemd-resolved in to allocating a buffer
that's too small, and subsequently write arbitrary data beyond the end
of it.

Introduced by: https://github.com/systemd/systemd/commit/a0166609f782da91710dea9183d1bf138538db37
Comment 1 Mike Gilbert gentoo-dev 2017-06-28 17:03:17 UTC
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d6384e102e34db05c2897b20d63587173f141c5

commit 6d6384e102e34db05c2897b20d63587173f141c5
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Wed Jun 28 13:01:09 2017 -0400

    sys-apps/systemd: backport fix for CVE-2017-9445

    Bug: https://bugs.gentoo.org/622874
    Package-Manager: Portage-2.3.6_p9, Repoman-2.3.2_p77

 sys-apps/systemd/files/233-CVE-2017-9445.patch | 178 ++++++++++
 sys-apps/systemd/systemd-233-r2.ebuild         | 460 +++++++++++++++++++++++++
 2 files changed, 638 insertions(+)
Comment 2 Mike Gilbert gentoo-dev 2017-06-28 20:32:49 UTC
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9a542b09cb0ee4c3b085881190bed393f4ece03

commit e9a542b09cb0ee4c3b085881190bed393f4ece03
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Wed Jun 28 16:30:47 2017 -0400

    sys-apps/systemd: update CVE-2017-9445 patch after upstream revert

    Package-Manager: Portage-2.3.6_p9, Repoman-2.3.2_p77

 sys-apps/systemd/files/233-CVE-2017-9445.patch     | 29 ----------------------
 ...systemd-233-r2.ebuild => systemd-233-r3.ebuild} |  0
 2 files changed, 29 deletions(-)
Comment 3 Richard Freeman gentoo-dev 2017-06-28 22:16:04 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-30 11:13:45 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2017-07-07 06:19:04 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-07-07 09:12:16 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-07-07 13:27:38 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-07-07 14:53:02 UTC
ppc64 stable
Comment 9 Tobias Klausmann gentoo-dev 2017-07-16 11:12:45 UTC
Stable on alpha.
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-08 19:52:56 UTC
GLSA Vote: No