Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87r4705mka.fsf@redhat.com>
Date: Tue, 18 Feb 2014 18:59:33 +0100
From: Martin Prpic <mprpic@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: MaraDNS DoS due to incorrect bounds checking on certain strings

Hi, can a CVE be assigned to the following issue?

It was reported that MaraDNS's recursive resolver, Deadwood, suffers
from a flaw where string bounds checking was not done correctly under
certain circumstances. As a result, it was possible for a remote
attacker to send Deadwood a "packet of death", which would cause
Deadwood to crash. Upstream notes that it currently appears that this
attack can only be exploited by an IP address with a permission to
perform recursive queries against Deadwood.

It looks like these are the appropriate patches in git:

https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093
https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3

References:

http://samiam.org/blog/2014-02-12.html
http://secunia.com/advisories/57033/
https://bugzilla.redhat.com/show_bug.cgi?id=1066609

-- 
Martin Prpič / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.