Bug 1463609 (CVE-2017-9445)

Summary: CVE-2017-9445 systemd: Out-of-bounds write in systemd-resolved due to allocating too small buffer in dns_packet_new
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: alick9188, dkholia, johannbg, lnykryn, msekleta, muadda, security-response-team, slawomir, ssahani, s, systemd-maint-list, systemd-maint, zbyszek
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was found in the way the systemd-resolved daemon processed DNS responses. A remote attacker could potentially use this flaw to crash the daemon or execute arbitrary code in the context of the daemon process.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-29 10:47:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1465610, 1465728
Bug Blocks: 1463610
Attachments:
Description Flags
Proposed patch none

Description Adam Mariš 2017-06-21 10:22:11 UTC
An out-of-bounds write in systemd-resolved due to allocating a buffer that is too small in dns_packet_new was found. A malicious DNS server can exploit this by responding with a specially crafted TCP payload to write arbitrary data beyond the allocated buffer.

Comment 1 Adam Mariš 2017-06-21 10:22:15 UTC
Acknowledgments:

Name: Chris Coulson (Canonical)

Comment 2 Adam Mariš 2017-06-21 10:28:42 UTC
Created attachment 1290017 [details]
Proposed patch

Comment 6 Dhiru Kholia 2017-06-23 06:57:12 UTC
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7.

Comment 8 Dhiru Kholia 2017-06-28 03:59:08 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1465728]

Comment 10 Andrej Nemec 2017-06-28 09:26:48 UTC
References:

http://seclists.org/oss-sec/2017/q2/618