Bug 1483870 (CVE-2016-7069)

Summary: CVE-2016-7069 dnsdist: Crafted backend responses can cause a denial of service
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ruben, sander
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dnsdist 1.2.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-31 13:42:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1483872, 1483873    
Bug Blocks:    

Description Adam Mariš 2017-08-22 07:38:32 UTC 
An issue has been found in dnsdist in the way EDNS0 OPT records are handled when parsing responses from a backend. When dnsdist is configured to add EDNS Client Subnet to a query, the response may contain an EDNS0 OPT record that has to be removed before forwarding the response to the initial client. On a 32-bit system, the pointer arithmetic used when parsing the received response to remove that record might trigger an undefined behavior leading to a crash.

dnsdist up to and including 1.1.0 is affected on 32-bit systems. dnsdist 1.2.0 is not affected, dnsdist on 64-bit systems is not affected.

Reference:

https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-01.html
Comment 1 Adam Mariš 2017-08-22 07:39:09 UTC 
Created dnsdist tracking bugs for this issue:

Affects: epel-7 [bug 1483873]
Affects: fedora-all [bug 1483872]
Comment 2 Ruben Kerkhof 2018-05-31 13:42:21 UTC 
This was fixed in dnsdist-1.2.0-1.el7 and dnsdist-1.2.0-1.fc26