Bug 429149 (CVE-2008-0122)

Summary: CVE-2008-0122 libbind off-by-one buffer overflow
Product: [Other] Security Response
Reporter: Adam Tkac <atkac>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: kreilly, ovasik, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-12-23 16:11:22 UTC
Bug Depends On: 429534, 430473, 658349
Attachments: patch for this issue (flags: none)

Comment 3 Tomas Hoger 2008-01-17 16:46:15 UTC

Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and
7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via crafted input that
triggers memory corruption.

Affected code is also used by ISC Bind library, which is affected by this
problem too.

Comment 4 Adam Tkac 2008-01-17 16:47:54 UTC
Created attachment 292030 [details]
patch for this issue

Comment 5 Tomas Hoger 2008-01-18 16:58:04 UTC
Issue is already public for libbind:


Comment 6 Tomas Hoger 2008-01-18 17:05:06 UTC
GNU libc implementation seems to be based on the very same BSD code used by
FreeBSD and ISC Bind, but has this change applied in all versions shipped with
Red Hat Enterprise Linux (the oldest version is 2.2.4).

From inet/inet_net.c:

        if (!digit)
                return (INADDR_NONE);
        if (pp >= parts + 4 || val > 0xff)
                return (INADDR_NONE);
        if (*cp == '.') {
                *pp++ = val, cp++;
                goto again;

Comment 7 Mark J. Cox 2008-01-21 11:42:46 UTC

This issue did not affect the versions of GNU libc as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

This issue affects the versions of libbind as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, and 5; however, the vulnerable function is not used by any
shipped applications.  The Red Hat Security Response Team has therefore rated
this issue as having low security impact; a future update may address this flaw.

Comment 9 Fedora Update System 2008-01-22 16:01:27 UTC
bind-9.4.2-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2008-01-27 11:07:29 UTC
This problem allows an attacker to write 1 unsigned long int value (4 or 8
bytes, depending on the platform used) beyond the end of the buffer.  This
overwrite is too short to modify function return address, so this problem does
not seem to be easily exploitable or verifiable using a reproducer.
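
The bound check quoted in comment 6 and the one-element overrun described in comment 10, as an added example that is not code from this bug, libbind or glibc: a decimal-only C re-creation of the inet_network() parse loop that takes either form of the check, run against a 5-slot buffer whose fifth slot is a guard so the store past parts[3] becomes visible. The names parse_network, run_guarded, guard_overwritten, net_value, NONE and GUARD, and the dropping of octal/hex parsing, are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>

#define NONE  0xffffffffUL  /* stands in for INADDR_NONE */
#define GUARD 0xdeadbeefUL  /* constructed sentinel for the slot past the 4 real ones */

/* Decimal-only re-creation of the inet_network() parse loop (hypothetical, not
 * the libbind or glibc code). parts is logically 4 entries; strict selects the
 * fixed check (pp >= parts + 4) or the pre-fix check (pp > parts + 4). */
static unsigned long parse_network(const char *cp, unsigned long *parts, bool strict)
{
    unsigned long *pp = parts, val;
    for (;;) {
        int digit = 0;
        for (val = 0; isdigit((unsigned char)*cp); cp++, digit = 1)
            val = val * 10 + (unsigned long)(*cp - '0');
        if (!digit)
            return NONE;
        /* The off-by-one: '>' lets pp == parts + 4 through, '>=' stops it. */
        if ((strict ? pp >= parts + 4 : pp > parts + 4) || val > 0xff)
            return NONE;
        if (*cp != '.')
            break;
        *pp++ = val; /* store this component and parse the next one */
        cp++;
    }
    if (*cp != '\0')
        return NONE;
    *pp++ = val; /* final store: lands on parts[4] under the pre-fix check */
    int n = (int)(pp - parts), i;
    if (n > 4)
        return NONE; /* rejected, but the out-of-bounds store already happened */
    for (val = 0, i = 0; i < n; i++)
        val = (val << 8) | (parts[i] & 0xff);
    return val;
}

/* Parse into a 5-slot buffer whose 5th slot is a guard, so the one-element
 * overrun described in comment 10 becomes observable; *hit reports it. */
static unsigned long run_guarded(const char *in, bool strict, bool *hit)
{
    unsigned long buf[5] = { 0, 0, 0, 0, GUARD }, v = parse_network(in, buf, strict);
    *hit = (buf[4] != GUARD);
    return v;
}
static bool guard_overwritten(const char *in, bool strict) { bool h; run_guarded(in, strict, &h); return h; }
static unsigned long net_value(const char *in, bool strict) { bool h; return run_guarded(in, strict, &h); }
```

With the pre-fix check, a constructed input such as "1.2.3.4.5" is still rejected with NONE, but guard_overwritten reports the guard slot clobbered: the rejection comes after the store, which is why the check had to become >=.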

Comment 15 Vincent Danen 2010-12-23 16:11:22 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0300)