Bug 1455493 – CVE-2017-9217 systemd: Null pointer dereference in dns_packet_is_reply_for function

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1455493 - (CVE-2017-9217) CVE-2017-9217 systemd: Null pointer dereference in dns_packet_is_reply_for function

Summary:	CVE-2017-9217 systemd: Null pointer dereference in dns_packet_is_reply_for fu...

Status:	NEW

Aliases:	CVE-2017-9217

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20170520,reported=2...
Keywords:	Security

Depends On:	1455495
Blocks:	1457410
	Show dependency tree / graph

Reported:	2017-05-25 06:38 EDT by Adam Mariš
Modified:	2017-06-02 05:03 EDT (History)
CC List:	9 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2017-05-25 06:38:15 EDT

systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section.

Upstream bug:

https://github.com/systemd/systemd/pull/5998

Upstream patch:

https://github.com/systemd/systemd/pull/6020/commits/9e74e781f176f3b930d9c202e20532f011a5d7bc

Comment 1 Adam Mariš 2017-05-25 06:38:49 EDT

Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1455495]

Comment 4 Adam Mariš 2017-06-02 05:01:53 EDT

Analysis:

The issue was introduced in systemd v225 by following commit:

https://github.com/systemd/systemd/commit/f52e61da047d7fc74e83f12dbbf87e0cbcc51c73

The vulnerable code (dereferencing p->question->n_keys without first asserting on p->question) was first introduced in dns_transaction_process_reply function and later transferred to dns_packet_is_reply_for while doing refactoring in the following commit:

https://github.com/systemd/systemd/commit/8af5b883227ac8dfa796742b9edcc1647a5d4d6c

RHEL-7 ships systemd v219 that does not have this vulnerability.

Comment 5 Adam Mariš 2017-06-02 05:03:45 EDT

Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7.

Note You need to log in before you can comment on or make changes to this bug.