Bug 1455493 (CVE-2017-9217) - CVE-2017-9217 systemd: Null pointer dereference in dns_packet_is_reply_for function
Summary: CVE-2017-9217 systemd: Null pointer dereference in dns_packet_is_reply_for fu...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-9217
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1455495
Blocks: 1457410
TreeView+ depends on / blocked
 
Reported: 2017-05-25 10:38 UTC by Adam Mariš
Modified: 2021-02-17 02:06 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:13:27 UTC


Attachments (Terms of Use)

Description Adam Mariš 2017-05-25 10:38:15 UTC
systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section.

Upstream bug:

https://github.com/systemd/systemd/pull/5998

Upstream patch:

https://github.com/systemd/systemd/pull/6020/commits/9e74e781f176f3b930d9c202e20532f011a5d7bc

Comment 1 Adam Mariš 2017-05-25 10:38:49 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1455495]

Comment 4 Adam Mariš 2017-06-02 09:01:53 UTC
Analysis:

The issue was introduced in systemd v225 by following commit:

https://github.com/systemd/systemd/commit/f52e61da047d7fc74e83f12dbbf87e0cbcc51c73

The vulnerable code (dereferencing p->question->n_keys without first asserting on p->question) was first introduced in dns_transaction_process_reply function and later transferred to dns_packet_is_reply_for while doing refactoring in the following commit:

https://github.com/systemd/systemd/commit/8af5b883227ac8dfa796742b9edcc1647a5d4d6c

RHEL-7 ships systemd v219 that does not have this vulnerability.

Comment 5 Adam Mariš 2017-06-02 09:03:45 UTC
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7.


Note You need to log in before you can comment on or make changes to this bug.