Bug 429149 (CVE-2008-0122) - CVE-2008-0122 libbind off-by-one buffer overflow
Summary: CVE-2008-0122 libbind off-by-one buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-0122
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 429534 430473 658349
Blocks:
Reported: 2008-01-17 16:23 UTC by Adam Tkac
Modified: 2021-02-25 17:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-23 16:11:22 UTC
Embargoed:


Attachments
patch for this issue (607 bytes, patch)
2008-01-17 16:47 UTC, Adam Tkac


Links:
Red Hat Product Errata RHSA-2008:0300 (Status: SHIPPED_LIVE, Priority: normal): Moderate: bind security, bug fix, and enhancement update (last updated 2008-05-21 14:17:18 UTC)

Comment 3 Tomas Hoger 2008-01-17 16:46:15 UTC
CVE-2008-0122:

Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and
7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via crafted input that
triggers memory corruption.


Affected code is also used by the ISC Bind library, which is affected by this
problem too.

Comment 4 Adam Tkac 2008-01-17 16:47:54 UTC
Created attachment 292030
patch for this issue

Comment 5 Tomas Hoger 2008-01-18 16:58:04 UTC
Issue is already public for libbind:

http://marc.info/?l=bind-announce&m=120067515802939&w=2

Comment 6 Tomas Hoger 2008-01-18 17:05:06 UTC
GNU libc implementation seems to be based on the very same BSD code used by
FreeBSD and ISC Bind, but has this change applied in all versions shipped with
Red Hat Enterprise Linux (the oldest version is 2.2.4).


From inet/inet_net.c:

        if (!digit)
                return (INADDR_NONE);
        if (pp >= parts + 4 || val > 0xff)
                return (INADDR_NONE);
        if (*cp == '.') {
                *pp++ = val, cp++;
                goto again;
        }


Comment 7 Mark J. Cox 2008-01-21 11:42:46 UTC
Statement:

This issue did not affect the versions of GNU libc as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

This issue affects the versions of libbind as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, and 5; however, the vulnerable function is not used by any
shipped applications.  The Red Hat Security Response Team has therefore rated
this issue as having low security impact; a future update may address this flaw.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0122

Comment 9 Fedora Update System 2008-01-22 16:01:27 UTC
bind-9.4.2-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2008-01-27 11:07:29 UTC
This problem allows an attacker to write 1 unsigned long int value (4 or 8
bytes, depending on the platform used) beyond the end of the buffer.  This
overwrite is too short to modify a function return address, so this problem does
not seem to be easily exploitable or verifiable using a reproducer.

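The off-by-one described in comments 6 and 10, as an added example that is not code from the bug report, glibc or libbind: a decimal-only model of the BSD inet_network() parsing loop with the pre-fix comparison (pp > parts + 4, which this page does not quote) selectable beside the corrected one shown in comment 6. The caller-supplied buffer, its capacity and the returned slot count are this model's own additions, so the extra store is reported instead of corrupting the stack.

```c
/* Added example, not from the bug report, glibc or libbind: a decimal-only
 * model of the BSD inet_network() parsing loop.  The real function keeps
 * in_addr_t parts[4] on the stack; here the caller passes a larger buffer and
 * gets back how many slots were stored, so the overrun is observable. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#define PARTS_MAX 4                /* the real array is parts[4] */
#define PARSE_NONE ((size_t)-1)    /* stands in for INADDR_NONE */

/* Returns the number of slots written to parts[], or PARSE_NONE on rejection.
 * fixed != 0 uses the corrected check (pp >= parts + 4, as quoted from glibc
 * in comment 6); fixed == 0 uses the pre-fix form (pp > parts + 4), which
 * still accepts pp == parts + 4 and therefore stores one value past the end. */
static size_t parse_parts(const char *cp, unsigned long *parts, size_t cap, int fixed)
{
    unsigned long *pp = parts;
    for (;;) {
        unsigned long val = 0;
        int digit = 0;
        while (isdigit((unsigned char)*cp)) {
            val = val * 10 + (unsigned long)(*cp++ - '0');
            digit = 1;
        }
        if (!digit)
            return PARSE_NONE;
        if ((fixed ? pp >= parts + PARTS_MAX : pp > parts + PARTS_MAX) || val > 0xff)
            return PARSE_NONE;
        if ((size_t)(pp - parts) >= cap)   /* guard for this model only */
            return PARSE_NONE;
        *pp++ = val;                       /* the store the check must bound */
        if (*cp != '.')
            break;
        cp++;
    }
    /* The real function rejects more than four parts after this point, but by
     * then the fifth value has already been written. */
    return (size_t)(pp - parts);
}

int main(void)
{
    unsigned long buf[8] = {0};
    size_t n = parse_parts("1.2.3.4.5", buf, 8, 0);
    printf("pre-fix check stored %zu slots; slot 4 = %lu\n", n, buf[4]);
    n = parse_parts("1.2.3.4.5", buf, 8, 1);
    printf("fixed check: %s\n", n == PARSE_NONE ? "rejected" : "accepted");
    return 0;
}
```

With a five-part input the pre-fix check reports five slots stored (the one beyond parts[3] being the single unsigned long overwrite from comment 10), while the corrected check rejects the input before that store.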

Comment 15 Vincent Danen 2010-12-23 16:11:22 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0300)

