CVE-2008-0122: Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption. The affected code is also used by the ISC BIND library (libbind), which is affected by this problem too.
Created attachment 292030: patch for this issue
The issue is already public for libbind: http://marc.info/?l=bind-announce&m=120067515802939&w=2
The GNU libc implementation seems to be based on the very same BSD code used by FreeBSD and ISC BIND, but has this change applied in all versions shipped with Red Hat Enterprise Linux (the oldest version is 2.2.4). From inet/inet_net.c:

    if (!digit)
        return (INADDR_NONE);
    if (pp >= parts + 4 || val > 0xff)
        return (INADDR_NONE);
    if (*cp == '.') {
        *pp++ = val, cp++;
        goto again;
    }
Statement: This issue did not affect the versions of GNU libc as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue affects the versions of libbind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5; however, the vulnerable function is not used by any shipped applications. The Red Hat Security Response Team has therefore rated this issue as having low security impact. A future update may address this flaw. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0122
bind-9.4.2-3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This problem allows an attacker to write 1 unsigned long int value (4 or 8 bytes, depending on the platform used) beyond the end of the buffer. This overwrite is too short to modify a function return address, so this problem does not seem to be easily exploitable or verifiable using a reproducer.
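The one-element overrun described in the comment above, and the corrected glibc check quoted earlier in this bug, as an added example that is not code from this page, from FreeBSD, libbind or glibc: a self-contained C reimplementation of the inet_network() parsing loop modeled on the BSD logic, with the bounds check selectable so both behaviours can be run side by side. The page quotes only the corrected check (`pp >= parts + 4`); that the vulnerable form was `pp > parts + 4` is an assumption made here. The parts array is deliberately allocated with a fifth slot holding a canary so that the single out-of-bounds store lands on memory the example owns and can be detected without undefined behaviour. The names inet_network_impl, inet_network_vuln, inet_network_fixed, overruns, INADDR_NONE_VAL and CANARY are this example's own.

```c
/* Added example: reimplementation of the inet_network() parsing loop,
 * modeled on the BSD libc logic. Not the libc/libbind source itself. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INADDR_NONE_VAL 0xffffffffU   /* stands in for INADDR_NONE */
#define CANARY          0xdeadbeefU   /* marker placed just past parts[4] */

/* slots[0..3] play the role of the original's parts[4]; slots[4] is a
 * canary placed directly after it so a one-element overrun is observable.
 * fixed == 0 uses the assumed vulnerable check (pp > parts + 4);
 * fixed != 0 uses the corrected check (pp >= parts + 4) quoted from glibc. */
static uint32_t inet_network_impl(const char *cp, int fixed, uint32_t slots[5])
{
    uint32_t *parts = slots;       /* logical 4-element array */
    uint32_t *pp = parts;
    uint32_t val, base, n;
    int digit, i;
    char c;

    memset(slots, 0, 5 * sizeof slots[0]);
    slots[4] = CANARY;

again:
    val = 0; base = 10; digit = 0;
    if (*cp == '0') { digit = 1; base = 8; cp++; }      /* leading 0: octal */
    if (*cp == 'x' || *cp == 'X') { base = 16; cp++; }   /* 0x: hex */
    while ((c = *cp) != '\0') {
        if (isdigit((unsigned char)c)) {
            if (base == 8 && (c == '8' || c == '9'))
                return INADDR_NONE_VAL;
            val = val * base + (uint32_t)(c - '0');
            cp++; digit = 1;
            continue;
        }
        if (base == 16 && isxdigit((unsigned char)c)) {
            val = (val << 4) +
                  (uint32_t)(c + 10 - (islower((unsigned char)c) ? 'a' : 'A'));
            cp++; digit = 1;
            continue;
        }
        break;
    }
    if (!digit)
        return INADDR_NONE_VAL;
    /* The bounds check. The vulnerable form lets pp == parts + 4 through,
     * so the stores below land on slots[4], one element past the array. */
    if ((fixed ? pp >= parts + 4 : pp > parts + 4) || val > 0xff)
        return INADDR_NONE_VAL;
    if (*cp == '.') { *pp++ = val; cp++; goto again; }
    if (*cp != '\0' && !isspace((unsigned char)*cp))
        return INADDR_NONE_VAL;
    *pp++ = val;                   /* out-of-bounds store on the vulnerable path */
    n = (uint32_t)(pp - parts);
    if (n > 4)
        return INADDR_NONE_VAL;    /* too late: the store already happened */
    for (val = 0, i = 0; i < (int)n; i++) {
        val <<= 8;
        val |= parts[i] & 0xff;
    }
    return val;
}

uint32_t inet_network_vuln(const char *cp)
{
    uint32_t slots[5];
    return inet_network_impl(cp, 0, slots);
}

uint32_t inet_network_fixed(const char *cp)
{
    uint32_t slots[5];
    return inet_network_impl(cp, 1, slots);
}

/* 1 if parsing `input` with the chosen variant clobbered the canary. */
int overruns(const char *input, int fixed)
{
    uint32_t slots[5];
    (void)inet_network_impl(input, fixed, slots);
    return slots[4] != CANARY;
}

int main(void)
{
    /* Constructed inputs: a normal network number and the five-part one
     * that reaches the off-by-one. */
    const char *inputs[] = { "1.2.3.4", "127.1", "1.2.3.4.5", "1.2.3.4.5.6" };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++)
        printf("%-12s vuln=0x%08x overrun=%d | fixed=0x%08x overrun=%d\n",
               inputs[k],
               inet_network_vuln(inputs[k]),  overruns(inputs[k], 0),
               inet_network_fixed(inputs[k]), overruns(inputs[k], 1));
    return 0;
}
```

Both variants reject "1.2.3.4.5" with INADDR_NONE, which is why the bug is hard to see from return values alone: the difference is that the vulnerable path has already stored the fifth component past the end of the array before the `n > 4` check runs, and exactly one element is written even with more trailing components, matching the comment above.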
This was addressed via: Red Hat Enterprise Linux version 5 (RHSA-2008:0300)