Bug 429149 - (CVE-2008-0122) CVE-2008-0122 libbind off-by-one buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
source=redhat,reported=20080117,publi...
Keywords: Security
Depends On: 429534 430473 658349
Reported: 2008-01-17 11:23 EST by Adam Tkac
Modified: 2016-03-09 09:35 EST (History)
Doc Type: Bug Fix
Last Closed: 2010-12-23 11:11:22 EST

Attachments
patch for this issue (607 bytes, patch)
2008-01-17 11:47 EST, Adam Tkac
Comment 3 Tomas Hoger 2008-01-17 11:46:15 EST
CVE-2008-0122:

Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and
7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via crafted input that
triggers memory corruption.
Affected code is also used by ISC Bind library, which is affected by this
problem too.
Comment 4 Adam Tkac 2008-01-17 11:47:54 EST
Created attachment 292030 [details]
patch for this issue
Comment 5 Tomas Hoger 2008-01-18 11:58:04 EST
Issue is already public for libbind:

http://marc.info/?l=bind-announce&m=120067515802939&w=2
Comment 6 Tomas Hoger 2008-01-18 12:05:06 EST
GNU libc implementation seems to be based on the very same BSD code used by
FreeBSD and ISC Bind, but has this change applied in all versions shipped with
Red Hat Enterprise Linux (the oldest version is 2.2.4).
From inet/inet_net.c:

        if (!digit)
                return (INADDR_NONE);
        if (pp >= parts + 4 || val > 0xff)
                return (INADDR_NONE);
        if (*cp == '.') {
                *pp++ = val, cp++;
                goto again;
        }
Comment 7 Mark J. Cox (Product Security) 2008-01-21 06:42:46 EST
Statement:

This issue did not affect the versions of GNU libc as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

This issue affects the versions of libbind as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, and 5; however, the vulnerable function is not used by any
shipped applications. The Red Hat Security Response Team has therefore rated
this issue as having low security impact; a future update may address this flaw.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0122
Comment 9 Fedora Update System 2008-01-22 11:01:27 EST
bind-9.4.2-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2008-01-27 06:07:29 EST
This problem allows an attacker to write 1 unsigned long int value (4 or 8
bytes, depending on the platform used) beyond the end of the buffer. This
overwrite is too short to modify a function return address, so this problem does
not seem to be easily exploitable or verifiable using a reproducer.
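Added illustration of the bound check discussed in comments 6 and 10 (this is constructed example code, not glibc's or libbind's own inet_network): a simplified component loop that stores dotted decimal components into a four-element array using the `pp >= parts + 4` guard from the glibc excerpt. The weaker `pp > parts + 4` form is assumed here to be the pre-fix check; the function name `parse_components` and its return convention are the example's own.

```c
/*
 * Constructed illustration of the component loop in inet_network(), not
 * glibc's or libbind's code.  It parses a dotted string of decimal
 * components into parts[4] using the bound check quoted in comment 6.
 * Returns the number of components stored, or -1 if the input is rejected.
 */
int parse_components(const char *cp, unsigned long parts[4])
{
    unsigned long *pp = parts;   /* next free slot in parts[] */
    unsigned long val;
    int digit;

again:
    val = 0;
    digit = 0;
    while (*cp >= '0' && *cp <= '9') {
        val = val * 10 + (unsigned long)(*cp++ - '0');
        digit = 1;
        if (val > 0xff)          /* stop early so val cannot wrap */
            return -1;
    }
    if (!digit)
        return -1;
    /*
     * Corrected guard, as in the glibc excerpt.  After four components
     * pp == parts + 4, so a fifth component is rejected before either
     * store below runs.  With the weaker "pp > parts + 4" (assumed here
     * to be the pre-fix form) the fifth component would be stored at
     * parts[4], one unsigned long past the end of the array, which is
     * the overwrite comment 10 describes.
     */
    if (pp >= parts + 4 || val > 0xff)
        return -1;
    if (*cp == '.') {
        *pp++ = val, cp++;
        goto again;
    }
    if (*cp != '\0')             /* trailing junk is rejected */
        return -1;
    *pp++ = val;                 /* final component */
    return (int)(pp - parts);
}
```

A five-component input such as "1.2.3.4.5" is rejected with the `>=` guard and leaves anything placed after parts[3] untouched, which is the property a regression check for this fix should assert.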
Comment 15 Vincent Danen 2010-12-23 11:11:22 EST
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0300)
