Bug 673573 - (CVE-2011-0520) CVE-2011-0520 MaraDNS: Heap-based buffer overflow by processing long DNS hostname with a large number of labels
CVE-2011-0520 MaraDNS: Heap-based buffer overflow by processing long DNS host...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
public=20110123,reported=20110123,sou...
: Security
: 688987 (view as bug list)
Depends On: 673574
Blocks:
  Show dependency treegraph
 
Reported: 2011-01-28 14:36 EST by Jan Lieskovsky
Modified: 2016-06-10 18:33 EDT (History)
5 users (show)

See Also:
Fixed In Version: maradns 1.3.07.11, maradns 1.4.06
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-10 18:33:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2011-01-28 14:36:18 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0520 to
the following vulnerability:

The compress_add_dlabel_points function in dns/Compress.c in MaraDNS
1.4.03, 1.4.05, and probably other versions allows remote attackers to
cause a denial of service (segmentation fault) and possibly execute
arbitrary code via a long DNS hostname with a large number of labels,
which triggers a heap-based buffer overflow.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0520
[2] http://www.openwall.com/lists/oss-security/2011/01/24/1
[3] http://www.openwall.com/lists/oss-security/2011/01/24/6
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610834
[5] http://www.securityfocus.com/bid/45966
[6] http://osvdb.org/70630
[7] http://secunia.com/advisories/43027
[8] http://xforce.iss.net/xforce/xfdb/64885
Comment 1 Jan Lieskovsky 2011-01-28 14:40:55 EST
Was not able to reproduce the issue based on reproducer details:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610834#5

on maradns-1.3.07.09-3.fc12.i686 version, but look into the relevant
code part suggest:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610834#28

this version is affected, and we should fix it.
Comment 2 Jan Lieskovsky 2011-01-28 14:41:56 EST
Created maradns tracking bugs for this issue

Affects: fedora-all [bug 673574]
Comment 3 Tomas Hoger 2011-01-30 06:31:07 EST
Upstream post with more details and the fix:
  http://woodlane.webconquest.com/pipermail/list/2011-January/000784.html

Fixed upstream in versions 1.4.06 and 1.3.07.11.
Comment 4 Vincent Danen 2011-03-18 15:09:28 EDT
*** Bug 688987 has been marked as a duplicate of this bug. ***
Comment 5 Vincent Danen 2012-08-25 13:06:08 EDT
This is still unfixed in Fedora 16, no longer shipped in Fedora 17+.

Note You need to log in before you can comment on or make changes to this bug.