systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section.

Upstream bug:
https://github.com/systemd/systemd/pull/5998

Upstream patch:
https://github.com/systemd/systemd/pull/6020/commits/9e74e781f176f3b930d9c202e20532f011a5d7bc
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1455495]
Analysis:

The issue was introduced in systemd v225 by the following commit:
https://github.com/systemd/systemd/commit/f52e61da047d7fc74e83f12dbbf87e0cbcc51c73

The vulnerable code (dereferencing p->question->n_keys without first asserting on p->question) was first introduced in the dns_transaction_process_reply function and later transferred to dns_packet_is_reply_for while doing refactoring in the following commit:
https://github.com/systemd/systemd/commit/8af5b883227ac8dfa796742b9edcc1647a5d4d6c

RHEL-7 ships systemd v219 that does not have this vulnerability.
Statement: This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7.
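
A simplified C model of the flaw described in the analysis above, added here as an illustration; it is not systemd's code. The type and function names (Packet, Question, packet_extract, is_reply_for_unchecked, is_reply_for_checked, check_reply) and the two sample headers are constructed for this example, and the model assumes that a header with QDCOUNT 0 leaves the question pointer NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-ins for the resolver's packet types (hypothetical names). */
typedef struct { size_t n_keys; } Question;
typedef struct { uint16_t id; int is_reply; Question *question; } Packet;

/* Parse only the 12-byte DNS header. Assumption of this model: when QDCOUNT
 * is 0 no Question object is allocated, so pkt->question stays NULL. */
int packet_extract(const uint8_t *buf, size_t len, Packet *pkt) {
    if (len < 12)
        return -1;
    pkt->id = (uint16_t)((buf[0] << 8) | buf[1]);
    pkt->is_reply = (buf[2] & 0x80) != 0;                 /* QR bit */
    uint16_t qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    pkt->question = NULL;
    if (qdcount > 0) {
        pkt->question = calloc(1, sizeof(Question));
        if (!pkt->question)
            return -1;
        pkt->question->n_keys = qdcount;
    }
    return 0;
}

/* Pattern from the analysis: n_keys is read through a pointer that may be
 * NULL. Kept only for comparison; it faults when the question is absent. */
int is_reply_for_unchecked(const Packet *p) {
    return p->is_reply && p->question->n_keys == 1;
}

/* Guarded form: a reply without a question section matches no transaction. */
int is_reply_for_checked(const Packet *p) {
    if (!p->is_reply || !p->question)
        return 0;
    return p->question->n_keys == 1;
}

/* Constructed sample headers: QR bit set, QDCOUNT = 0 and QDCOUNT = 1. */
const uint8_t reply_no_question[12]  = {0x12,0x34,0x81,0x80, 0,0, 0,1, 0,0, 0,0};
const uint8_t reply_one_question[12] = {0x12,0x34,0x81,0x80, 0,1, 0,1, 0,0, 0,0};

/* Returns 1 if the buffer parses and the guarded check accepts it, else 0. */
int check_reply(const uint8_t *buf, size_t len) {
    Packet p;
    if (packet_extract(buf, len, &p) < 0)
        return 0;
    int matched = is_reply_for_checked(&p);
    free(p.question);
    return matched;
}
```
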