Bug 1463609 (CVE-2017-9445) - CVE-2017-9445 systemd: Out-of-bounds write in systemd-resolved due to allocating too small buffer in dns_packet_new
Summary: CVE-2017-9445 systemd: Out-of-bounds write in systemd-resolved due to allocat...
Status: CLOSED NOTABUG
Alias: CVE-2017-9445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170627,repo...
Keywords: Security
Depends On: 1465610 1465728
Blocks: 1463610
TreeView+ depends on / blocked
 
Reported: 2017-06-21 10:22 UTC by Adam Mariš
Modified: 2019-06-08 22:05 UTC (History)
13 users (show)

(edit)
An out-of-bounds write flaw was found in the way systemd-resolved daemon handled processing of DNS responses. A remote attacker could potentially use this flaw to crash the daemon or execute arbitrary code in the context of the daemon process.
Clone Of:
(edit)
Last Closed: 2017-06-29 10:47:34 UTC


Attachments (Terms of Use)
Proposed patch (1.78 KB, patch)
2017-06-21 10:28 UTC, Adam Mariš
no flags Details | Diff

Description Adam Mariš 2017-06-21 10:22:11 UTC
An out-of-bounds write in systemd-resolved due to allocating buffer that is too small in dns_packet_new was found. Malicious DNS server can exploit this by responding with specially crafted TCP payload to write arbitrary data beyond the allocated buffer.

Comment 1 Adam Mariš 2017-06-21 10:22:15 UTC
Acknowledgments:

Name: Chris Coulson (Canonical)

Comment 2 Adam Mariš 2017-06-21 10:28 UTC
Created attachment 1290017 [details]
Proposed patch

Comment 6 Dhiru Kholia 2017-06-23 06:57:12 UTC
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7.

Comment 8 Dhiru Kholia 2017-06-28 03:59:08 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1465728]

Comment 10 Andrej Nemec 2017-06-28 09:26:48 UTC
References:

http://seclists.org/oss-sec/2017/q2/618


Note You need to log in before you can comment on or make changes to this bug.