Bug#844121: CVE-2016-9300, CVE-2016-9301, and CVE-2016-9302 are *NOT* valid bug reports

tags 844121 + wontfix notfound 844121 2.0.13-1.2 thanks Hi all In meanwhile the CVEs were properly rejected by MITRE. I'm closing this bugreport now. Regards, Salvatore

Bug#844121: CVE-2016-9300, CVE-2016-9301, and CVE-2016-9302 are *NOT* valid bug reports

Thank you for verifying this is not a bug. I would rather have a false bug report than have a real security issue out there that I’m not aware of. I should explain why the MaraDNS code is so messy and hard to follow: Back in 2001, there was precisely one and only one open-source DNS server:

Bug#844121: CVE-2016-9300, CVE-2016-9301, and CVE-2016-9302 are *NOT* valid bug reports [VR-554]

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Greetings, The CERT/CC is tracking this as VR-554, please retain VR-554 in the subject of future replies related to this issue. Considering the issue and CVE IDs are already being publicly discussed, we are unlikely to take further action at this

Bug#844121: CVE-2016-9300, CVE-2016-9301, and CVE-2016-9302 are *NOT* valid bug reports

Sam and others, I most deeply apologize, you are right in your assessment. I somehow missed the extra four additional sanity checks at the beginning of the getudp() function that seems to catch the error conditions on those input buffers. Cheers, -- Ondřej Surý Knot DNS

Bug#844121: CVE-2016-9300, CVE-2016-9301, and CVE-2016-9302 are *NOT* valid bug reports

CVE-2016-9300, CVE-2016-9301, and CVE-2016-9302 are *NOT* valid bug reports. Here’s the deal: The reporter had to patch MaraDNS before he was able to crash her. The patch, however, treats MaraDNS’ special buffer-overflow-resistant “js_string” as if it were an ordinary string — but it’s not.