Public bug reported:
Binary package hint: libnet-dns-perl
the XS implementation puts the return code of netdns_dn_expand into an
unsigned int instead of an int, so that it never finds out if the
function returned an error (e.g. <0).
The PP implementation goes into and endless loop exhausting the stack on
a mailformed DNS packet, where the string compression causes and endless
loop (e.g. the pointer in www.example.<pointer> points to 'www' again etc).
Both problems have been fixed in the attached diff which also contains a
test for this problem.
This allows remote attackers to cause a denial of service (stack consumption)
via a malformed compressed DNS packet with self-referencing pointers, which
triggers an infinite loop.
** Affects: libnet-dns-perl (Ubuntu)
Importance: High
Status: Fix Released
** Affects: libnet-dns-perl (Ubuntu Dapper)
Importance: Undecided
Status: New
** Affects: libnet-dns-perl (Ubuntu Edgy)
Importance: Undecided
Status: New
** Affects: libnet-dns-perl (Ubuntu Feisty)
Importance: High
Status: Confirmed
** Visibility changed to: Public
--
Bugs in dn_expand (XS and PP) on mailformed packages
https://bugs.launchpad.net/bugs/125236
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
