BIND Security Advisory notification-Severity - Low VU#203611, CVE-2008-0122 (also submitted as CVE-2007-6251)

ISC Customer Support sue_graves at isc.org
Fri Jan 18 15:49:08 UTC 2008


Please Note:
This vulnerability, already released by FreeBSD, is considered to be
very low risk, and ISC is publishing this as an advisory only and
will put the fix into the next release of BIND.
Those using Operating Systems with embedded BIND software utilizing the
BIND8 lib resolver should read the following to determine if you feel
you may be at risk.
__________________________________________________________________

Internet Systems Consortium Security Advisory.
BIND: buffer overflow in inet_network()
18 January 2008

Versions affected:

	BIND 8 (all versions)
	BIND 9.0 (all versions)
	BIND 9.1 (all versions)
	BIND 9.2 (all versions)
	BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4
	BIND 9.4.0, 9.4.1, 9.4.2
	BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5, 9.5.0a6,
	     9.5.0a7, 9.5.0b1

Severity: Low

Description:

	An off-by-one error in the inet_network() function in libbind
	could lead to memory corruption with certain inputs.

Impact:

	Applications linked against libbind which call inet_network()
	with untrusted inputs could lead to a denial-of-service or
	potentially code execution.

	None of the applications shipped with BIND 8 or BIND 9 call
	inet_network().

Workaround:

	None

Fix:

	Upgrade to 9.3.5, 9.4.3, 9.5.0b2 or later when released.

	Otherwise, apply the patch below to:

	BIND 9: lib/bind/inet/inet_network.c
	BIND 8: lib/inet/inet_network.c


	Questions should be addressed to bind9-bugs at isc.org.

CVE:CVE-2008-0122 (also submitted as CVE-2007-6251)
VU#203611

Acknowledgement:

	ISC would like to thank Nate Eldredge for reporting this.
	

Revision History:

Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5	Wed Apr 27 04:56:21 2005
+++ inet_network.c	Tue Jan 15 04:02:01 2008
@@ -84,9 +84,9 @@
 	}
 	if (!digit)
 		return (INADDR_NONE);
+	if (pp >= parts + 4 || val > 0xffU)
+		return (INADDR_NONE);
 	if (*cp == '.') {
-		if (pp >= parts + 4 || val > 0xffU)
-			return (INADDR_NONE);
 		*pp++ = val, cp++;
 		goto again;
 	}





More information about the bind-announce mailing list