[linux-security] buffer overflow in resolver library functions (RedHat addendum)



On Thu, Jul 25, 2002 at 08:02:09PM -0700, Martin Siegert wrote:
> Topic
> =====
> buffer overflow in DNS resolver library functions.
> 
> Problem Description
> ===================
> A buffer overflow vulnerability has been found in the way some resolver
> library functions handle the resolution of network names and addresses
> via DNS (as per Internet RFC 1011). These resolver functions are included
> in the GNU libc library and the libbind library distributed with the
> bind packages.
> 
> The bug itself is a buffer overflow that can be exploited if an attacker
> sets up a malicious DNS server that sends multiple CNAME records in a
> DNS response. This could lead to the execution of arbitrary code.
> 
> A system is vulnerable to this issue only if the "networks" database
> in /etc/nsswitch.conf includes the "dns" entry.
> 
> Affected Systems
> ================
> glibc versions 2.2.5 and earlier
> versions of libbind from all bind 4 versions from 4.8.3 prior to 4.9.9
>                          all bind 8 versions prior to 8.2.6
>                          all bind 8 versions from 8.3.x prior to 8.3.3
>                          bind 9.2.0 and 9.2.1
> 
> Workaround
> ==========
> remove "dns" from the "networks" line in /etc/nsswitch.conf, i.e., set
> 
> networks:   files
> 
> in /etc/nsswitch.conf. For most distributions this is the default anyway.
> Thus you are unlikely to be vulnerable to this issue.
> 
> Solution
> ========
> upgrade glibc to a patched version
> upgrade the package that contains libbind to either version 4.9.9,
> 8.2.6, or 8.3.3 (there is no updated version for bind 9 yet. However,
> bind 9 uses a copy of the bind 8.3.x resolver library. Thus, the
> resolver library (lib/bind) from bind-8.3.3 can be used to patch bind 9
> versions).

In the first version of this advisory RedHat did not provide any updated
packages for the bind vulnerabilities. Below you find the missing update
information.

RedHat 6.x
----------
rpm -Fvh bind-9.2.1-0.6x.3.i386.rpm \
         bind-devel-9.2.1-0.6x.3.i386.rpm \
         bind-utils-9.2.1-0.6x.3.i386.rpm

RedHat 7.0
----------
rpm -Fvh bind-9.2.1-0.70.2.i386.rpm \
         bind-devel-9.2.1-0.70.2.i386.rpm \
         bind-utils-9.2.1-0.70.2.i386.rpm

RedHat 7.1
----------
rpm -Fvh bind-9.2.1-0.71.1.i386.rpm \
         bind-devel-9.2.1-0.71.1.i386.rpm \
         bind-utils-9.2.1-0.71.1.i386.rpm

RedHat 7.2, 7.3
---------------
rpm -Fvh bind-9.2.1-1.7x.2.i386.rpm \
         bind-devel-9.2.1-1.7x.2.i386.rpm \
         bind-utils-9.2.1-1.7x.2.i386.rpm
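
The exposure condition and workaround quoted above ("dns" in the "networks" line of /etc/nsswitch.conf) can be checked with a small script. This is an added example, not part of the original advisory or message; the function names, status strings and sample configurations are assumptions constructed for illustration. A file with no "networks" line is reported as "unset", because the effective sources then come from the C library's built-in default and need a manual look.

```shell
#!/bin/sh
# Added example: classify the "networks" database of an nsswitch.conf
# read from stdin. Prints one of: dns-enabled | no-dns | unset
networks_dns_status() {
    awk '
        { sub(/#.*/, "") }                      # drop comments first
        /^[ \t]*networks[ \t]*:/ {
            found = 1
            line = $0
            sub(/^[^:]*:/, "", line)            # keep only the source list
            gsub(/\[[^]]*\]/, " ", line)        # drop [STATUS=action] items
            n = split(line, src, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (src[i] == "dns") dns = 1
        }
        END {
            if (!found)   print "unset"         # libc default applies
            else if (dns) print "dns-enabled"   # condition named in the advisory
            else          print "no-dns"        # workaround already in place
        }
    '
}

# Constructed sample configurations (not taken from any real host).
sample_with_dns() {
    printf '%s\n' 'hosts:      files dns' \
                  'networks:   files [NOTFOUND=return] dns  # legacy'
}
sample_files_only() {
    printf '%s\n' 'hosts:      files dns' \
                  '#networks:  files dns' \
                  'networks:   files'
}
sample_unset() {
    printf '%s\n' 'hosts:      files dns'
}

# Real use: networks_dns_status < /etc/nsswitch.conf
for s in sample_with_dns sample_files_only sample_unset; do
    printf '%-18s %s\n' "$s" "$($s | networks_dns_status)"
done
```

Only the "networks" line is inspected: a "dns" entry on the "hosts" line or in a commented-out line does not count.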