From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Jul 9 12:30:05 2008 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 434EE1065672 for ; Wed, 9 Jul 2008 12:30:05 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 2285C8FC2C for ; Wed, 9 Jul 2008 12:30:05 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m69CU4Yo027986 for ; Wed, 9 Jul 2008 12:30:04 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m69CU4Jh027983; Wed, 9 Jul 2008 12:30:04 GMT (envelope-from gnats) Resent-Date: Wed, 9 Jul 2008 12:30:04 GMT Resent-Message-Id: <200807091230.m69CU4Jh027983@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dennis Yusupoff Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 09CA1106566B for ; Wed, 9 Jul 2008 12:26:20 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id EFAF68FC19 for ; Wed, 9 Jul 2008 12:26:19 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m69CQJUs070381 for ; Wed, 9 Jul 2008 12:26:19 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.14.2/8.14.1/Submit) id m69CQIua070380; Wed, 9 Jul 2008 12:26:18 GMT (envelope-from nobody) Message-Id: <200807091226.m69CQIua070380@www.freebsd.org> Date: Wed, 9 Jul 2008 12:26:18 GMT From: Dennis Yusupoff To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: ports/125433: BIND: buffer overflow in inet_network() X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 12:30:05 -0000 >Number: 125433 >Category: ports >Synopsis: BIND: buffer overflow in inet_network() >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Jul 09 12:30:04 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Dennis Yusupoff >Release: No matter >Organization: Ozerki.Net ISP >Environment: No matter >Description: Description: An off-by-one error in the inet_network() function in libbind could lead to memory corruption with certain inputs. Impact: Applications linked against libbind which call inet_network() with untrusted inputs could lead to a denial-of-service or potentially code execution. http://www.isc.org/index.pl?/sw/bind/index.php >How-To-Repeat: >Fix: Solution: Upgrade to 9.3.5, 9.4.3, 9.5.0b2 or later when released. Otherwise, apply the patch below to: BIND 9: lib/bind/inet/inet_network.c BIND 8: lib/inet/inet_network.c Index: inet_network.c diff -u inet_network.c:1.5 inet_network.c:1.6 --- inet_network.c:1.5 Wed Apr 27 04:56:21 2005 +++ inet_network.c Tue Jan 15 04:02:01 2008 @@ -84,9 +84,9 @@ } if (!digit) return (INADDR_NONE); + if (pp >= parts + 4 || val > 0xffU) + return (INADDR_NONE); if (*cp == '.') { - if (pp >= parts + 4 || val > 0xffU) - return (INADDR_NONE); *pp++ = val, cp++; goto again; } Questions should be addressed to bind9-bugs@isc.org. Acknowledgements: ISC would like to thank Nate Eldredge for reporting this. >Release-Note: >Audit-Trail: >Unformatted: