|Summary:||net/mDNSResponder resolv.conf parsing has a buffer overflow, also leaks fd|
|Product:||Ports & Packages||Reporter:||Juli Mallett <jmallett>|
|Component:||Individual Port(s)||Assignee:||Rene Ladan <rene>|
|Severity:||Affects Only Me||CC:||bsdashsan|
Description Juli Mallett 2010-05-26 06:07:50 UTC
mdnsd will crash on some systems with a corrupt stack and once that's fixed it will still leak a file descriptor when parsing resolv.conf. The crash is because scanf is used with %10s for a buffer that is only 10 chars long. The buffer size needs increased to 11 chars to hold the trailing NUL. To fix the leak, an fclose needs added.

Fix: Apply attached patch in mDNSPosix. Patch attached with submission follows:

How-To-Repeat: Run mdnsd on an unlucky system.
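The two defects described in the report above, shown as an added example with both fixes applied (this is not the mDNSResponder source or the attached patch). The function names, the sample file contents and the descriptor-probe check are assumptions constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L           /* for fileno() */
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not mDNSResponder code: counts "nameserver" lines in a
 * resolv.conf-style file. Returns the count, or -1 if the file cannot be opened. */
int count_nameservers(const char *path)
{
    char line[256];
    /* %10s stores up to 10 characters plus a terminating NUL. "nameserver" is
     * exactly 10 characters, so with keyword[10] the NUL lands one byte past
     * the array on every valid line. 11 bytes is the minimum. */
    char keyword[11];
    char server[16];                      /* %15s plus NUL */
    int count = 0;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    while (fgets(line, sizeof line, fp) != NULL) {
        if (sscanf(line, "%10s %15s", keyword, server) != 2)
            continue;
        if (strcmp(keyword, "nameserver") == 0)
            count++;
    }
    fclose(fp);                           /* without this, each call leaks one descriptor */
    return count;
}

/* Writes a constructed sample file and returns the parsed count. */
int demo_count(const char *path)
{
    FILE *out = fopen(path, "w");
    if (out == NULL) return -1;
    fputs("# constructed sample\ndomain example.test\n"
          "nameserver 192.0.2.53\nnameserver 192.0.2.54\n", out);
    fclose(out);
    return count_nameservers(path);
}

/* Returns 1 if 100 parses leave the lowest free descriptor unchanged. */
int demo_no_fd_leak(const char *path)
{
    int before, after, i;
    FILE *probe = fopen(path, "r");
    if (probe == NULL) return 0;
    before = fileno(probe); fclose(probe);
    for (i = 0; i < 100; i++) (void)count_nameservers(path);
    if ((probe = fopen(path, "r")) == NULL) return 0;
    after = fileno(probe); fclose(probe);
    return before == after;
}
```

Removing the `fclose(fp)` line makes `demo_no_fd_leak` return 0, because POSIX hands out the lowest free descriptor and 100 leaked ones push the probe's number up.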
Comment 1 Rene Ladan 2010-06-15 20:50:20 UTC
Responsible Changed From-To: freebsd-ports-bugs->rene
Grab, superseded by ports/147657?
Comment 2 Rene Ladan 2010-06-22 17:25:59 UTC
The problem report is still valid. Can you point to a CVE entry so that I can write a VuXML entry? I didn't find any entries relating to this problem at http://web.nvd.nist.gov/view/vuln/search-results?cid=3

Rene
Comment 3 Rene Ladan 2010-06-22 17:26:45 UTC
State Changed From-To: open->feedback
Waiting for CVE entry, not in the National Vulnerability Database.
Comment 4 dfilter service 2010-06-27 22:14:42 UTC
rene 2010-06-27 21:14:28 UTC

FreeBSD ports repository

Modified files:
  security/vuxml vuln.xml

Log:
  Document mDNSResponder -- corrupted stack crash when parsing bad resolv.conf

  This only happens on a system where one has a system where resolv.conf is writable by an untrusted user or where mdnsd is setuid and can be tricked into opening an alternate resolv.conf.

  PR: ports/147007
  Submitted by: jmallett@
  Approved by: tabthorpe (mentor)
  Feature safe: yes

Revision Changes Path
1.2174 +32 -1 ports/security/vuxml/vuln.xml
_______________________________________________
email@example.com mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "firstname.lastname@example.org"
Comment 5 dfilter service 2010-08-01 20:12:27 UTC
rene 2010-08-01 19:12:18 UTC

FreeBSD ports repository

Modified files:
  net/mDNSResponder Makefile distinfo
Added files:
  net/mDNSResponder/files mdnsd.in patch-mDNSPosix_mDNSPosix.c
Removed files:
  net/mDNSResponder/files mdnsd.sh.in

Log:
  - Fix a potential buffer overflow and file descriptor leak.
  - Update to 214.3
  - Rename mdnsd.sh to mdnsd
  - Remove duplicate MAKE_JOBS_UNSAFE
  - Simplify manpage installation
  - Pass maintainership to submitter

  PR: ports/147007
      ports/147657
  Submitted by: jmallett
                Sunpoet Po-Chuan Hsieh [sunpoet sunpoet.net]
  Approved by: tabthorpe (mentor)
  Security: ports/147007

Revision Changes Path
1.26 +16 -25 ports/net/mDNSResponder/Makefile
1.8 +3 -3 ports/net/mDNSResponder/distinfo
1.1 +22 -0 ports/net/mDNSResponder/files/mdnsd.in (new)
1.7 +0 -19 ports/net/mDNSResponder/files/mdnsd.sh.in (dead)
1.1 +19 -0 ports/net/mDNSResponder/files/patch-mDNSPosix_mDNSPosix.c (new)
Comment 6 Rene Ladan 2010-08-01 20:13:13 UTC
State Changed From-To: feedback->closed
Committed, thanks