Vulnerability Note VU#203611

inet_network() off-by-one buffer overflow

Overview

The inet_network() resolver function contains an off-by-one buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

The inet_network() function takes a character string representation for an internet address and returns the internet network number in integer form. inet_network() is implemented by various libbind, libc, and GNU libc versions. Applications that link against a vulnerable version of inet_network() may be vulnerable to a one-byte overflow.
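An illustration of how a one-element overrun can arise in a parser of this kind, next to a hardened form. This is an added example, not the libbind, libc or GNU libc source; `parse_network`, its `checked_final` switch and the guard slot are assumptions made for the demonstration, and only decimal components are handled.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NPARTS    4            /* a network number has at most 4 components */
#define GUARD     0xDEADBEEFu  /* constructed canary standing in for adjacent memory */
#define PARSE_ERR 0xFFFFFFFFu

/* Simplified model. parts[] carries one extra guard slot so the overrun can be
 * observed without undefined behaviour. checked_final = 0 tests capacity only
 * when a '.' is seen (flawed); checked_final = 1 tests it before every store.
 * *guard_hit reports whether the slot past the 4-element array was written. */
uint32_t parse_network(const char *cp, int checked_final, int *guard_hit)
{
    uint32_t parts[NPARTS + 1], *pp = parts, val = 0;
    unsigned long v;
    char *end;
    size_t i, n;
    parts[NPARTS] = GUARD;
    *guard_hit = 0;
    for (;;) {
        if (!isdigit((unsigned char)*cp)) return PARSE_ERR;
        v = strtoul(cp, &end, 10);
        if (v > 0xff) return PARSE_ERR;
        cp = end;
        if (*cp == '.') {
            if (pp >= parts + NPARTS) return PARSE_ERR; /* check at separator */
            *pp++ = (uint32_t)v; cp++;
            continue;
        }
        if (*cp != '\0') return PARSE_ERR;
        if (checked_final && pp >= parts + NPARTS) return PARSE_ERR;
        *pp++ = (uint32_t)v;   /* final component: unchecked in flawed mode */
        break;
    }
    *guard_hit = (parts[NPARTS] != GUARD);
    n = (size_t)(pp - parts);
    if (n > NPARTS) return PARSE_ERR;  /* too late: the store already happened */
    for (i = 0; i < n; i++) val = (val << 8) | parts[i];
    return val;
}

int main(void)
{
    int hit;
    const char *s = "1.2.3.4.5";  /* constructed input: five components */
    parse_network(s, 0, &hit); printf("flawed:   guard overwritten = %d\n", hit);
    parse_network(s, 1, &hit); printf("hardened: guard overwritten = %d\n", hit);
    return 0;
}
```

Both variants reject the overlong string; the difference is that the flawed one has already stored the fifth component one element past the array by the time it does.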

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.

III. Solution

Apply an update

    FreeBSD libc - Apply the patch in FreeBSD Security Advisory FreeBSD-SA-08:02.libc
    GNU libc - This issue was resolved on February 11, 2000 in the main (diff) and glibc 2.1 (diff) branches
    libbind - This issue will be resolved in libbind 9.3.5, 9.4.3, 2.5.0b2, or later. A patch is also available in the ISC Advisory


Systems Affected

Vendor                              Status          Date Updated
Apple Computer, Inc.                Not Vulnerable  25-Jan-2008
BlueCat Networks, Inc.              Not Vulnerable  28-Apr-2008
CentOS                              Unknown         17-Jan-2008
Check Point Software Technologies   Unknown         17-Jan-2008
Conectiva Inc.                      Unknown         17-Jan-2008
Cray Inc.                           Unknown         17-Jan-2008
Debian GNU/Linux                    Unknown         21-Jan-2008
EMC Corporation                     Unknown         17-Jan-2008
Engarde Secure Linux                Unknown         17-Jan-2008
F5 Networks, Inc.                   Unknown         17-Jan-2008
Fedora Project                      Unknown         17-Jan-2008
FreeBSD, Inc.                       Vulnerable      25-Jan-2008
Fujitsu                             Unknown         17-Jan-2008
Gentoo Linux                        Unknown         17-Jan-2008
Gnu ADNS                            Unknown         17-Jan-2008
GNU glibc                           Vulnerable      25-Jan-2008
Hewlett-Packard Company             Not Vulnerable  31-Jan-2008
Hitachi                             Unknown         17-Jan-2008
IBM Corporation                     Unknown         17-Jan-2008
IBM Corporation (zseries)           Unknown         17-Jan-2008
IBM eServer                         Unknown         17-Jan-2008
Infoblox                            Not Vulnerable  31-Jan-2008
Ingrian Networks, Inc.              Not Vulnerable  29-Jan-2008
Internet Software Consortium        Unknown         10-Dec-2007
Juniper Networks, Inc.              Unknown         17-Jan-2008
Lucent Technologies                 Unknown         17-Jan-2008
Mandriva, Inc.                      Not Vulnerable  21-Jan-2008
Men & Mice                          Unknown         17-Jan-2008
Metasolv Software, Inc.             Unknown         17-Jan-2008
Microsoft Corporation               Not Vulnerable  18-Jan-2008
MontaVista Software, Inc.           Unknown         17-Jan-2008
NEC Corporation                     Unknown         17-Jan-2008
NetBSD                              Unknown         17-Jan-2008
Nortel Networks, Inc.               Unknown         17-Jan-2008
Novell, Inc.                        Unknown         17-Jan-2008
OpenBSD                             Vulnerable      21-Jan-2008
Openwall GNU/*/Linux                Unknown         17-Jan-2008
QNX, Software Systems, Inc.         Unknown         17-Jan-2008
Red Hat, Inc.                       Unknown         17-Jan-2008
Shadowsupport                       Unknown         17-Jan-2008
Silicon Graphics, Inc.              Unknown         17-Jan-2008
Slackware Linux Inc.                Unknown         17-Jan-2008
Sony Corporation                    Unknown         17-Jan-2008
Sun Microsystems, Inc.              Unknown         17-Jan-2008
SUSE Linux                          Unknown         17-Jan-2008
The SCO Group                       Unknown         17-Jan-2008
Trustix Secure Linux                Unknown         17-Jan-2008
Turbolinux                          Unknown         17-Jan-2008
Ubuntu                              Unknown         17-Jan-2008
Unisys                              Unknown         17-Jan-2008
Wind River Systems, Inc.            Unknown         17-Jan-2008

References


http://security.freebsd.org/advisories/FreeBSD-SA-08:02.libc.asc
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/inet/inet_net.c.diff?r1=1.6.2.1&r2=1.6.2.2&cvsroot=glibc&f=h
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/inet/inet_net.c.diff?r1=1.8&r2=1.9&cvsroot=glibc&f=h
http://www.securityfocus.com/bid/27283
http://securitytracker.com/alerts/2008/Jan/1019189.html
http://secunia.com/advisories/28367
http://xforce.iss.net/xforce/xfdb/39670

Credit

Thanks to Mark Andrews of ISC for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public: 12/10/2007
Date First Published: 01/25/2008 01:35:01 PM
Date Last Updated: 04/28/2008
CERT Advisory:
CVE Name: CVE-2008-0122
US-CERT Technical Alerts:
Metric: 0.76
Document Revision: 13

Produced 2008 by US-CERT, a government organization