GNU glibc Information for VU#542971

Multiple vendors' Domain Name System (DNS) stub resolvers vulnerable to buffer overflow via network name and address lookups

Status

Affected

Vendor Statement

For resolving host names and addresses via DNS, Version 2.1.2 and earlier versions of the GNU C Library are vulnerable. Later versions are not vulnerable.

For the less commonly used action of resolving network names and addresses via DNS as per Internet RFC 1011, Version 2.2.5 and earlier versions are vulnerable.

To work around the problems, modify the file /etc/nsswitch.conf so that it contains "hosts:" and "networks:" lines that do not mention "dns". For example, you might use the following lines in your /etc/nsswitch.conf file:

# This "networks:" line omits "dns" to work around a bug in glibc
# 2.2.5 and earlier.
networks: files nisplus


# This "hosts:" line omits "dns" to work around a bug in glibc 2.1.2
# and earlier.
hosts: nisplus [NOTFOUND=return] files

[CERT/CC: This workaround will break network and host resolution that is not provided through some other means, such as database files (/etc/hosts, /etc/networks) or NIS. In most cases, resolution for non-local networks and hosts will be disabled.]

Most GNU/Linux distributions with glibc 2.1.3 and later ship with a line like "networks: files" in /etc/nsswitch.conf and thus unless this line is changed they are not vulnerable.

To fix the problem instead of working around it, we suggest upgrading to Version 2.1.3 or later, and applying the following patch, taking care to relink any statically linked applications that use the affected functions. This patch can also be found at:

<http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/resolv/nss_dns/dns-network.c.diff?r1=1.10&r2=1.10.2.1&cvsroot=glibc>

===================================================================
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v
retrieving revision 1.10
retrieving revision 1.10.2.1
diff -u -r1.10 -r1.10.2.1
--- libc/resolv/nss_dns/dns-network.c 2001/07/06 04:55:39 1.10
+++ libc/resolv/nss_dns/dns-network.c 2002/07/02 09:38:29 1.10.2.1
@@ -328,7 +328,9 @@
   }
 cp += n;
 *alias_pointer++ = bp;
-  bp += strlen (bp) + 1;
+  n = strlen (bp) + 1;
+  bp += n;
+  linebuflen -= n;
 result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
 ++have_answer;
}
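Review bot: the new `linebuflen -= n;` assumes `n` never exceeds `linebuflen`, yet nothing in this hunk checks that before the subtraction; if `linebuflen` is a signed int it can go negative and every later comparison against it must tolerate that, and if it is unsigned it wraps to a huge value and the bookkeeping is defeated. Suggest testing `if (n > linebuflen)` and taking the function's existing out-of-space path before `bp += n;`. The decrement itself is the right correction: the removed line advanced `bp` past the alias string without charging those bytes to the remaining space, so later size checks ran against a stale length.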

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

One aspect of this vulnerability that involves host name and address lookups was addressed in glibc version 2.1.3 in October 1999:

[ftp://ftp.gnu.org/gnu/glibc/glibc-2.1.2-2.1.3.diff.gz]

+1999-10-25  Ulrich Drepper  <drepper@cygnus.com>
+
+       * resolv/gethnamaddr.c: Account bytes needed for alignment in
+       buflen.  Patch by Olaf Kirch <okir@lst.de>.

<elided>

@@ -424,6 +424,10 @@ getanswer(answer, anslen, qname, qtype)
                                buflen -= nn;
                        }
 
+                       /* XXX: when incrementing bp, we have to decrement
+                        * buflen by the same amount --okir */
+                       buflen -= sizeof(align) - ((u_long)bp % sizeof(align));
+
                        bp += sizeof(align) - ((u_long)bp % sizeof(align));
 
                        if (bp + n >= &hostbuf[sizeof hostbuf]) {
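Review bot: the padding is computed twice with the same expression, once for `buflen` and again for `bp` on the following line; a single local such as `size_t pad = sizeof(align) - ((u_long)bp % sizeof(align));` followed by `buflen -= pad; bp += pad;` keeps the two from drifting apart again, which is the very defect this change corrects. Two further points: the expression charges a full `sizeof(align)` bytes when `bp` is already aligned (the modulus yields 0), so wrapping it in a further `% sizeof(align)` would waste less of the buffer; and `buflen` is decremented without first verifying it is at least the padding, while the bounds test visible at the end of the hunk (`if (bp + n >= &hostbuf[sizeof hostbuf])`) guards `hostbuf`, not `buflen`, so an underflow of `buflen` would not be caught here.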

A second problem, a buffer overflow handling DNS answers for network names and addresses (VU#542971), affects current versions of glibc (2.2.5 and previous).
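As an added illustration of the bookkeeping error behind both the dns-network.c patch and the gethnamaddr.c alignment fix quoted above (this is constructed example code, not glibc's sources or anything from this advisory): a small model in which the pointer into the answer buffer and the remaining-length counter are either updated together or not. The `struct linebuf`, its field names, the `fixed` switch and the 16-byte buffer with three constructed alias names are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the resolver's line buffer: bp is the next free byte and
 * linebuflen the space the resolver believes remains; cap is kept only to audit. */
struct linebuf {
    char *buf;          /* start of the caller-supplied storage */
    size_t cap;         /* true capacity (audit only, never consulted by resolver) */
    char *bp;           /* next free byte */
    size_t linebuflen;  /* bytes the resolver thinks are left */
    int fixed;          /* 1: charge every advance of bp to linebuflen (post-patch) */
};

/* Copy one alias into the buffer. Returns 1 if placed, 0 if the resolver's own
 * check rejected it, -1 if the check passed but the copy would really overrun. */
int place_name(struct linebuf *b, const char *name)
{
    size_t n = strlen(name) + 1;
    if (n > b->linebuflen) return 0;                      /* resolver's check */
    if ((size_t)(b->bp - b->buf) + n > b->cap) return -1; /* audit: real overflow */
    memcpy(b->bp, name, n);
    b->bp += n;
    if (b->fixed) b->linebuflen -= n;                     /* the 1.10.2.1 fix */
    return 1;
}

/* Alignment step as in gethnamaddr.c: padding skipped by bp is charged to linebuflen
 * too. Unlike the original expression this pads only when bp is misaligned. */
int align_bp(struct linebuf *b, size_t align)
{
    size_t pad = (align - ((uintptr_t)b->bp % align)) % align;
    if (pad > b->linebuflen) return 0;   /* not even the padding fits */
    b->bp += pad;
    b->linebuflen -= pad;
    return 1;
}

/* Constructed scenario: 16 bytes of storage, three 7-byte aliases (21 bytes).
 * Unfixed bookkeeping returns -1 (overflow passed the check); fixed returns 0. */
int run_demo(int fixed)
{
    char storage[16];
    struct linebuf b = { storage, sizeof storage, storage, sizeof storage, fixed };
    const char *aliases[] = { "alias1", "alias2", "alias3" };
    int rc = 1;
    for (size_t i = 0; i < 3 && rc == 1; i++)
        rc = place_name(&b, aliases[i]);
    return rc;
}
```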

If you have feedback, comments, or additional information about this vulnerability, please send us email.