ISC Information for VU#738331

Domain Name System (DNS) resolver libraries vulnerable to read buffer overflow

Status

Affected

Vendor Statement

Internet Software Consortium Security Advisory.
LIBBIND/LIBRESOLV: Denial of Service.
8 August 2002

Versions affected:
BIND 4 prior to 4.9.10
BIND 8 prior to 8.2.5
Severity: SERIOUS
Exploitable: Remotely
Type: Denial of service

Description:

When looking up addresses (gethostbyname(), gethostbyaddr()
etc.) a less than maximum sized buffer is passed to
res_search() / res_query().  If the answer is too large
to fit in the buffer the size of buffer required is
returned along with the part of the message that will fit.
This value is not checked and is passed to getanswer which
then may read past the end of the buffer depending upon the
contents in the answer section.

THIS DOES NOT AFFECT THE NAMESERVER.

THIS CAN BE TRANSMITTED THROUGH CACHES.

BIND 9 is NOT affected.
BIND 8.3.x is NOT affected.

This bug may exist in other applications that call the
DNS directly.

Workarounds:

None.  Upgrade and re-linking required.

Impact:

Applications linked against vulnerable versions of the
libraries may die with segmentation violations /
bus errors.

Fix:

Upgrade to BIND 4.9.10 or preferably BIND 8.3.3.

BIND 4 is officially deprecated.  Only security
fixes will be issued for BIND 4.

For application writers.  Use a maximum sized buffer (64k),
be prepared to redo the calls res_search(), res_query(),
res_send(), res_nsearch(), res_nquery() and res_send()
with a bigger buffer or take the minimum of the answer
buffer size and the value returned by these calls and
be aware that the answer is truncated.
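
The guidance for application writers above, as an added example (not ISC's or CERT/CC's code): `lookup()` clamps the returned length to the size of the buffer it supplied and records truncation before a bounds-checked parser walks the answer section. `fake_res_query()` is a hypothetical stand-in that mimics the return-value behaviour the statement describes so the block runs offline, and the DNS response is constructed sample data.

```c
#include <string.h>
#define ANSBUF 512  /* caller's answer buffer, smaller than the large sample */
/* Constructed sample: header, question "a. IN A", then n 16-byte A records. */
int build_sample(unsigned char *m, int n) {
    static const unsigned char a_rr[16] = {0xC0, 12, 0, 1, 0, 1, 0, 0, 0, 0, 0, 4};
    int off = 19, end = 19 + 16 * n;
    memset(m, 0, (size_t)end);
    m[5] = 1; m[6] = (unsigned char)(n >> 8); m[7] = (unsigned char)n;
    m[12] = 1; m[13] = 'a'; m[16] = 1; m[18] = 1;
    for (; off < end; off += 16) memcpy(m + off, a_rr, 16);
    return end;
}

/* Hypothetical stand-in for res_query(): copies what fits, returns the full size. */
int fake_res_query(const unsigned char *r, int rlen, unsigned char *ans, int anslen) {
    memcpy(ans, r, (size_t)(rlen < anslen ? rlen : anslen));
    return rlen;
}

static int skip_name(const unsigned char *m, int off, int eom) { /* -1 if past eom */
    for (; off < eom; off += 1 + m[off]) {
        if ((m[off] & 0xC0) == 0xC0) return off + 2 <= eom ? off + 2 : -1;
        if (m[off] == 0) return off + 1;
    }
    return -1;
}

/* Count answer records lying entirely within the first eom bytes. */
int count_answers(const unsigned char *m, int eom) {
    int q, a, n = 0, off = 12;
    if (eom < 12) return -1;
    for (q = (m[4] << 8) | m[5]; q > 0; q--)
        if ((off = skip_name(m, off, eom)) < 0 || (off += 4) > eom) return -1;
    for (a = (m[6] << 8) | m[7]; a > 0; a--, n++) {
        int rr = skip_name(m, off, eom);
        if (rr < 0 || rr + 10 > eom) break;
        if ((off = rr + 10 + ((m[rr + 8] << 8) | m[rr + 9])) > eom) break;
    }
    return n;
}

/* Hardened caller: parse min(returned length, buffer size) and flag truncation. */
int lookup(const unsigned char *resp, int resplen, int *truncated) {
    unsigned char ans[ANSBUF];
    int n = fake_res_query(resp, resplen, ans, ANSBUF);
    if (n < 0) return -1;
    if ((*truncated = n > ANSBUF)) n = ANSBUF;
    return count_answers(ans, n);
}
```

With the constructed 40-record response (659 bytes) and a 512-byte buffer, the clamped parse stops at the 30 records that fit and sets the truncation flag. Passing the unclamped 659 as the end of message is the unchecked pattern the statement describes.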

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.
