Gentoo Archives: gentoo-announce

From: Chris Reffett <creffett@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201401-25 ] ldns: Arbitrary code execution
Date: Tue, 21 Jan 2014 21:09:59
Message-Id: 52DEE18F.2040300@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201401-25
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: ldns: Arbitrary code execution
9 Date: January 21, 2014
10 Bugs: #384249
11 ID: 201401-25
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A heap-based buffer overflow in ldns might allow remote attackers to
19 execute arbitrary code or cause a Denial of Service condition.
20
21 Background
22 ==========
23
24 ldns is a fast DNS library with the goal to simplify DNS programming
25 and to allow developers to easily create software conforming to current
26 RFCs and Internet drafts.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 net-libs/ldns < 1.6.11 >= 1.6.11
35
36 Description
37 ===========
38
39 ldns contains a heap-based buffer overflow in the
40 ldns_rr_new_frm_str_internal function.
41
42 Impact
43 ======
44
45 A remote attacker could execute arbitrary code or cause a Denial of
46 Service condition with a crafted Resource Record.
47
48 Workaround
49 ==========
50
51 There is no known workaround at this time.
52
53 Resolution
54 ==========
55
56 All ldns users should upgrade to the latest version:
57
58 # emerge --sync
59 # emerge --ask --oneshot --verbose ">=net-libs/ldns-1.6.11"
60
61 Packages which depend on this library may need to be recompiled. Tools
62 such as revdep-rebuild may assist in identifying these packages.
63
64 NOTE: This is a legacy GLSA. Updates for all affected architectures are
65 available since October 11, 2011. It is likely that your system is
66 already no longer affected by this issue.
67
68 References
69 ==========
70
71 [ 1 ] CVE-2011-3581
72 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3581
73
74 Availability
75 ============
76
77 This GLSA and any updates to it are available for viewing at
78 the Gentoo Security Website:
79
80 http://security.gentoo.org/glsa/glsa-201401-25.xml
81
82 Concerns?
83 =========
84
85 Security is a primary focus of Gentoo Linux and ensuring the
86 confidentiality and security of our users' machines is of utmost
87 importance to us. Any security concerns should be addressed to
88 security@g.o or alternatively, you may file a bug at
89 https://bugs.gentoo.org.
90
91 License
92 =======
93
94 Copyright 2014 Gentoo Foundation, Inc; referenced text
95 belongs to its owner(s).
96
97 The contents of this document are licensed under the
98 Creative Commons - Attribution / Share Alike license.
99
100 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature