BIND Security Advisory notification-Severity - Low VU#203611, CVE-2008-0122 (also submitted as CVE-2007-6251)

From: ISC Customer Support (sue_gravesisc.org)
Date: Fri Jan 18 2008 - 09:49:08 CST


Please Note:
This vulnerability, already released by FreeBSD, is considered to be
very low risk, and ISC is publishing this as an advisory only and
will put the fix into the next release of BIND.
Those using Operating Systems with embedded BIND software utilizing the
BIND8 lib resolver should read the following to determine if you feel
you may be at risk.
__________________________________________________________________

Internet Systems Consortium Security Advisory.
BIND: buffer overflow in inet_network()
18 January 2008

Versions affected:

        BIND 8 (all versions)
        BIND 9.0 (all versions)
        BIND 9.1 (all versions)
        BIND 9.2 (all versions)
        BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4
        BIND 9.4.0, 9.4.1, 9.4.2
        BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5, 9.5.0a6,
             9.5.0a7, 9.5.0b1

Severity: Low

Description:

        An off-by-one error in the inet_network() function in libbind
        could lead to memory corruption with certain inputs.

Impact:

        Applications linked against libbind that call inet_network()
        with untrusted inputs could be exposed to denial of service or,
        potentially, code execution.

        None of the applications shipped with BIND 8 or BIND 9 call
        inet_network().

Workaround:

        None

Fix:

        Upgrade to 9.3.5, 9.4.3, 9.5.0b2 or later when released.

        Otherwise, apply the patch below to:

        BIND 9: lib/bind/inet/inet_network.c
        BIND 8: lib/inet/inet_network.c

        Questions should be addressed to bind9-bugsisc.org.

CVE: CVE-2008-0122 (also submitted as CVE-2007-6251)
VU#203611

Acknowledgement:

        ISC would like to thank Nate Eldredge for reporting this.
        

Revision History:

Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5 Wed Apr 27 04:56:21 2005
+++ inet_network.c Tue Jan 15 04:02:01 2008
-84,9 +84,9
         }
         if (!digit)
                 return (INADDR_NONE);
+ if (pp >= parts + 4 || val > 0xffU)
+ return (INADDR_NONE);
         if (*cp == '.') {
- if (pp >= parts + 4 || val > 0xffU)
- return (INADDR_NONE);
                 *pp++ = val, cp++;
                 goto again;
         }
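
Review bot: the relocated check "if (pp >= parts + 4 || val > 0xffU)" now sits ahead of the "if (*cp == '.')" branch with no comment saying why the order matters, so a later cleanup could fold it back into the branch and once more leave a component that is not followed by '.' unchecked. Add a one-line comment above the check stating that it must run for every parsed component, and pair the change with a regression test whose final component reaches the check without a trailing '.'.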
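
The Description and the patch above come down to checking the bound before every store into the parts array, not only when a '.' follows. As an added illustration (not ISC's code and not part of the advisory), here is a simplified parser that follows the patched ordering; parse_network, NET_NONE and the decimal-only, no-whitespace input handling are assumptions made for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define NET_NONE 0xffffffffU   /* assumed sentinel, same value as INADDR_NONE */

/* Hypothetical helper, decimal components only: parse "a", "a.b", "a.b.c"
 * or "a.b.c.d" into a host-order network number; NET_NONE on bad input. */
static uint32_t parse_network(const char *cp)
{
    uint32_t parts[4], *pp = parts, val, result = 0;
    int digit;

    for (;;) {
        val = 0;
        digit = 0;
        while (isdigit((unsigned char)*cp)) {
            val = val * 10 + (uint32_t)(*cp++ - '0');
            digit = 1;
            if (val > 0xffU)        /* reject early; also prevents wraparound */
                return NET_NONE;
        }
        if (!digit)
            return NET_NONE;
        /* Bound check before ANY store into parts[], whether or not the
         * component is followed by '.', matching the patched ordering. */
        if (pp >= parts + 4)
            return NET_NONE;
        *pp++ = val;
        if (*cp != '.')
            break;
        cp++;
    }
    if (*cp != '\0')                /* simplification: no trailing text allowed */
        return NET_NONE;
    for (uint32_t *p = parts; p < pp; p++)
        result = (result << 8) | *p;
    return result;
}

int main(void)
{
    /* Constructed sample inputs, valid and invalid. */
    const char *samples[] = { "10", "192.168.1", "1.2.3.4", "1.2.3.4.5", "1.2.3.256", "1..2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> 0x%08x\n", samples[i], (unsigned)parse_network(samples[i]));
    return 0;
}
```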