Software Engineering Institute

Notified:  November 12, 2002 Updated: February 25, 2003

Status

Affected

Vendor Statement

Affected Systems: Mac OS X and Mac OS X Server

Mitigating Factors: BIND is not enabled by default on Mac OS X or Mac OS X Server.

Apple is working on a software update to address this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See Security Update 2002-11-21:

<http://www.apple.com/support/security/security_updates.html>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2002 Updated: January 16, 2003

Status

Affected

Vendor Statement

Version 2.3.1 of the GNU C Library is vulnerable. Earlier versions are also vulnerable. The following patch has been installed into the CVS sources, and should appear in the next version of the GNU C Library. This patch is also available from the following URL:

<http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/resolv/nss_dns/dns-network.c.diff?r1=1.17&r2=1.15&cvsroot=glibc>

2002-11-18  Roland McGrath  <roland@redhat.com>

        * resolv/nss_dns/dns-network.c (getanswer_r): In BYNAME case, search
        all aliases for one that matches the "<dotted-quad>.IN-ADDR.ARPA" form.
        Do the parsing inline instead of copying strings and calling
        inet_network, and properly skip all alias names not matching the form.

2002-11-14  Paul Eggert  <eggert@twinsun.com>

        * resolv/nss_dns/dns-network.c (getanswer_r): Check for buffer
        overflow when skipping the question part and when unpacking aliases.

===================================================================
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v
retrieving revision 1.15
retrieving revision 1.17
diff -u -r1.15 -r1.17
--- libc/resolv/nss_dns/dns-network.c   2002/10/17 21:49:12     1.15
+++ libc/resolv/nss_dns/dns-network.c   2002/11/19 06:40:16     1.17
@@ -283,7 +283,15 @@

   /* Skip the question part.  */
   while (question_count-- > 0)
-    cp += __dn_skipname (cp, end_of_message) + QFIXEDSZ;
+    {
+      int n = __dn_skipname (cp, end_of_message);
+      if (n < 0 || end_of_message - (cp + n) < QFIXEDSZ)
+       {
+         __set_h_errno (NO_RECOVERY);
+         return NSS_STATUS_UNAVAIL;
+       }
+      cp += n + QFIXEDSZ;
+    }

   alias_pointer = result->n_aliases = &net_data->aliases[0];
   *alias_pointer = NULL;
@@ -344,64 +352,94 @@
              return NSS_STATUS_UNAVAIL;
            }
          cp += n;
-         *alias_pointer++ = bp;
-         n = strlen (bp) + 1;
-         bp += n;
-         linebuflen -= n;
-         result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
-         ++have_answer;
+         if (alias_pointer + 2 < &net_data->aliases[MAX_NR_ALIASES])
+           {
+             *alias_pointer++ = bp;
+             n = strlen (bp) + 1;
+             bp += n;
+             linebuflen -= n;
+             result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
+             ++have_answer;
+           }
        }
     }

   if (have_answer)
     {
-      char *tmp;
-      int len;
-      char *in, *cp, *rp, *wp;
-      int cnt, first_flag;
-
       *alias_pointer = NULL;
       switch (net_i)
        {
        case BYADDR:
-         result->n_name = result->n_aliases[0];
+         result->n_name = *result->n_aliases++;
          result->n_net = 0L;
-         break;
-       case BYNAME:
-         len = strlen (result->n_aliases[0]);
-         tmp = (char *) alloca (len + 1);
-         tmp[len] = 0;
-         wp = &tmp[len - 1];
-
-         rp = in = result->n_aliases[0];
-         result->n_name = ans;
-
-         first_flag = 1;
-         for (cnt = 0; cnt < 4; ++cnt)
-           {
-             char *startp;
+         return NSS_STATUS_SUCCESS;

-             startp = rp;
-             while (*rp != '.')
-               ++rp;
-             if (rp - startp > 1 || *startp != '0' || !first_flag)
-               {
-                 first_flag = 0;
-                 if (cnt > 0)
-                   *wp-- = '.';
-                 cp = rp;
-                 while (cp > startp)
-                   *wp-- = *--cp;
-               }
-             in = rp + 1;
-           }
-
-         result->n_net = inet_network (wp);
+       case BYNAME:
+         {
+           char **ap = result->n_aliases++;
+           while (*ap != NULL)
+             {
+               /* Check each alias name for being of the forms:
+                  4.3.2.1.in-addr.arpa         = net 1.2.3.4
+                  3.2.1.in-addr.arpa           = net 0.1.2.3
+                  2.1.in-addr.arpa             = net 0.0.1.2
+                  1.in-addr.arpa               = net 0.0.0.1
+               */
+               uint32_t val = 0;       /* Accumulator for n_net value.  */
+               unsigned int shift = 0; /* Which part we are parsing now.  */
+               const char *p = *ap; /* Consuming the string.  */
+               do
+                 {
+                   /* Match the leading 0 or 0[xX] base indicator.  */
+                   unsigned int base = 10;
+                   if (*p == '0' && p[1] != '.')
+                     {
+                       base = 8;
+                       ++p;
+                       if (*p == 'x' || *p == 'X')
+                         {
+                           base = 16;
+                           ++p;
+                           if (*p == '.')
+                             break; /* No digit here.  Give up on alias.  */
+                         }
+                       if (*p == '\0')
+                         break;
+                     }
+
+                   uint32_t part = 0; /* Accumulates this part's number.  */
+                   do
+                     {
+                       if (isdigit (*p) && (*p - '0' < base))
+                         part = (part * base) + (*p - '0');
+                       else if (base == 16 && isxdigit (*p))
+                         part = (part << 4) + 10 + (tolower (*p) - 'a');
+                       ++p;
+                     } while (*p != '\0' && *p != '.');
+
+                   if (*p != '.')
+                     break;    /* Bad form.  Give up on this name.  */
+
+                   /* Install this as the next more significant byte.  */
+                   val |= part << shift;
+                   shift += 8;
+                   ++p;
+
+                   /* If we are out of digits now, there are two cases:
+                      1. We are done with digits and now see "in-addr.arpa".
+                      2. This is not the droid we are looking for.  */
+                   if (!isdigit (*p) && !strcasecmp (p, "in-addr.arpa"))
+                     {
+                       result->n_net = val;
+                       return NSS_STATUS_SUCCESS;
+                     }
+
+                   /* Keep going when we have seen fewer than 4 parts.  */
+                 } while (shift < 32);
+             }
+         }
          break;
        }
-
-      ++result->n_aliases;
-      return NSS_STATUS_SUCCESS;
     }

   __set_h_errno (TRY_AGAIN);

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2002 Updated: February 27, 2003

Status

Affected

Vendor Statement

The AIX operating system is vulnerable to the named and DNS resolver issues in releases 4.3.3, 5.1.0 and 5.2.0. The following APARs are available:

AIX 4.3.3 APAR IY37088 (available)AIX 5.1.0 APAR IY37091 (available)AIX 5.2.0 APAR IY37289 (available)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2002 Updated: November 15, 2002

Status

Affected

Vendor Statement

VU#844360 - Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups (VU#852283 - CAN-2002-1219 / VU#229595 - CAN-2002-1220 / VU#581682 - CAN-2002-1221/ VU#844360 - CAN-2002-0029) was addressed in Policy Services 4.2 Service Pack 1 efix 1. The vulnerability can be avoided by upgrading to Policy Services 4.2 Service Pack 1 efix 1 from MetaSolv Policy Services 4.1 and 4.2 (base). The efix includes all ISC sanctioned patches to BIND 8.2.6. to remedy this vulnerability. Please contact MetaSolv Global Customer Care supporthd@metasolv.com for assistance.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2002 Updated: November 14, 2002

Status

Affected

Vendor Statement

BIND 4.9.10-OW2 includes the patch provided by ISC and thus has the two vulnerabilities affecting BIND 4 fixed. Previous versions of BIND 4.9.x-OW patches, if used properly, significantly reduced the impact of the "named" vulnerability. The patches are available at their usual location:

http://www.openwall.com/bind/

A patch against BIND 4.9.11 will appear as soon as this version is officially released, although it will likely be effectively the same as the currently available 4.9.10-OW2.

It hasn't been fully researched whether the resolver code in glibc, and in particular on Openwall GNU/*/Linux, shares any of the newly discovered BIND 4 resolver library vulnerabilities. Analysis is in progress.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2002 Updated: December 05, 2002

Status

Affected

Vendor Statement

Please see SGI Security Advisory 20021201-01-P.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2002 Updated: November 15, 2002

Status

Affected

Vendor Statement

The Solaris DNS resolver library (libresolv(3LIB)) is affected by VU#844360 in the following supported versions of Solaris:

Solaris 2.6

Patches are being generated for all of the above releases. Sun will be publishing a Sun Alert for this issue at the following location shortly:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F48818

The patches will be available from:

http://sunsolve.sun.com/securitypatch

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.