Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNSResolver Libraries
In article <[🔎] 87y9cv2sie.fsf@labatt.uhoreg.ca>
hubert@uhoreg.ca writes:
>> Jeff> libc6 is indeed a big package and the Pine announcement seems
>> Jeff> rather general, if we are lucky, Debians libresolv.so wont need an
>> Jeff> update.
>>
>> The Pine announcement only mentions the libc from BSD-based systems,
>> which is different from Linux's glibc, I believe.
No, it's problem on all resolver libraries originated from BIND, not
except glibc.
I got an information from a web bbs. It says that some parts of the
FreeBSD's patch
<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch>
was already applied
<http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/resolv/nss_dns/dns-host.c.diff?r1=1.15&r2=1.16&cvsroot=glibc&f=h>
, but not a part.
I attached the lack part of the patch with the mail. It is for
glibc-2.2.5, but it also need to apply potato's glibc.
--
NOKUBI Takatsugu
E-mail: knok@daionet.gr.jp
knok@namazu.org / knok@debian.org
--- glibc-2.2.5/resolv/nss_dns/dns-network.c.org 2001-07-06 13:55:39.000000000 +0900
+++ glibc-2.2.5/resolv/nss_dns/dns-network.c 2002-06-28 21:42:26.000000000 +0900
@@ -328,7 +328,9 @@
}
cp += n;
*alias_pointer++ = bp;
- bp += strlen (bp) + 1;
+ n = strlen(bp) + 1;
+ bp += n;
+ linebuflen -= n;
result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
++have_answer;
}
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: