This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/18784] New: res_query and related function crash for special record type queries (CVE-2015-5180)
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 07 Aug 2015 08:55:14 +0000
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=18784
Bug ID: 18784
Summary: res_query and related function crash for special
record type queries (CVE-2015-5180)
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: network
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security+
Created attachment 8492
--> https://sourceware.org/bugzilla/attachment.cgi?id=8492&action=edit
CVE-2015-5180.c
If T_UNSPEC (62321) is passed to functions such as res_query as a record type,
libresolv will dereference a NULL pointer, crashing the process. This is a
very minor security vulnerability because it is conceivable that the RR type is
supplied by an untrusted party.
The expected behavior is that libresolv sends a TYPE62321 query to the
configured forwarders because it is a valid record type as far as DNS is
concerned.
I am not sure how to fix this. The inband signaling should probably be removed.
For that, the external functions could check for a valid RR type (in the range
from 0 to 65535), and T_UNSPEC (which is fortunately not part of the API/ABI)
could be switched to a value not within that range.
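For applications that accept an RR type from an untrusted party and then pass it to res_query on an affected libresolv, the following added example (not glibc code and not part of the bug report) sketches a caller-side check. The function name `parse_untrusted_rr_type` is hypothetical; the 0 to 65535 range and the value 62321 come from the report. Rejecting 62321 outright is a workaround assumption for unpatched systems, not the library fix the report proposes.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Value of libresolv's internal T_UNSPEC marker, as stated in the report. */
#define LIBRESOLV_T_UNSPEC 62321L

/* Case-insensitive check for the RFC 3597 "TYPE" prefix (e.g. "TYPE62321"). */
static int has_type_prefix(const char *s)
{
    const char *p;
    for (p = "TYPE"; *p != '\0'; p++, s++)
        if (toupper((unsigned char)*s) != *p)
            return 0;
    return 1;
}

/* Hypothetical helper: parse an RR type supplied by an untrusted party,
 * either plain decimal ("28") or RFC 3597 form ("TYPE28").
 * Returns the type (0..65535), or -1 if it must not reach res_query(). */
int parse_untrusted_rr_type(const char *text)
{
    char *end;
    long value;

    if (text == NULL)
        return -1;
    if (has_type_prefix(text))
        text += 4;
    /* strtol() accepts leading whitespace and signs; insist on a digit. */
    if (*text < '0' || *text > '9')
        return -1;
    errno = 0;
    value = strtol(text, &end, 10);
    if (errno != 0 || *end != '\0')      /* overflow or trailing junk */
        return -1;
    if (value < 0 || value > 65535)      /* outside the 16-bit RR type space */
        return -1;
    if (value == LIBRESOLV_T_UNSPEC)     /* collides with the in-band marker */
        return -1;
    return (int)value;
}

int main(void)
{
    printf("%d %d\n", parse_untrusted_rr_type("TYPE28"),
           parse_untrusted_rr_type("TYPE62321"));
    return 0;
}
```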