ldns: CVE-2017-1000231: Memory corruption in ldns_rr_new_frm_fp_l (double free)

Related Vulnerabilities: CVE-2017-1000231   CVE-2017-1000232  

Debian Bug report logs - #882015

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 17 Nov 2017 16:36:04 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version ldns/1.7.0-1

Fixed in version ldns/1.7.0-4

Done: Ondřej Surý <ondrej@debian.org>

Forwarded to https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#882015; Package src:ldns. (Fri, 17 Nov 2017 16:36:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Fri, 17 Nov 2017 16:36:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ldns: CVE-2017-1000231: Memory corruption in ldns_rr_new_frm_fp_l (double free)
Date: Fri, 17 Nov 2017 17:34:19 +0100
Source: ldns
Version: 1.7.0-1
Severity: important
Tags: patch security upstream
Forwarded: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256

Hi,

the following vulnerability was published for ldns.

CVE-2017-1000231[0]:
| A double-free vulnerability in parse.c in ldns 1.7.0 has unspecified
| impact and attack vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000231
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000231
[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256
[2] https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 29 Nov 2018 17:24:10 GMT)


Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 28 Jan 2019 23:42:04 GMT)


Added tag(s) pending. Request was from Nicolas Braud-Santoni <nicoo@debian.org> to control@bugs.debian.org. (Sat, 09 Mar 2019 21:57:02 GMT)


Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Sun, 10 Mar 2019 22:39:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 10 Mar 2019 22:39:08 GMT)


Message #16 received at 882015-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 882015-close@bugs.debian.org
Subject: Bug#882015: fixed in ldns 1.7.0-4
Date: Sun, 10 Mar 2019 22:34:40 +0000
Source: ldns
Source-Version: 1.7.0-4

We believe that the bug you reported is fixed in the latest version of
ldns, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882015@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated ldns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 10 Mar 2019 21:56:02 +0000
Source: ldns
Architecture: source
Version: 1.7.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Closes: 882014 882015 899938
Changes:
 ldns (1.7.0-4) unstable; urgency=medium
 .
   * Fix invalid maintainer (Closes: #899938)
   * Add two upstream patches to address security issues:
    + CVE-2017-1000231: Memory corruption in ldns_rr_new_frm_fp_l
      (Closes: #882015)
    + CVE-2017-1000232: Memory corruption in ldns_str2rdf_long_str
      (Closes: #882014)
   * Bump debhelper compat to v12
   * Update the Vcs-* links to salsa.d.o
   * Bump the policy to the latest version (no change)
   * Add upstream Homepage link to d/control
   * Disable GOST and enable Ed25519 algorithm (see draft-wouters-sury-dnsop-algorithm-update)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:05:58 2019; Machine Name: buxtehude
