[Group.of.nepali.translators] [Bug 1695546] Re: Out of bounds write in resolved with crafted TCP responses

2017-07-20 Thread Launchpad Bug Tracker 
This bug was fixed in the package systemd - 229-4ubuntu19

---
systemd (229-4ubuntu19) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: partially
revert, by removing ExecStart|StopPost lines, as these are not needed on
xenial and generate warnings in the journal. (LP: #1704677)

systemd (229-4ubuntu18) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: if resolved
is going to be started, make sure this blocks network-online.target.
(LP: #1673860)
  * networkd: cherry-pick support for setting bridge port's priority
(LP: #1668347)
  * Cherrypick upstream commit to enable system use kernel maximum limit for
RLIMIT_NOFILE isntead of hard-coded (low) limit of 65536. (LP: #1686361)
  * Cherrypick upstream patch for platform predictable interface names.
(LP: #1686784)
  * resolved: fix null pointer dereference crash (LP: #1621396)
  * Cherrypick core/timer downgrade message about random time addition
(LP: #1692136)
  * SECURITY UPDATE: Out-of-bounds write in systemd-resolved (LP: #1695546)
- CVE-2017-9445
  * Cherry-pick subset of patches to introduce infinity value in logind.conf
for UserTasksMax (LP: #1651518)

 -- Dimitri John Ledkov   Mon, 17 Jul 2017 17:00:42
+0100

** Changed in: systemd (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1695546

Title:
  Out of bounds write in resolved with crafted TCP responses

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Xenial:
  Fix Released
Status in systemd source package in Yakkety:
  Fix Released
Status in systemd source package in Zesty:
  Fix Released
Status in systemd source package in Artful:
  Fix Released

Bug description:
  [Impact]
  Certain sizes passed to dns_packet_new can cause it to allocate a buffer 
that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + 
sizeof(udphdr) will do this - so, on x86 this will be a page-aligned number - 
80. Eg, calling dns_packet_new with a size of 4016 will result in an allocation 
of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.

  A malicious DNS server can exploit this by responding with a specially
  crafted TCP payload to trick systemd-resolved in to allocating a
  buffer that's too small, and subsequently write arbitrary data beyond
  the end of it.

  To demonstrate this you can run the attached python script. This is a
  mock DNS server that sends a response where the first two bytes of the
  TCP payload specify a size of 4016 (note, this size is picked to
  trigger an out of bounds write on x86 - you'll probably need to pick a
  different number for x86-64). You'll need to temporarily set your DNS
  server to 127.0.0.1.

  [Testcase]
  Launch the attached script on i386, point resolved at the started dns server, 
execute a dns query via resolved observe that it crashes.
  Upgrade systemd package and observe that resolved no longer crashes.

  [Regression Potential]
  Low, resolved is not used by default in xenial. This is a bug fix to 
resolved, in case somebody does use resolved in xenial.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1695546/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

[Group.of.nepali.translators] [Bug 1695546] Re: Out of bounds write in resolved with crafted TCP responses

2017-07-10 Thread Dimitri John Ledkov 
** Also affects: systemd (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: systemd (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: systemd (Ubuntu Artful)
   Importance: High
 Assignee: Dimitri John Ledkov (xnox)
   Status: Fix Released

** Also affects: systemd (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Changed in: systemd (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: systemd (Ubuntu Yakkety)
   Status: New => Fix Released

** Changed in: systemd (Ubuntu Zesty)
   Status: New => Fix Released

** Description changed:

- Certain sizes passed to dns_packet_new can cause it to allocate a buffer
- that's too small. A page-aligned number - sizeof(DnsPacket) +
- sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a
- page-aligned number - 80. Eg, calling dns_packet_new with a size of 4016
- will result in an allocation of 4096 bytes, but 108 bytes of this are
- for the DnsPacket struct.
+ [Impact]
+ Certain sizes passed to dns_packet_new can cause it to allocate a buffer 
that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + 
sizeof(udphdr) will do this - so, on x86 this will be a page-aligned number - 
80. Eg, calling dns_packet_new with a size of 4016 will result in an allocation 
of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.
  
  A malicious DNS server can exploit this by responding with a specially
  crafted TCP payload to trick systemd-resolved in to allocating a buffer
  that's too small, and subsequently write arbitrary data beyond the end
  of it.
  
  To demonstrate this you can run the attached python script. This is a
  mock DNS server that sends a response where the first two bytes of the
  TCP payload specify a size of 4016 (note, this size is picked to trigger
  an out of bounds write on x86 - you'll probably need to pick a different
  number for x86-64). You'll need to temporarily set your DNS server to
  127.0.0.1.
+ 
+ [Testcase]
+ Launch the attached script on i386, point resolved at the started dns server, 
execute a dns query via resolved observe that it crashes.
+ Upgrade systemd package and observe that resolved no longer crashes.
+ 
+ [Regression Potential]
+ Low, resolved is not used by default in xenial. This is a bug fix to 
resolved, in case somebody does use resolved in xenial.

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1695546

Title:
  Out of bounds write in resolved with crafted TCP responses

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Xenial:
  Confirmed
Status in systemd source package in Yakkety:
  Fix Released
Status in systemd source package in Zesty:
  Fix Released
Status in systemd source package in Artful:
  Fix Released

Bug description:
  [Impact]
  Certain sizes passed to dns_packet_new can cause it to allocate a buffer 
that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + 
sizeof(udphdr) will do this - so, on x86 this will be a page-aligned number - 
80. Eg, calling dns_packet_new with a size of 4016 will result in an allocation 
of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.

  A malicious DNS server can exploit this by responding with a specially
  crafted TCP payload to trick systemd-resolved in to allocating a
  buffer that's too small, and subsequently write arbitrary data beyond
  the end of it.

  To demonstrate this you can run the attached python script. This is a
  mock DNS server that sends a response where the first two bytes of the
  TCP payload specify a size of 4016 (note, this size is picked to
  trigger an out of bounds write on x86 - you'll probably need to pick a
  different number for x86-64). You'll need to temporarily set your DNS
  server to 127.0.0.1.

  [Testcase]
  Launch the attached script on i386, point resolved at the started dns server, 
execute a dns query via resolved observe that it crashes.
  Upgrade systemd package and observe that resolved no longer crashes.

  [Regression Potential]
  Low, resolved is not used by default in xenial. This is a bug fix to 
resolved, in case somebody does use resolved in xenial.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1695546/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp