Bug#863277: systemd: CVE-2017-9217: systemd-resolved crashed with SIGSEGV in dns_packet_is_reply_for()

Salvatore Bonaccorso carnil at debian.org
Wed May 24 19:27:22 BST 2017

Source: systemd
Version: 232-23
Severity: important
Tags: patch upstream security
Forwarded: https://github.com/systemd/systemd/pull/5998


the following vulnerability was published for systemd.

| systemd-resolved through 233 allows remote attackers to cause a denial
| of service (daemon crash) via a crafted DNS response with an empty
| question section.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9217
[1] https://github.com/systemd/systemd/pull/5998
[2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
[3] https://bugzilla.novell.com/show_bug.cgi?id=1040614

Please adjust the affected versions in the BTS as needed. I think the
version in jessie should not be affected; unless I'm wrong (and then
please correct me) the resolved: DNS client stub resolver was only
introduced post v216, and the issue maybe even later (post v219). But
would be greatly appreciated if you can confirm that.


More information about the Pkg-systemd-maintainers mailing list