Bug#863277: systemd: CVE-2017-9217: systemd-resolved crashed with SIGSEGV in dns_packet_is_reply_for()
Salvatore Bonaccorso
carnil at debian.org
Mon May 29 13:10:26 BST 2017
Hi Michael,
On Mon, May 29, 2017 at 02:04:17PM +0200, Michael Biebl wrote:
> Hi Salvatore!
>
> On Wed, 24 May 2017 20:27:22 +0200 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > Source: systemd
> > Version: 232-23
> > Severity: important
> > Tags: patch upstream security
> > Forwarded: https://github.com/systemd/systemd/pull/5998
> >
> > Hi,
> >
> > the following vulnerability was published for systemd.
> >
> > CVE-2017-9217[0]:
> > | systemd-resolved through 233 allows remote attackers to cause a denial
> > | of service (daemon crash) via a crafted DNS response with an empty
> > | question section.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2017-9217
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9217
> > [1] https://github.com/systemd/systemd/pull/5998
> > [2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
> > [3] https://bugzilla.novell.com/show_bug.cgi?id=1040614
> >
> > Please adjust the affected versions in the BTS as needed. I think the
> > version in jessie should not be affected; unless I'm wrong (and then
> > please correct me) the resolved: DNS client stub resolver was only
> > introduced post v216, and the issue maybe even later (post v219). But
> > would be greatly appreciated if you can confirm that.
>
> I've marked it as found in v217-1, as this was the first version after
> v216 uploaded to the archive. It doesn't matter to much if it's v217 or
> v219 I think. Those uploads all landed in experimental at that time.
Ack thanks.
> As for the bug itself: We don't enable resolved by default in Debian: Do
> you think this bug is important enough that we should get this into 9.0?
> I'd have to ask for an unlock request then.
>
> Otherwise I'd just queue this fix in the stretch branch and try to get
> this into 9.1.
*If* you have other fixes which should go in stretch, then it might be
good to include it. Otherwise I agree, can be fixed in buster and then
in stretch via a point release!
> For now, I'll apply this fix to v233 which is currently in experimental.
Ok!
Regards,
Salvatore
More information about the Pkg-systemd-maintainers
mailing list