Re: Buffer overflow and DoS in BIND

From: Steven M. Christey (coley@LINUS.MITRE.ORG)
Date: 07/11/02


Date:         Thu, 11 Jul 2002 03:04:40 -0400
From: "Steven M. Christey" <coley@LINUS.MITRE.ORG>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

It is important to note that this issue applies to more than BIND.

As described in the CERT advisory, this can also affect network
applications that use C libraries like libc and glibc, or derived
code.

As I read it, it may also affect client programs, as implied by CERT:
"[There is a] buffer overflow vulnerability in the way the resolver
handles DNS responses... any DNS resolver implementation that derives
code from either of these libraries may also be vulnerable. Network
applications that makes [sic] use of vulnerable resolver libraries are
likely to be affected, therefore this problem is not limited to DNS or
BIND servers." The problem ultimately stems from a single codebase.

- Steve


