OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2025-12-29 15:56:07 +01:00
Code Issues Packages Projects Releases Wiki Activity

Stack overflow in Trust-DNS when parsing DNS packet

Browse Source
This commit is contained in:
Ossi Herrala
2018-10-11 15:55:18 +03:00
parent b2125b68a5
commit d6b9d03e45
1 changed files with 60 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
crates/trust-dns-proto/RUSTSEC-0000-0000.toml Normal file
View File

@@ -0,0 +1,60 @@
[advisory]
# Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN"
# identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs.
id = "RUSTSEC-0000-0000"
# Name of the affected crate (mandatory)
package = "trust-dns-proto"
# Disclosure date of the advisory as an RFC 3339 date (mandatory)
date = "2017-10-09"
# Single-line description of a vulnerability (mandatory)
title = "Stack overflow when parsing malicious DNS packet"
# Enter a short-form description of the vulnerability here (mandatory)
description = """
There's a stack overflow leading to a crash when Trust-DNS's parses a
malicious DNS packet.
Affected versions of this crate did not properly handle parsing of DNS message
compression (RFC1035 section 4.1.4). The parser could be tricked into infinite
loop when a compression offset pointed back to the same domain name to be
parsed.
This allows an attacker to craft a malicious DNS packet which when consumed
with Trust-DNS could cause stack overflow and crash the affected software.
The flaw was corrected by trust-dns-proto 0.4.3 and upcoming 0.5.0 release.
"""
# Versions which include fixes for this vulnerability (mandatory)
patched_versions = [">= 0.4.3", ">= 0.5.0-alpha.3" ]
# Versions which were never vulnerable (optional)
#unaffected_versions = ["< 1.1.0"]
# URL to a long-form description of this issue, e.g. a GitHub issue/PR,
# a change log entry, or a blogpost announcing the release (optional)
# url = ""
# Keywords which describe this vulnerability, similar to Cargo (optional)
keywords = [ "stack-overflow", "crash" ]
# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
# Request a CVE for your RustSec vulns: https://iwantacve.org/
#aliases = ["CVE-2018-XXXX"]
# References to related vulnerabilities (optional)
# e.g. CVE for a C library wrapped by a -sys crate)
#references = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]
# CPU architectures impacted by this vulnerability (optional)
# For a list of CPU architecture strings, see the "platforms" crate:
# <https://docs.rs/platforms/latest/platforms/target/enum.Arch.html>
#affected_arch = ["x86", "x86_64"]
# Operating systems impacted by this vulnerability (optional)
# For a list of OS strings, see the "platforms" crate:
# <https://docs.rs/platforms/latest/platforms/target/enum.OS.html>
#affected_os = ["windows"]