[Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly
Alexander E. Patrakov
patrakov at gmail.com
Tue May 3 17:45:00 BST 2016
2016-05-03 20:37 GMT+05:00 Simon Kelley <simon at thekelleys.org.uk>:
> I'm pretty sure that this is fixed in the current code.
It is indeed fixed in git! But distributions (including Ubuntu and
Arch) are still distributing a vulnerable version and are probably
unaware of it. Could you please apply for a CVE ID (if it doesn't
already exist) so that they fix their packages?
>
> From the CHANGELOG:
>
> Fix crash when an A or AAAA record is defined locally,
> in a hosts file, and an upstream server sends a reply
> that the same name is empty. Thanks to Edwin Török for
> the patch.
>
>> dig @127.0.0.1 crashme.broken-record.chickenkiller.com. AAAA
>>
>> The crash is in cache_insert(), which is called from extract_addresses().
--
Alexander E. Patrakov