GLSA-200605-10 : pdnsd: Denial of Service and potential arbitrary code execution

critical Nessus Plugin ID 21352

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200605-10 (pdnsd: Denial of Service and potential arbitrary code execution).

The pdnsd team has discovered an unspecified buffer overflow vulnerability. The PROTOS DNS Test Suite, by the Oulu University Secure Programming Group (OUSPG), has also revealed a memory leak error within the handling of the QTYPE and QCLASS DNS queries, leading to consumption of large amounts of memory.

Impact:

An attacker can craft malicious DNS queries leading to a Denial of Service, and potentially the execution of arbitrary code.

Workaround:

There is no known workaround at this time.

Solution

All pdnsd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-dns/pdnsd-1.2.4-r1'

See Also

https://security.gentoo.org/glsa/200605-10

Plugin Details

Severity: Critical

ID: 21352

File Name: gentoo_GLSA-200605-10.nasl

Version: 1.16

Type: local

Published: 5/13/2006

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:pdnsd, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/10/2006

Vulnerability Publication Date: 1/10/2006

Reference Information

CVE: CVE-2006-2076, CVE-2006-2077

GLSA: 200605-10