CLA-2002:507-Resolver libraries vulnerabilities

by Nikola Strahija on July 12th, 2002

There is a buffer overflow vulnerability[1,4] in several DNS resolver libraries that affects all applications linked to these libraries. In Conectiva Linux the vulnerability affects the libbind library included in the BIND[2] distribution and a resolver library included with glibc.

A remote attacker who is able to send malicious DNS responses to
vulnerable machines could exploit this vulnerability and potentially
execute arbitrary code with the privileges of the application making
use of the vulnerable resolver library.

Regarding the BIND 9.x packages distributed with Conectiva Linux 7.0
and 8, the "libbind" library is not included nor generated, which
means that these packages are not vulnerable to this problem.

The 8.2 BIND packages shipped with Conectiva Linux 6.0, on the other
hand, use the libbind library in their utilities and are being
upgraded to the 8.2.6 version which was released by ISC[3] to address
this problem. Please note that the "named" daemon is believed to be
*not* vulnerable to this problem, even in versions prior to 8.2.6.

Glibc has this vulnerability in the getnetby* family of functions
when the system is configured to use dns to resolve network names. In
the default installation, however, this is disabled in the
/etc/nsswitch.conf configuration file:

Example of a vulnerable system:
networks: files dns

System without this vulnerability exposed (default nsswitch
networks: files

It is recommended that all users upgrade the glibc packages. If an
upgrade is not possible at this time, please review the
/etc/nsswitch.conf file and make sure your configuration is not
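The review of /etc/nsswitch.conf recommended above can be scripted. The following is an added example, not part of the advisory or of Conectiva's packages: a small POSIX shell function that reports whether the "networks" database in a given nsswitch.conf file lists "dns" (the exposed configuration), ignoring commented-out lines and inline comments. The two sample files are constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory). Exit status 0 means the "networks"
# line of the given nsswitch.conf lists "dns", i.e. the getnetby* functions
# will query DNS and the configuration is exposed; 1 means it does not.
networks_uses_dns() {
    awk '
        { sub(/#.*/, "") }                # drop comments, then re-split fields
        $1 == "networks:" {
            for (i = 2; i <= NF; i++) if ($i == "dns") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Prints a human-readable verdict; returns 1 when the file is exposed.
check_and_report() {
    if networks_uses_dns "$1"; then
        echo "$1: networks database uses dns (exposed configuration)"
        return 1
    fi
    echo "$1: networks database does not use dns"
    return 0
}

# Constructed sample files (hypothetical, not copied from any system).
VULN_CONF=$(mktemp)
SAFE_CONF=$(mktemp)
trap 'rm -f "$VULN_CONF" "$SAFE_CONF"' EXIT

cat > "$VULN_CONF" <<'EOF'
passwd:   files
networks: files dns   # resolve network names via DNS
EOF

cat > "$SAFE_CONF" <<'EOF'
passwd:   files
# networks: files dns   (commented out, so not active)
networks: files
EOF

check_and_report "$VULN_CONF"
check_and_report "$SAFE_CONF"
```

Run it as `networks_uses_dns /etc/nsswitch.conf` on a real host to check the live configuration.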

Conectiva Linux 6.0 BIND users should also upgrade the bind packages.
After the upgrade the service will be automatically restarted if it
was already running.

After upgrading the glibc packages, all programs linked against it
need to be restarted in order to use the newly installed files. A
list of such programs can be obtained by executing the following
command (the "lsof" package has to be installed):

lsof | grep 'libc.*'

The first column will show the name of the program that will need to
be restarted. If there is any doubt about which service needs a
restart, then a reboot is recommended.



Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):

rpm [cncbr] 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples
can be found at

