CVE-2017-9430

NameCVE-2017-9430
DescriptionStack-based buffer overflow in dnstracer through 1.9 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a command line with a long name argument that is mishandled in a strcpy call for argv[0]. An example threat model is a web application that launches dnstracer with an untrusted name string.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dnstracer (PTS)jessie1.9-4vulnerable
buster, stretch, sid1.9-5vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dnstracersource(unstable)(unfixed)unimportant

Notes

Crash in CLI tool, disputable if any exposed service makes use of dnstrace.
One scenario would be to have a web application that launches dnstracer
with user supplied name strings to evaluate.

Search for package or bug name: Reporting problems