Candidate: CVE-2017-9107
PublicDate: 2020-06-18 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9107
 http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=278f8eee581c4c4a0ddd0f98c4dc8c2974cf6b90
Description:
 An issue was discovered in adns before 1.5.2. It overruns reading a buffer
 if a domain ends with backslash. If the query domain ended with \, and
 adns_qf_quoteok_query was specified, qdparselabel would read additional
 bytes from the buffer and try to treat them as the escape sequence. It
 would depart the input buffer and start processing many bytes of arbitrary
 heap data as if it were the query domain. Eventually it would run out of
 input or find some other kind of error, and declare the query domain
 invalid. But before then it might outrun available memory and crash. In
 principle this could be a denial of service attack.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_adns:
upstream_adns: needs-triage
precise/esm_adns: DNE
trusty_adns: ignored (out of standard support)
trusty/esm_adns: DNE
xenial_adns: ignored (end of standard support, was needed)
bionic_adns: needed
eoan_adns: ignored (reached end-of-life)
focal_adns: needed
groovy_adns: not-affected (1.6.0-2)
hirsute_adns: not-affected (1.6.0-2)
impish_adns: not-affected (1.6.0-2)
jammy_adns: not-affected (1.6.0-2)
devel_adns: not-affected (1.6.0-2)