CVE-2017-13704

CWE-20 — Improper Input Validation CWE-190 — Integer Overflow7 documents7 sources

Severity

7.5HIGH

EPSS

79.3%

top 0.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Thekelleys Dnsmasq Canonical Ubuntu Linux Debian Debian Linux +5 more

Timeline

PublishedOct 3

Latest updateMay 14

Description

In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call gets a negative value. As it is an unsigned value, memset ends up writing up to 0xffffffff zero's (0xffffffffffffffff in 64 bit platforms), making dnsmasq crash.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶Debiandnsmasq< 2.78-1+3

▶NVDthekelleys/dnsmasq2.77

▶NVDnovell/leap42.2, 42.3+1

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

Also affects: Debian Linux 7.0, 7.1, 9.0, Fedora 27, Ubuntu Linux 14.04, 16.04, 17.04

🔴Vulnerability Details

GHSA

GHSA-mprq-hpvv-8wcc: In dnsmasq before 2↗2022-05-14

▶

OSV

CVE-2017-13704: In dnsmasq before 2↗2017-10-03

▶

CVEList

CVE-2017-13704: In dnsmasq before 2↗2017-10-02

▶

📋Vendor Advisories

Red Hat

dnsmasq: Size parameter overflow via large DNS query↗2017-08-21

▶

Debian

CVE-2017-13704: dnsmasq - In dnsmasq before 2.78, if the DNS packet size does not match the expected size,...↗2017

▶

💬Community

Bugzilla

CVE-2017-13704 dnsmasq: Size parameter overflow via large DNS query↗2017-09-26

▶