Metric | Value |
---|---|
CVSS2 | 10 High |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
EPSS | 0.015 Low |
Percentile | 86.9% |
The inet_network() resolver function contains an off-by-one buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The inet_network() function takes a character string representation for an internet address and returns the internet network number in integer form. inet_network() is implemented by various libbind, libc, and GNU libc versions. Applications that link against a vulnerable version of inet_network() may be vulnerable to a one-byte overflow.
A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.
Apply an update
FreeBSD libc - Apply the patch in FreeBSD Security Advisory FreeBSD-SA-08:02.libc
GNU libc - This issue was resolved on February 11, 2000 in the main (diff) and glibc 2.1 (diff) branches
libbind - This issue will be resolved in libbind 9.3.5, 9.4.3, 2.5.0b2, or later. A patch is also available in the ISC Advisory
203611
Notified: January 17, 2008 Updated: January 25, 2008
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Apply the patch in FreeBSD Security Advisory FreeBSD-SA-08:02.libc
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23203611 Feedback>).
Notified: January 17, 2008 Updated: January 25, 2008
Affected
The GNU C library is not vulnerable. Ulrich Drepper contributed a fix for that bug on 2000-02-11, shortly after importing the code from BIND 8.2.2.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 17, 2008 Updated: January 21, 2008
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
libbind is available in the OpenBSD ports repository.
Notified: January 17, 2008 Updated: January 25, 2008
Not Affected
The issue described in CVE-2008-0122 does not affect Apple products.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 17, 2008 Updated: April 28, 2008
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 17, 2008 Updated: January 31, 2008
Not Affected
Regarding the ISC report concerning a vulnerability in libbind:
The function inet_network() contains a 1-byte overflow. However,
HP is not affected by this 1-byte overflow in inet_network(), because our
inet_network() API implementation in HP-UX (B.11.11, B.11.23, B.11.31) is
different than other operating systems.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 17, 2008 Updated: January 31, 2008
Not Affected
We have evaluated our exposure to exploit #VU203611 (CVE-2008-0122) and have determined we are not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 17, 2008 Updated: January 29, 2008
Not Affected
Ingrian networks products are not susceptible to this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 17, 2008 Updated: January 21, 2008
Not Affected
Mandriva does not provide libbind, and no applications are linked against it; therefore Mandriva is not vulnerable to this issue.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 17, 2008 Updated: January 18, 2008
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 17, 2008 Updated: January 17, 2008
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: January 17, 2008 Updated: January 21, 2008
Unknown
To our knowledge, this vulnerability has already been fixed in the GNU libc resolver in 2000; no current Debian release is affected as a result.
The bind-dev package contains a copy of the vulnerable BIND 8 code, but it is not used by Debian.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: December 10, 2007 Updated: December 10, 2007
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Thanks to Mark Andrews of ISC for reporting this vulnerability.
This document was written by Will Dormann.
CVE IDs: | CVE-2008-0122 |
---|---|
Severity Metric: | 0.76 |
Date Public: | |
secunia.com/advisories/28367
security.freebsd.org/advisories/FreeBSD-SA-08:02.libc.asc
securitytracker.com/alerts/2008/Jan/1019189.html
sourceware.org/cgi-bin/cvsweb.cgi/libc/inet/inet_net.c.diff?r1=1.6.2.1&r2=1.6.2.2&cvsroot=glibc&f=h
sourceware.org/cgi-bin/cvsweb.cgi/libc/inet/inet_net.c.diff?r1=1.8&r2=1.9&cvsroot=glibc&f=h
www.securityfocus.com/bid/27283
xforce.iss.net/xforce/xfdb/39670