CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.005 Low
Percentile: 75.9%

An issue was discovered in adns before 1.5.2. adns_rr_info mishandles a
bogus *datap. The general pattern for formatting integers is to sprintf
into a fixed-size buffer. This is correct if the input is in the right
range; if it isn’t, the buffer may be overrun (depending on the sizes of
the types on the current platform). Of course the inputs ought to be right.
And there are pointers in there too, so perhaps one could say that the
caller ought to check these things. It may be better to require the caller
to make the pointer structure right, but to have the code here be defensive
about (and tolerate with an error but without crashing) out-of-range
integer values. So: it should defend each of these integer conversion sites
with a check for the actual permitted range, and return adns_s_invaliddata
if not. The lack of this check causes the SOA sign extension bug to be a
serious security problem: the sign extended SOA value is out of range, and
overruns the buffer when reconverted. This is related to sign extending SOA
32-bit integer fields, and use of a signed data type.
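
The range check described above, as an added example (not adns source code): it shows a sign-extended 32-bit field needing more characters than a buffer sized for 32-bit decimals, and a conversion site that rejects it. The function names, status codes and wire bytes are hypothetical or constructed for illustration; the size mismatch appears where long is 64 bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes standing in for the library's own
 * (the page names adns_s_invaliddata). */
enum { ST_OK = 0, ST_INVALIDDATA = 1 };

#define U32_DEC_BUF 11 /* 10 decimal digits of a 32-bit value + NUL */

/* Buggy decode: the 32-bit wire field passes through a signed type, so
 * values >= 0x80000000 become negative when widened to long (conversion
 * to int32_t wraps on mainstream compilers). */
static long decode_signed(const unsigned char *p) {
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (long)(int32_t)u;
}

/* Correct decode: keep the field unsigned end to end. */
static unsigned long decode_unsigned(const unsigned char *p) {
    return ((unsigned long)p[0] << 24) | ((unsigned long)p[1] << 16) |
           ((unsigned long)p[2] << 8) | (unsigned long)p[3];
}

/* Characters "%lu" needs for v (excluding NUL); writes nothing. */
static int digits_needed(long v) {
    return snprintf(NULL, 0, "%lu", (unsigned long)v);
}

/* Defended conversion site: reject out-of-range input, bound the write. */
static int format_u32_checked(long v, char *out, size_t outlen) {
    if (v < 0 || (unsigned long)v > 0xFFFFFFFFul) return ST_INVALIDDATA;
    int n = snprintf(out, outlen, "%lu", (unsigned long)v);
    return (n < 0 || (size_t)n >= outlen) ? ST_INVALIDDATA : ST_OK;
}

int main(void) {
    const unsigned char wire[4] = {0xff, 0xff, 0xff, 0xff}; /* constructed */
    char buf[U32_DEC_BUF];
    long bad = decode_signed(wire);
    printf("sign-extended: %ld needs %d chars, buffer holds %d\n",
           bad, digits_needed(bad), U32_DEC_BUF - 1);
    printf("checked formatter: %d\n", format_u32_checked(bad, buf, sizeof buf));
    int st = format_u32_checked((long)decode_unsigned(wire), buf, sizeof buf);
    printf("unsigned decode: status %d\n", st);
    return 0;
}
```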