CVE-2017-9430 on Dnstracer 1.9

Hello Jon,

We prioritized this as vulnerability as a 'low'[0] issue, so we're unlikely to issue an update for this issue until either more issues in dnstracer are discovered or perhaps if someone prepares an update that we can sponsor.

Do you rely upon calling this tool in an unsafe manner in one of your tools? Or, does one of our tools in main call this tool in an unsafe manner?

Thanks

0: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9430.html

Hi, I am the maintainer of dnstracer in Debian.

What shall we do about this bug report?

I do agree with Seth Arnold that this is a low vulnerability because you need to expose dnstracer publicly in an unsafe manner.

Shall we close the report as the exploitation is not very likely to happen or would you prefer that we integrate the proposed fix directly into the Debian packaging?

As said I don't have any strong opinion on this and both looks good to me.

Regards.

Hi,

I also agree that we could ignore this vulnerability. The exploitation of this vulnerability will rarely happen and even if it happens, it cannot be used to gain privileged access to the system.

Best regards,
Jon

> On Dec 8, 2023, at 05:26, Aloïs Micard <email address hidden> wrote:
>
> Hi, I am the maintainer of dnstracer in Debian.
>
> What shall we do about this bug report?
>
> I do agree with Seth Arnold that this is a low vulnerability because you
> need to expose dnstracer publicly in an unsafe manner.
>
> Shall we close the report as the exploitation is not very likely to
> happen or would you prefer that we integrate the proposed fix directly
> into the Debian packaging?
>
> As said I don't have any strong opinion on this and both looks good to
> me.
>
> Regards.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1734279
>
> Title:
> CVE-2017-9430 on Dnstracer 1.9
>
> Status in dnstracer package in Ubuntu:
> Triaged
>
> Bug description:
> Stack-based buffer overflow in dnstracer through 1.9 allows attackers to execute arbitrary code via a command line with a long name argument that is mishandled in a strcpy call for argv[0].
> Vulnerability: http://jolama.es/temas/dnstracer-exploit/index.php
> Fix: https://github.com/j0lama/Dnstracer-1.9-Fix
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/dnstracer/+bug/1734279/+subscriptions
>

Aloïs, thank you for watching the bugs for this package in Ubuntu!

> What shall we do about this bug report?

From a bug triage perspective, if the plan is that the package will eventually be fixed (whether by patching in packaging or from a new upstream release) then I suggest that we keep the Ubuntu bug task open in the Triaged state until the fix lands in Ubuntu. Then change it to Fix Released. That way others can see the status easily - what this particular bug task is supposed to be tracking is whether or not the bug exists in the development release of Ubuntu.

If the expectation is that the package will never be fixed, then Won't Fix is the correct status to use.

I don't have an opinion on taking steps to fix it any sooner. That's something we can do if someone volunteers, but it sounds like nobody so far considers it important enough, so I suggest we can just wait.