CVE-2017-13704

HIGH

Canonical Ubuntu Linux < 2.77 - Improper Input Validation

Description

In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call gets a negative value. Because that parameter is unsigned, memset ends up writing up to 0xffffffff zeros (0xffffffffffffffff on 64-bit platforms), making dnsmasq crash.

References (12)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039474
Issue Tracking, Third Party Advisory x_refsource_confirm
https://access.redhat.com/security/vulnerabilities/3199382
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101085
Release Notes, Vendor Advisory x_refsource_confirm
http://thekelleys.org.uk/dnsmasq/CHANGELOG
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101977

Scores

CVSS v3 7.5
EPSS 0.7932
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-20
Status published
Products (13)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.04
debian/debian_linux 7.0
debian/debian_linux 7.1
debian/debian_linux 9.0
fedoraproject/fedora 27
novell/leap 42.2
novell/leap 42.3
redhat/enterprise_linux_desktop 7.0
... and 3 more
Published Oct 03, 2017
Tracked Since Feb 18, 2026