GNU C Library
cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*
- >= 2.2, < 2.34
A buffer overflow vulnerability has been identified in the GNU C Library (glibc) versions 2.2 and newer. The issue arises in the deprecated functions ns_sprintrrf, ns_sprintrr, and fp_nquery, which fail to properly validate the length of caller-supplied buffers when processing TSIG records. This oversight can lead to out-of-bounds writes, potentially overwriting memory and causing application crashes. The vulnerability is not present in the default DNS resolver operation but affects public DNS packet-printing APIs that may be used to process untrusted DNS messages.
Exploitation of this vulnerability causes a buffer overflow by writing past the allocated buffer limits, which can lead to memory corruption. In applications compiled with buffer overflow protections, this out-of-bounds write can trigger a process termination due to a failed assertion.
The vulnerability can be reproduced by calling the ns_sprintrrf function with a TSIG record that includes a crafted RDATA field. The attached proof-of-concept demonstrates this with a malformed DNS response that takes advantage of the missing length validation, causing the application to write beyond the intended buffer limits.
Users are advised to avoid using the affected functions, as they have been deprecated since glibc version 2.34. Applications should be updated to remove reliance on these interfaces.
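A stopgap for code that cannot yet drop the affected functions, added here as an example and not taken from glibc or from this advisory: because the overflow is reached while printing TSIG records, a caller can scan an untrusted message first and refuse to print it when a TSIG record (type 250) is present or the message is malformed. The names dns_has_tsig and skip_name and the two sample messages are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define DNS_TYPE_TSIG 250 /* TSIG RR type (RFC 8945) */

/* Constructed samples: one A record; one TSIG record with empty RDATA. */
const uint8_t SAMPLE_A[] = {0x12,0x34,0x81,0x80, 0,0, 0,1, 0,0, 0,0,
    1,'a',0, 0,1, 0,1, 0,0,0,0, 0,4, 127,0,0,1};
const uint8_t SAMPLE_TSIG[] = {0x12,0x34,0x81,0x80, 0,0, 0,0, 0,0, 0,1,
    1,'k',0, 0,250, 0,255, 0,0,0,0, 0,0};

/* Skip one encoded name; return the offset just past it, or 0 if malformed. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    for (; off < len; off += 1 + (size_t)m[off]) {
        if (m[off] == 0) return off + 1;
        if ((m[off] & 0xC0) == 0xC0)   /* compression pointer ends the name */
            return len - off >= 2 ? off + 2 : 0;
        if (m[off] & 0xC0) return 0;   /* reserved label type */
    }
    return 0;
}

/* 1 = message carries a TSIG RR, 0 = none, -1 = malformed (refuse as well). */
int dns_has_tsig(const uint8_t *m, size_t len)
{
    if (len < 12) return -1;           /* fixed DNS header is 12 bytes */
    unsigned qd = (unsigned)m[4] << 8 | m[5], rrs = 0;
    for (int i = 6; i < 12; i += 2) rrs += (unsigned)m[i] << 8 | m[i + 1];
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) {    /* question: name, type, class */
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 4) return -1;
        off += 4;
    }
    for (unsigned i = 0; i < rrs; i++) {   /* RR: name, 10 fixed bytes, RDATA */
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 10) return -1;
        unsigned type = (unsigned)m[off] << 8 | m[off + 1];
        size_t rdlen = (size_t)m[off + 8] << 8 | m[off + 9];
        off += 10;
        if (len - off < rdlen) return -1;  /* RDATA runs past the message */
        if (type == DNS_TYPE_TSIG) return 1;
        off += rdlen;
    }
    return 0;
}
```

Only a return value of 0 should allow the message to reach the printing functions; both 1 and -1 mean refuse.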