Author: Jon Oberheide Date: Sun, February 18th, 2007 Summary ======= Application: libevent Affected Versions: 1.2 - 1.2a Vendor Website: http://monkey.org/~provos/libevent/ Type of Vulnerability: Denial of Service - Remote Background ========== The libevent API provides a mechanism to execute a callback function when a specific event occurs on a file descriptor or after a timeout has been reached. Furthermore, libevent also support callbacks due to signals or regular timeouts. libevent is meant to replace the event loop found in event driven network servers. An application just needs to call event_dispatch() and then add or remove events dynamically without having to change the event loop. Currently, libevent supports /dev/poll, kqueue(2), select(2), poll(2) and epoll(4). Recently, support for non-blocking DNS resolution was added to libevent. Description =========== A bug exists in the parsing of DNS responses in libevent, specifically in the handling of label pointers. Label pointers in DNS are meant to cut down on redundant information and overall response size by allowing a label to reference an arbitrary byte offset in the packet. If a pointer references its own offset, a pointer loop is formed. libevent's parsing code does not properly handle such pointer loops. Impact ====== A malicious resolver, authoritative server, or inline attacker can send a DNS reply containing a pointer loop, causing libevent's DNS parsing to enter an endless loop, effectively DoS'ing the service. Resolution ========== Applications utilizing the DNS resolution functionality of libevent should upgrade to version >= 1.3. -- Jon Oberheide GnuPG Key: 1024D/F47C17FE Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE