CVE-2008-0122

Name	CVE-2008-0122
Description	Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
bind9 (PTS)	jessie, jessie (lts)	1:9.9.5.dfsg-9+deb8u30	fixed
	stretch (security)	1:9.10.3.dfsg.P4-12.3+deb9u12	fixed
	stretch (lts), stretch	1:9.10.3.dfsg.P4-12.3+deb9u15	fixed
	buster	1:9.11.5.P4+dfsg-5.1+deb10u7	fixed
	buster (security)	1:9.11.5.P4+dfsg-5.1+deb10u10	fixed
	bullseye	1:9.16.44-1~deb11u1	fixed
	bullseye (security)	1:9.16.48-1	fixed
	bookworm	1:9.18.19-1~deb12u1	fixed
	bookworm (security)	1:9.18.24-1	fixed
	sid, trixie	1:9.19.21-1	fixed
glibc (PTS)	jessie, jessie (lts)	2.19-18+deb8u12	fixed
	stretch (security)	2.24-11+deb9u1	fixed
	stretch (lts), stretch	2.24-11+deb9u5	fixed
	buster	2.28-10+deb10u1	fixed
	buster (security)	2.28-10+deb10u2	fixed
	bullseye	2.31-13+deb11u8	fixed
	bullseye (security)	2.31-13+deb11u9	fixed
	bookworm	2.36-9+deb12u4	fixed
	bookworm (security)	2.36-9+deb12u6	fixed
	sid, trixie	2.37-18	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
bind	source	(unstable)	(unfixed)
bind9	source	(unstable)	(not affected)
glibc	source	(unstable)	2.2-1

Notes

[sarge] - bind <no-dsa> (applications will use inet_network in libc)
[etch] - bind <no-dsa> (applications will use inet_network in libc)
- bind9 <not-affected> (does not build libbind)
The fix for the BIND-based resolver in GNU libc was made in 2000.
libbind9 is distinct code, not related to the old libbind.