CVE-2008-0122

Name	CVE-2008-0122
Description	Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
bind9 (PTS)	jessie, jessie (lts)	1:9.9.5.dfsg-9+deb8u31	fixed
	stretch (security)	1:9.10.3.dfsg.P4-12.3+deb9u12	fixed
	stretch (lts), stretch	1:9.10.3.dfsg.P4-12.3+deb9u16	fixed
	buster, buster (lts)	1:9.11.5.P4+dfsg-5.1+deb10u13	fixed
	buster (security)	1:9.11.5.P4+dfsg-5.1+deb10u11	fixed
	bullseye	1:9.16.50-1~deb11u2	fixed
	bullseye (security)	1:9.16.50-1~deb11u1	fixed
	bookworm (security), bookworm	1:9.18.28-1~deb12u2	fixed
	sid, trixie	1:9.20.2-1	fixed
glibc (PTS)	jessie, jessie (lts)	2.19-18+deb8u14	fixed
	stretch (security)	2.24-11+deb9u1	fixed
	stretch (lts), stretch	2.24-11+deb9u7	fixed
	buster (security), buster, buster (lts)	2.28-10+deb10u4	fixed
	bullseye	2.31-13+deb11u11	fixed
	bullseye (security)	2.31-13+deb11u10	fixed
	bookworm	2.36-9+deb12u8	fixed
	bookworm (security)	2.36-9+deb12u7	fixed
	sid, trixie	2.40-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
bind	source	(unstable)	(unfixed)
bind9	source	(unstable)	(not affected)
glibc	source	(unstable)	2.2-1

Notes

[sarge] - bind <no-dsa> (applications will use inet_network in libc)
[etch] - bind <no-dsa> (applications will use inet_network in libc)
- bind9 <not-affected> (does not build libbind)
The fix for the BIND-based resolver in GNU libc was made in 2000.
libbind9 is distinct code, not related to the old libbind.