CVE-2017-13704

Description

In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call gets a negative value. As it is an unsigned value, memset ends up writing up to 0xffffffff zero's (0xffffffffffffffff in 64 bit platforms), making dnsmasq crash.

How to fix CVE-2017-13704

To remediate CVE-2017-13704, upgrade the affected package to a fixed version below.

Alpine/dnsmasq—upgrade to 2.78-r0 or later
—upgrade to 2.78-1 or later

Is CVE-2017-13704 being exploited?

Likely — EPSS is 77.8%, placing CVE-2017-13704 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 2.78-r0
from 0, < 2.78-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2017-13704
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-13704