CVE-2017-1000378

Name of the Vulnerable Software and Affected Versions NetBSD versions 7.1 and earlier

Description The issue is related to the qsort() function in NetBSD, which is recursive and not randomized. This allows an attacker to construct a pathological input array that causes the function to recurse deterministically, consuming arbitrary amounts of stack memory. This can be used to manipulate stack memory and assist in arbitrary code execution attacks. The exploitation of this issue may enable a remote attacker to execute arbitrary code by using a specially crafted input array.

Recommendations For NetBSD version 7.1 and earlier, consider disabling the use of the qsort() function until a patch is available. As a temporary workaround, restrict the input to the qsort() function to prevent the construction of pathological input arrays. At the moment, there is no information about a newer version that contains a fix for this vulnerability.