CVE-2014-3484
Linux Debian vulnerability analysis and mitigation

Overview

Multiple stack-based buffer overflows were discovered in the __dn_expand function in network/dn_expand.c in musl libc versions 0.9.13 through 1.0.3 and 1.1.x before 1.1.2. The vulnerability was identified in June 2014 and assigned CVE-2014-3484. The issue affects programs linked against musl libc that make DNS queries through standard interfaces like getaddrinfo, getnameinfo, gethostbyname, and gethostbyaddr (Openwall Musl).

Technical details

The vulnerability stems from incorrect validation of remaining output buffer space, introduced in commit fcc522c92335783293ac19df318415cd97fbf66b. This allows malformed input to write past the end of the buffer. Additionally, the loop detection logic failed to account for infinite loops with no output, which could cause the function to hang. The vulnerability has a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
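
The two checks described above, shown as an added example (not musl's code and not part of the original report): a name expander that verifies the remaining output space before every write and caps the number of parsing steps, so a compression-pointer loop terminates even when it produces no output. The function name safe_dn_expand and its size_t space parameter are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not musl's code. Expands the (possibly compressed) DNS name
 * at src inside the message [base, end) into dest (space bytes) as a dotted
 * string. Returns bytes the name occupies at src, or -1 if malformed/too long. */
int safe_dn_expand(const unsigned char *base, const unsigned char *end,
                   const unsigned char *src, char *dest, size_t space)
{
    const unsigned char *p = src;
    size_t out = 0, steps, len, off, msglen;
    int consumed = -1;

    if (!base || !end || !src || !dest || src < base || src >= end || !space)
        return -1;
    msglen = (size_t)(end - base);
    /* Step budget: a well-formed name never starts two steps at the same
     * offset, so running out of budget means a pointer loop, including a
     * loop that writes no output. */
    for (steps = 0; steps < msglen; steps++) {
        /* Invariants here: base <= p < end and out < space. */
        if ((*p & 0xc0) == 0xc0) {                 /* compression pointer */
            if (end - p < 2) return -1;
            off = ((size_t)(*p & 0x3f) << 8) | p[1];
            if (consumed < 0) consumed = (int)(p + 2 - src);
            if (off >= msglen) return -1;
            p = base + off;
        } else if (*p & 0xc0) {                    /* reserved label type */
            return -1;
        } else if (*p) {                           /* ordinary label */
            len = *p++;
            if (len >= (size_t)(end - p)) return -1;   /* label leaves the message */
            /* Remaining output space must hold '.', the label and the NUL. */
            if (len + (out ? 1 : 0) >= space - out) return -1;
            if (out) dest[out++] = '.';
            memcpy(dest + out, p, len);
            out += len;
            p += len;
        } else {                                   /* root label ends the name */
            dest[out] = '\0';
            return consumed < 0 ? (int)(p + 1 - src) : consumed;
        }
    }
    return -1;
}
```

Both rejections happen before any byte is written for the offending label, so a failed call never touches memory past dest + space.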

Impact

The vulnerability can be triggered if an attacker controls one of the configured nameservers in resolv.conf or can inject forged UDP packets with controlled contents. This could lead to arbitrary code execution or denial of service through infinite loops. The attack difficulty is considered moderate to high, being most feasible when the attacker has already compromised network infrastructure components like nameservers or routers (Openwall OSS).

Mitigation and workarounds

The issue was fixed in musl libc versions 1.0.3 and 1.1.2. While using a local caching nameserver may provide some mitigation, the recommended solution is to patch to a fixed version. A patch was made available for all affected versions through the musl_dn_expand_overflow_fix_v2.diff file (Openwall Musl).

This report was generated using AI.

