Bug#518169: marked as done (djbdns<=1.05 lets AXFRed subdomains overwrite domains)

Fri, 04 Sep 2009 12:07:44 -0700 

Your message dated Fri, 04 Sep 2009 18:31:51 +0000
with message-id <e1mjdzf-00062p...@ries.debian.org>
and subject line Bug#518169: fixed in djbdns 1:1.05-4+lenny1
has caused the Debian Bug report #518169,
regarding djbdns<=1.05 lets AXFRed subdomains overwrite domains
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
518169: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518169
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: djbdns
Version: 1:1.05-4
Severity: grave
Tags: security
Justification: user security hole

Message-ID: <20090304013421.60368.qm...@cr.yp.to>
Subject: djbdns<=1.05 lets AXFRed subdomains overwrite domains
To: d...@list.cr.yp.to
From: "D. J. Bernstein" <d...@cr.yp.to>

If the administrator of example.com publishes the example.com DNS data
through tinydns and axfrdns, and includes data for sub.example.com
transferred from an untrusted third party, then that third party can
control cache entries for example.com, not just sub.example.com. This is
the result of a bug in djbdns pointed out by Matthew Dempsky. (In short,
axfrdns compresses some outgoing DNS packets incorrectly.)

Even though this bug affects very few users, it is a violation of the
expected security policy in a reasonable situation, so it is a security
hole in djbdns. Third-party DNS service is discouraged in the djbdns
documentation but is nevertheless supported. Dempsky is hereby awarded
$1000.

The next release of djbdns will be backed by a new security guarantee.
In the meantime, if any users are in the situation described above,
those users are advised to apply Dempsky's patch and requested to accept
my apologies. The patch is also recommended for other users; it corrects
the bug without any side effects. A copy of the patch appears below.

---D. J. Bernstein 
   Research Professor, Computer Science, University of Illinois at Chicago


--- response.c.orig     2009-02-24 21:04:06.000000000 -0800
+++ response.c  2009-02-24 21:04:25.000000000 -0800
@@ -34,7 +34,7 @@
         uint16_pack_big(buf,49152 + name_ptr[i]);
         return response_addbytes(buf,2);
       }
-    if (dlen <= 128)
+    if ((dlen <= 128) && (response_len < 16384))
       if (name_num < NAMES) {
        byte_copy(name[name_num],dlen,d);
        name_ptr[name_num] = response_len;

--- End Message ---
--- Begin Message --- 
Source: djbdns
Source-Version: 1:1.05-4+lenny1

We believe that the bug you reported is fixed in the latest version of
djbdns, which is due to be installed in the Debian FTP archive:

dbndns_1.05-4+lenny1_i386.deb
  to pool/main/d/djbdns/dbndns_1.05-4+lenny1_i386.deb
djbdns_1.05-4+lenny1.diff.gz
  to pool/main/d/djbdns/djbdns_1.05-4+lenny1.diff.gz
djbdns_1.05-4+lenny1.dsc
  to pool/main/d/djbdns/djbdns_1.05-4+lenny1.dsc
djbdns_1.05-4+lenny1_i386.deb
  to pool/main/d/djbdns/djbdns_1.05-4+lenny1_i386.deb
dnscache-run_1.05-4+lenny1_all.deb
  to pool/main/d/djbdns/dnscache-run_1.05-4+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerrit Pape <p...@smarden.org> (supplier of updated djbdns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 04 Mar 2009 15:57:16 +0000
Source: djbdns
Binary: djbdns dbndns dnscache-run
Architecture: source all i386
Version: 1:1.05-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Gerrit Pape <p...@smarden.org>
Description: 
 dbndns     - Debian fork of djbdns, a collection of Domain Name System tools
 djbdns     - a collection of Domain Name System tools
 dnscache-run - djbdns dnscache service
Closes: 517631 517631 518169 518169
Changes: 
 djbdns (1:1.05-4+lenny1) stable-security; urgency=high
 .
   * debian/diff/0002-djbdns-misformats-some-long-response...diff: new;
     djbdns misformats some long response packets; patch and example
     attack (closes: #518169, #517631).
   * dbndns/diff/0003-djbdns-misformats-some-long-response...diff: new;
     djbdns misformats some long response packets; patch and example
     attack (closes: #518169, #517631).
Checksums-Sha1: 
 c5803f4e60a1d1ee85b108463874b43d4aebaf3a 1237 djbdns_1.05-4+lenny1.dsc
 2efdb3a039d0c548f40936aa9cb30829e0ce8c3d 85648 djbdns_1.05.orig.tar.gz
 2b82cee735f3c45100e33aa3815f2c216ad543d5 52796 djbdns_1.05-4+lenny1.diff.gz
 d40fafcbdf0bf279756c515d2605bcf74a11de80 11892 
dnscache-run_1.05-4+lenny1_all.deb
 4357cb96a02861677a1766e98ea3a5063b652138 237334 djbdns_1.05-4+lenny1_i386.deb
 64c82737f512eac13f26f8adf9e1b5c90ef92e44 269360 dbndns_1.05-4+lenny1_i386.deb
Checksums-Sha256: 
 e6bc44fa4c62016c747a379e892eb28d485b580ca595412c9cb0fc7c722a452d 1237 
djbdns_1.05-4+lenny1.dsc
 3ccd826a02f3cde39be088e1fc6aed9fd57756b8f970de5dc99fcd2d92536b48 85648 
djbdns_1.05.orig.tar.gz
 46959cc26becf20a9deb637582cd16b8bcc5d60ddf97d0f0efc10d814b13aeab 52796 
djbdns_1.05-4+lenny1.diff.gz
 25e2a69b8ab1c13aadf97cf08cfbd1e7cd1ebd72a1f686190b3cee89683ed221 11892 
dnscache-run_1.05-4+lenny1_all.deb
 302d64a078577841594017100c90602fbab737f10f5cdfaa65db6eeddbd54610 237334 
djbdns_1.05-4+lenny1_i386.deb
 16688374bac2b2af143bcba4ba913d933c9d7b910f1e4f7d22d05818ef22b184 269360 
dbndns_1.05-4+lenny1_i386.deb
Files: 
 b7dc377faa3cc915a4fc4c831188c536 1237 net optional djbdns_1.05-4+lenny1.dsc
 3147c5cd56832aa3b41955c7a51cbeb2 85648 net optional djbdns_1.05.orig.tar.gz
 aa741f98a1c7d7b64f49b3ec3d69646d 52796 net optional 
djbdns_1.05-4+lenny1.diff.gz
 0f09b110a5a7ea7090dfc315a8a07195 11892 net optional 
dnscache-run_1.05-4+lenny1_all.deb
 ea0f66d842ce13a6a989efb387745813 237334 net optional 
djbdns_1.05-4+lenny1_i386.deb
 cb87c5c2b60dbb6e2bc30b6e47ea5beb 269360 net optional 
dbndns_1.05-4+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJKWMHxAAoJECIIoQCMVaAcDLQH/iV0I54SN6HNP3zne3k0iCIa
uktrhHOEFQ0xUuVfXFg8xA8vsHSxpue2iTZd8MFSDLCQAT6LuBSAYnCXd2cys7pJ
KKe8SHtXV4yMT4QPFMb7G9S+mvCc9+Rs4VZo2YtgkZ9qvoipqa1nEQwOPqVE7mdy
+qKzBNStklsga4KvQvvXkTjEGqPbhuQeJrAn5cATys1N5Gg/+KRWXJsmXZN22R/D
hOsRdAKQ0a/ujFOdvE5PvLSLA9Ks7cQZpz1vTqsVm3aj86cSMy06gbkTqIPzHPZ6
aczZitDL2tUn1mTCkf0MImdSjNd5pPcekv5zYj1nenMz9I6o1QgTg7AnQySNwNk=
=VgU2
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to