On Sun, Aug 02, 2020 at 10:28:04PM +0200, Moritz Mühlenhoff wrote:
> Hi Peter,
>
> On Mon, Jul 27, 2020 at 05:20:23PM +0300, Peter Pentchev wrote:
> > Now... related to that. I am not sure whether Moritz Muehlenhoff, when
> > reopening this bug, was aware of the fact that Dmitry Bogatov included
> > two patches from Jeff King that address the cache poisoning attack -
> > and actually, the patches were mentioned in this bug log by Matija Nalis
> > back in 2010. Moritz, is it possible that you had missed the inclusion
> > of these two patches, or do you believe that they, by themselves, are
> > still not enough to address this problem? If so, that would indeed be
> > kind of unfortunate, since it is my impression that these particular
> > patches are considered the best way to handle this among users of
> > Prof. Bernstein's software.
>
> I only reopened the bug since there was a discussion on debian-devel about
> the fact that bugs in removed-and-then-reintroduced packages don't get
> automatically reopened and remembered that long-standing bug. The changelog
> made by Dmitry Bogatov doesn't mention it either. If that specific bug is
> believed to be fixed by these two patches, then I trust you on that. So
> feel free to mark the bug as closed in 1:1.05-10, then.
Thanks for your reply! Yes, I think I will do that, since IMHO the problem
is indeed mitigated as much as possible by these patches.

> The fact that djbdns has no active upstream is a different concern, though,
> especially in the wake of the whole qmail disaster. Following it, Georgi
> Guninski raised a few issues on oss-security e.g.
> (https://www.openwall.com/lists/oss-security/2020/06/01/1) and without an
> active upstream no one ever addressed or investigated them.

Ah, I wasn't aware of this thread, thanks for pointing it out! I will reply
to his last message, since one of the problems is nonexistent and the other
one is not really exploitable except in a very narrow, specific case (the
"make a CDB file" routines are only used by the tools that create the
tinydns/axfrdns/rbldns data files, they are never invoked with any network
input, so the only problem scenario would be somebody, e.g. a hosting
provider, using automated tools to create a CDB file that is very, very,
very close to the 4 GB limit, and not noticing that the file is very close
to the (well-documented) limit in time). But, yeah, I may look at other uses
of alloc() in the djbdns source code... and I do kind of get your point in
general, not about this specific case.

I think that Prof. Bernstein considers djbdns to be feature-complete and
bug-free, at least in his own understanding of both these terms; I think
that if any really serious problems should appear, he will comment on them.
Unfortunately, this leaves the maintainers of djbdns in the various
packaging systems with the responsibility to evaluate and mitigate things
that he does not really consider to be really serious problems, you are
right about that.

Well, all I can say is that I have really liked djbdns ever since it first
came out (I was already using qmail, daemontools, and other pieces of
Prof. Bernstein's software; I have since moved on to replacements for most
of them, but I still find the djbdns command-line query tools easier to use
in most cases, usually only falling back to a fully-fledged
hundred-character dig command line), and I will try my best to keep it
usable in Debian.

Again, thanks for your work on this bug, both before and now, and sorry
that this reply came out a bit longer than I intended...

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
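The "very close to the 4 GB limit" scenario above is a size-accounting problem: every position stored in a CDB file is a 32-bit unsigned integer, so the finished file cannot exceed 0xFFFFFFFF bytes, and a builder that adds lengths in 32-bit arithmetic can wrap past that limit without noticing. The following is an added illustration written for this page; it is not code from djbdns, from the message above, or from Prof. Bernstein's cdb library, and the function and type names (cdb_sizer, cdb_sizer_add, cdb_naive_total_u32) are hypothetical. It assumes only the documented on-disk layout of CDB (a 2048-byte pointer table, per-record 4-byte key and data lengths, and trailing hash tables with two 8-byte slots per record) and shows a 64-bit accountant that refuses a record which would push the final file past the limit, next to the 32-bit sum that wraps.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not djbdns code. Sizes follow the documented CDB layout:
 *   - fixed header: 256 (position, length) pairs of 4 bytes each = 2048 bytes
 *   - one record per key: 4-byte key length, 4-byte data length, key, data
 *   - trailing hash tables: 2 slots of 8 bytes (hash, position) per record
 * All positions in the file are 32-bit, so the whole file must fit in 4 GB. */
#define CDB_HEADER_BYTES          2048ULL
#define CDB_RECORD_OVERHEAD          8ULL   /* the two length fields */
#define CDB_SLOT_BYTES_PER_RECORD   16ULL   /* two 8-byte hash slots */
#define CDB_MAX_FILE        0xFFFFFFFFULL   /* largest 32-bit position */

/* Hypothetical accountant tracking a CDB file while it is being built. */
struct cdb_sizer {
    uint64_t bytes;     /* header plus every record accepted so far */
    uint64_t nrecords;  /* records accepted so far */
};

void cdb_sizer_init(struct cdb_sizer *s)
{
    s->bytes = CDB_HEADER_BYTES;
    s->nrecords = 0;
}

/* Hardened check: returns 1 and records the addition if the final file,
 * including the hash tables appended after the last record, still fits in
 * 32-bit positions; returns 0 and leaves the accountant untouched otherwise.
 * Every sum is done in 64-bit so nothing can wrap before the comparison. */
int cdb_sizer_add(struct cdb_sizer *s, uint32_t klen, uint32_t dlen)
{
    uint64_t record = CDB_RECORD_OVERHEAD + (uint64_t)klen + (uint64_t)dlen;
    uint64_t body   = s->bytes + record;
    uint64_t final  = body + (s->nrecords + 1) * CDB_SLOT_BYTES_PER_RECORD;

    if (final > CDB_MAX_FILE)
        return 0;
    s->bytes = body;
    s->nrecords += 1;
    return 1;
}

/* The failure mode for contrast (hypothetical, not how any real tool is
 * written): the same addition in 32-bit arithmetic. Near the limit the sum
 * wraps around and a record that cannot fit looks like a tiny file. */
uint32_t cdb_naive_total_u32(uint32_t bytes_so_far, uint32_t klen, uint32_t dlen)
{
    return bytes_so_far + 8u + klen + dlen;
}

int main(void)
{
    struct cdb_sizer s;
    cdb_sizer_init(&s);

    /* Constructed input: a small record, then one that cannot fit. */
    printf("small record accepted: %d\n", cdb_sizer_add(&s, 3, 5));
    printf("4 GB key accepted:     %d\n", cdb_sizer_add(&s, 0xFFFFFFFFu, 0));
    printf("naive 32-bit total:    %u\n",
           cdb_naive_total_u32((uint32_t)s.bytes, 0xFFFFFFFFu, 0));
    return 0;
}
```

The accountant counts the hash tables up front because they are written after the records, which is exactly where a builder that only watches the record stream would cross the 4 GB boundary late.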