Your message dated Sat, 10 Mar 2007 01:02:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#406465: fixed in pdns 2.9.20-8
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: pdns-server
Version: 2.9.20-7
Severity: serious
Tags: security

(serious because what I see looks like a buffer overflow, however, I
didn't look into the code yet, so I make no claims as to whether this is
exploitable)

Having a TXT record in a bind-backend zone file that contains a
parenthesis "(" character causes all kinds of weird things.

Firstly, the zone fails to serve. Syslog says:
Jan 11 11:40:47 foo pdns[29515]: Zone 'a-eskwadraat.nl' (/etc/powerdns/zonefiles/db.nl.a-eskwadraat) reloaded

but all queries including zone transfers result in servfail:
Jan 11 11:40:47 foo pdns[29515]: Not authoritative for 'foo.a-eskwadraat.nl', sending servfail to 127.0.0.1 (recursion was desired)

After replacing

foo TXT "("

with

foo TXT "paren-open"

and reloading, I get the following:

| foo:/etc/powerdns# dig  foo.a-eskwadraat.nl TXT @localhost
| 
| ; <<>> DiG 9.3.3 <<>> foo.a-eskwadraat.nl TXT @localhost
| ; (1 server found)
| ;; global options:  printcmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8804
| ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
| 
| ;; QUESTION SECTION:
| ;foo.a-eskwadraat.nl.           IN      TXT
| 
| ;; ANSWER SECTION:
| foo.a-eskwadraat.nl.    3600    IN      TXT     "paren-open"
| foo.a-eskwadraat.nl.    3600    IN      TXT     "foo a 1.2.3.4\010@ ns
| ns1.xel.nl. ns ns3.xel.nl.\010$ttl 1d@ in soa ns.a-eskwadraat.nl.
| sysop.a-eskwadraat.nl. ( 2006110910 6h 30m 4w 1d"

This is interesting, because the data listed here comes from the *old*
zonefile (afaics). Also, of course the TXT record shouldn't suddenly
contain literal zonefile data like this.

Powerdns should really treat such TXT record strings as opaque strings,
and not treat characters in them specially.

--Jeroen

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl


--- End Message ---
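
The rule the report asks for, as an added example (not part of the original report and not PowerDNS's code): in RFC 1035 master-file syntax, parentheses continue a record across lines only outside quoted strings. `splitRecords`, `kSampleZone` and the `quoteAware` switch are hypothetical names, and the non-quote-aware mode is an assumed failure mode shown for contrast, not a reconstruction of the actual defect.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed sample zone, modelled on the report (names are placeholders).
const std::string kSampleZone =
    "$TTL 1d\n"
    "@ IN SOA ns.example.nl. sysop.example.nl. (\n"
    "    2006110910 6h 30m 4w 1d )\n"
    "@ NS ns1.example.net.\n"
    "foo TXT \"(\"\n"
    "foo A 1.2.3.4\n";

// Split master-file text into logical records. With quoteAware=true, "(", ")"
// and ";" inside a quoted string are plain data; false ignores quoting.
std::vector<std::string> splitRecords(const std::string& zone, bool quoteAware) {
    std::vector<std::string> records;
    std::string cur;
    int depth = 0;                              // open parentheses outside quotes
    bool inQuote = false, inComment = false;
    for (std::size_t i = 0; i < zone.size(); ++i) {
        char c = zone[i];
        if (inComment) { if (c != '\n') continue; inComment = false; }
        if (inQuote) {
            if (c == '\\' && i + 1 < zone.size()) { cur += c; cur += zone[++i]; continue; }
            if (c == '"') inQuote = false;      // unescaped quote closes the string
            cur += c;
            continue;
        }
        if (c == '"' && quoteAware) { inQuote = true; cur += c; }
        else if (c == ';') inComment = true;    // comment runs to end of line
        else if (c == '(') { ++depth; cur += c; }
        else if (c == ')') { if (depth > 0) --depth; cur += c; }
        else if (c == '\n') {
            if (depth > 0) { cur += ' '; continue; }   // continuation line
            if (!cur.empty()) records.push_back(cur);
            cur.clear();
        }
        else cur += c;
    }
    if (!cur.empty()) records.push_back(cur);   // unterminated tail, kept for inspection
    return records;
}

int main() {
    for (bool aware : {false, true})
        std::cout << (aware ? "quote-aware: " : "naive: ")
                  << splitRecords(kSampleZone, aware).size() << " records\n";
}
```

With quoting ignored, the `"("` in the TXT data opens a group that never closes, so the following A record is absorbed into the TXT record instead of being parsed on its own.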
--- Begin Message ---
Source: pdns
Source-Version: 2.9.20-8

We believe that the bug you reported is fixed in the latest version of
pdns, which is due to be installed in the Debian FTP archive:

pdns-backend-geo_2.9.20-8_i386.deb
  to pool/main/p/pdns/pdns-backend-geo_2.9.20-8_i386.deb
pdns-backend-ldap_2.9.20-8_i386.deb
  to pool/main/p/pdns/pdns-backend-ldap_2.9.20-8_i386.deb
pdns-backend-mysql_2.9.20-8_i386.deb
  to pool/main/p/pdns/pdns-backend-mysql_2.9.20-8_i386.deb
pdns-backend-pgsql_2.9.20-8_i386.deb
  to pool/main/p/pdns/pdns-backend-pgsql_2.9.20-8_i386.deb
pdns-backend-pipe_2.9.20-8_i386.deb
  to pool/main/p/pdns/pdns-backend-pipe_2.9.20-8_i386.deb
pdns-backend-sqlite_2.9.20-8_i386.deb
  to pool/main/p/pdns/pdns-backend-sqlite_2.9.20-8_i386.deb
pdns-doc_2.9.20-8_all.deb
  to pool/main/p/pdns/pdns-doc_2.9.20-8_all.deb
pdns-server_2.9.20-8_i386.deb
  to pool/main/p/pdns/pdns-server_2.9.20-8_i386.deb
pdns_2.9.20-8.diff.gz
  to pool/main/p/pdns/pdns_2.9.20-8.diff.gz
pdns_2.9.20-8.dsc
  to pool/main/p/pdns/pdns_2.9.20-8.dsc
pdns_2.9.20-8_all.deb
  to pool/main/p/pdns/pdns_2.9.20-8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthijs Mohlmann <[EMAIL PROTECTED]> (supplier of updated pdns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 10 Mar 2007 01:20:58 +0100
Source: pdns
Binary: pdns-server pdns-backend-ldap pdns-backend-pipe pdns-backend-geo 
pdns-backend-mysql pdns pdns-backend-pgsql pdns-backend-sqlite pdns-doc
Architecture: source i386 all
Version: 2.9.20-8
Distribution: unstable
Urgency: high
Maintainer: Debian PowerDNS Maintainers <[EMAIL PROTECTED]>
Changed-By: Matthijs Mohlmann <[EMAIL PROTECTED]>
Description: 
 pdns       - meta package for the pdns nameserver
 pdns-backend-geo - geo backend for PowerDNS
 pdns-backend-ldap - LDAP backend for PowerDNS
 pdns-backend-mysql - generic mysql backend for PowerDNS
 pdns-backend-pgsql - generic PostgreSQL backend for PowerDNS
 pdns-backend-pipe - pipe/coprocess backend for PowerDNS
 pdns-backend-sqlite - sqlite backend for PowerDNS
 pdns-doc   - PowerDNS manual
 pdns-server - extremely powerful and versatile nameserver
Closes: 406465 408726 413756
Changes: 
 pdns (2.9.20-8) unstable; urgency=high
 .
   [ Christoph Haas ]
   * Updated czech translation (Closes: #408726)
   * New galician translation (Closes: #413756)
   * Added patch for potential buffer overflow, high urgency (Closes: #406465)
 .
   [ Matthijs Mohlmann ]
   * LDAP backend changes
     - Supports SOA autocalculation
     - Handles dc=* correctly

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF8f+S2n1ROIkXqbARAmXLAJ0SVyrkyXvYCw27Y8CR7VZG7/JVRQCgj5zS
t+o7G9Y7Xjhqg+PLBfGnPow=
=E02V
-----END PGP SIGNATURE-----


--- End Message ---
