From owner-freebsd-security Wed Jun 26 17:18:35 2002
Message-Id: <200206270012.g5R0C8m0029482@drugs.dv.isc.org>
To: Brett Glass
Cc: security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
In-reply-to: Your message of "Wed, 26 Jun 2002 13:33:34 CST." <4.3.2.7.2.20020626133115.022a0d30@localhost>
Date: Thu, 27 Jun 2002 10:12:08 +1000

> Aaargh. This will affect not only more recent systems but
> the older 3.x and embedded systems I maintain for people.
> There's no patch for these, and in the case of the embedded
> systems that use BSD I can't upgrade.
>
> Any word on whether one can detect and block such attacks
> upstream via an IDS or a proxy at the firewall?
>
> --Brett Glass

Provided you are behind a nameserver you trust that reconstructs
the answer you should be fine. BIND 9 reconstructs all answers
(excluding forwarded UPDATES). BIND 8 forwards some and
reconstructs others.

Mark
>
> At 01:08 PM 6/26/2002, FreeBSD Security Advisories wrote:
>
> >=============================================================================
> >FreeBSD-SA-02:28.resolv                                     Security Advisory
> >                                                          The FreeBSD Project
> >
> >Topic:          buffer overflow in resolver
> >
> >Category:       core
> >Module:         libc
> >Announced:      2002-06-26
> >Credits:        Joost Pol
> >Affects:        All releases prior to and including 4.6-RELEASE
> >Corrected:      2002-06-26 06:34:18 UTC (RELENG_4)
> >                2002-06-26 08:44:24 UTC (RELENG_4_6)
> >                2002-06-26 18:53:20 UTC (RELENG_4_5)
> >FreeBSD only:   NO
> >
> >I.   Background
> >
> >The resolver implements functions for making, sending and interpreting
> >query and reply messages with Internet domain name servers.
> >Hostnames, IP addresses, and other information are queried using the
> >resolver.
> >
> >II.  Problem Description
> >
> >DNS messages have specific byte alignment requirements, resulting in
> >padding in messages. In a few instances in the resolver code, this
> >padding is not taken into account when computing available buffer
> >space. As a result, the parsing of a DNS message may result in a
> >buffer overrun of up to a few bytes for each record included in the
> >message.
> >
> >III. Impact
> >
> >An attacker (either a malicious domain name server or an agent that
> >can spoof DNS messages) may produce a specially crafted DNS message
> >that will exploit this bug when parsed by an application using the
> >resolver. It may be possible for such an exploit to result in the
> >execution of arbitrary code with the privileges of the resolver-using
> >application. Though no exploits are known to exist today, since
> >practically all Internet applications utilize the resolver, the
> >severity of this issue is high.
> >
> >IV.  Workaround
> >
> >There is currently no workaround.
> >
> >V.   Solution
> >
> >Do one of the following:
> >
> >1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6
> >or RELENG_4_5 security branch dated after the correction date
> >(4.6-RELEASE-p1 or 4.5-RELEASE-p7).
> >
> >2) To patch your present system:
> >
> >The following patch has been verified to apply to FreeBSD 4.5 and
> >FreeBSD 4.6 systems.
> >
> >a) Download the relevant patch from the location below, and verify the
> >detached PGP signature using your PGP utility.
> >
> ># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch
> ># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch.asc
> >
> >b) Execute the following commands as root:
> >
> ># cd /usr/src
> ># patch < /path/to/patch
> >
> >c) Recompile the operating systems as described in
> >.
> >
> >Note that any statically linked applications that are not part of
> >the base system (i.e. from the Ports Collection or other 3rd-party
> >sources) must be recompiled.
> >
> >VI.  Correction details
> >
> >The following list contains the revision numbers of each file that was
> >corrected in FreeBSD.
> >
> >Path                                                             Revision
> >  Branch
> >- -------------------------------------------------------------------------
> >src/lib/libc/net/gethostbydns.c
> >  RELENG_4                                                       1.27.2.2
> >  RELENG_4_6                                                    1.27.10.1
> >  RELENG_4_5                                                     1.27.8.1
> >src/lib/libc/net/getnetbydns.c
> >  RELENG_4                                                       1.13.2.2
> >  RELENG_4_6                                                 1.13.2.1.8.1
> >  RELENG_4_5                                                 1.13.2.1.6.1
> >src/lib/libc/net/name6.c
> >  RELENG_4                                                        1.6.2.6
> >  RELENG_4_6                                                  1.6.2.5.8.1
> >  RELENG_4_5                                                  1.6.2.5.6.1
> >src/sys/conf/newvers.sh
> >  RELENG_4_6                                                1.44.2.23.2.2
> >  RELENG_4_5                                                1.44.2.20.2.8
> >- -------------------------------------------------------------------------
> >
> >VII. References
> >
> >This is the moderated mailing list freebsd-announce.
> >The list contains announcements of new FreeBSD capabilities,
> >important events and project milestones.
> >See also the FreeBSD Web pages at http://www.freebsd.org
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-announce" in the body of the message
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
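
The accounting error described in the quoted advisory (alignment padding not counted against the remaining buffer space), shown as an added C illustration. It is not part of the original message and is not FreeBSD's resolver code; the function names, the 4-byte alignment and the 16-byte buffer are assumptions made for the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ALIGN_TO sizeof(uint32_t)   /* assumed alignment for this sketch */
static size_t pad_for(size_t off) { return (ALIGN_TO - off % ALIGN_TO) % ALIGN_TO; }

/* Flawed accounting: 'left' shrinks by the record length only, so each padded
 * record overstates free space. Nothing is written; returns bytes past 'cap'. */
size_t overrun_without_padding_check(size_t cap, const size_t *lens, size_t n) {
    size_t off = 0, left = cap;
    for (size_t i = 0; i < n; i++) {
        off += pad_for(off);           /* cursor skips the padding ...   */
        if (lens[i] > left) break;     /* ... but the check never saw it */
        off += lens[i];
        left -= lens[i];
    }
    return off > cap ? off - cap : 0;
}

/* Corrected: free space is derived from the cursor, padding included.
 * Copies records into buf, returns how many fit; *used gets the end offset. */
size_t store_records(uint8_t *buf, size_t cap, const uint8_t *const *recs,
                     const size_t *lens, size_t n, size_t *used) {
    size_t off = 0, stored = 0;
    for (size_t i = 0; i < n; i++) {
        size_t pad = pad_for(off);
        if (pad > cap - off || lens[i] > cap - off - pad) break;
        memset(buf + off, 0, pad);     /* do not leave padding uninitialised */
        off += pad;
        memcpy(buf + off, recs[i], lens[i]);
        off += lens[i];
        stored++;
    }
    *used = off;
    return stored;
}

int main(void) {
    /* Constructed input: three 5-byte records into a 16-byte buffer. */
    const uint8_t rec[5] = {1, 2, 3, 4, 5};
    const uint8_t *recs[3] = {rec, rec, rec};
    const size_t lens[3] = {5, 5, 5};
    uint8_t buf[16];
    size_t used, n = store_records(buf, sizeof buf, recs, lens, 3, &used);
    printf("flawed: %zu bytes past the end; corrected: %zu records in %zu bytes\n",
           overrun_without_padding_check(sizeof buf, lens, 3), n, used);
    return 0;
}
```

With these inputs the flawed check accepts all three records because the six bytes of padding were never subtracted, while the corrected check stops after the second record.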