From: "Andy Kosela"
Sender: andy.kosela@gmail.com
To: freebsd-security@freebsd.org
Date: Wed, 22 Oct 2008 10:49:21 +0200
Subject: [Fwd: Kaminsky redux - libspf2 dns parsing bug]

Some of you probably already heard about this...

From Kaminsky's http://www.doxpara.com/?p=1263

------

I really need to learn to leave DNS alone :)

DNS TXT Record Parsing Bug in LibSPF2

A relatively common bug parsing TXT records delivered over DNS, dating at least back to 2002 in Sendmail 8.2.0 and almost certainly much earlier, has been found in LibSPF2, a library frequently used to retrieve SPF (Sender Policy Framework) records and apply policy according to those records. This implementation flaw allows for relatively flexible memory corruption, and should thus be treated as a path to anonymous remote code execution.

Of particular note is that the remote code execution would occur on servers specifically designed to receive E-Mail from the Internet, and that these systems may in fact be high volume mail exchangers. This creates privacy implications. It is also the case that a corrupted email server is a useful "jumping off" point for attackers to corrupt desktop machines, since attachments can be corrupted with malware while the containing message stays intact. So there are internal security implications as well, above and beyond corruption of the mail server on the DMZ.

Apparently LibSPF2 is actually used to secure quite a bit of mail traffic – there's a lot of SPAM out there.
Fix is out, see http://www.libspf2.org/index.html or your friendly neighborhood distro.

Thanks to Shevek, CERT (VU#183657), Ken Simpson of MailChannels, Andre Engel, Scott Kitterman, and Hannah Schroeter for their help with this.

------

-- 
Andy Kosela
ora et labora
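Added example, not code from the post above or from libspf2: a bounds-checked parser for DNS TXT RDATA, the format the advisory concerns. The post does not say which check libspf2 got wrong, so this only shows the two checks any parser of length-prefixed character-strings needs (length octet against remaining RDATA, and against the caller's buffer); the sample records are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* DNS TXT RDATA is a run of <character-string>s, each a length octet
 * followed by that many bytes (RFC 1035 section 3.3.14). Concatenate them
 * into out as a NUL-terminated string. Returns bytes written, or -1 if a
 * length octet would overrun the RDATA or the output buffer. */
int parse_txt_rdata(const uint8_t *rdata, size_t rdlen, char *out, size_t outsz)
{
    size_t pos = 0, written = 0;
    if (outsz == 0) return -1;
    while (pos < rdlen) {
        size_t seglen = rdata[pos++];                 /* untrusted length octet, 0..255 */
        if (seglen > rdlen - pos) return -1;          /* claims bytes past end of RDATA */
        if (seglen > outsz - 1 - written) return -1;  /* would overflow out[] */
        memcpy(out + written, rdata + pos, seglen);
        written += seglen;
        pos += seglen;
    }
    out[written] = '\0';
    return (int)written;
}

/* Constructed sample records (not taken from any real zone). */
static const uint8_t GOOD[]     = {7,'v','=','s','p','f','1',' ', 4,'-','a','l','l'};
static const uint8_t OVERLONG[] = {200,'v','=','s'};   /* length octet exceeds data present */

static char good_buf[64];

int sample_good_len(void)          { return parse_txt_rdata(GOOD, sizeof GOOD, good_buf, sizeof good_buf); }
const char *sample_good_text(void) { sample_good_len(); return good_buf; }
int sample_overlong_len(void)      { char b[64]; return parse_txt_rdata(OVERLONG, sizeof OVERLONG, b, sizeof b); }
int sample_small_buf_len(void)     { char b[8];  return parse_txt_rdata(GOOD, sizeof GOOD, b, sizeof b); }

int main(void)
{
    printf("well-formed record: %d bytes \"%s\"\n", sample_good_len(), good_buf);
    printf("overlong length octet: %d\n", sample_overlong_len());
    printf("8-byte output buffer: %d\n", sample_small_buf_len());
    return 0;
}
```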