From owner-freebsd-security Fri May 12 00:24:01 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id AAA13104 for security-outgoing; Fri, 12 May 1995 00:24:01 -0700
Received: from marble.eps.nagoya-u.ac.jp (marble.eps.nagoya-u.ac.jp [133.6.57.68]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id AAA13096 for ; Fri, 12 May 1995 00:23:59 -0700
Received: from marble.eps.nagoya-u.ac.jp (localhost [127.0.0.1]) by marble.eps.nagoya-u.ac.jp (8.6.12+2.4W/3.3W9) with ESMTP id QAA02498 for ; Fri, 12 May 1995 16:23:59 +0900
Message-Id: <199505120723.QAA02498@marble.eps.nagoya-u.ac.jp>
To: FreeBSD-security@FreeBSD.org
Subject: DNS Security Hole
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Date: Fri, 12 May 1995 16:23:58 +0900
From: KATO Takenori
Sender: security-owner@FreeBSD.org
Precedence: bulk

The resolver in FreeBSD 2.0 Release and FreeBSD-current doesn't support the "SUNSECURITY" option, which appears in BIND-4.9.2, so I made a patch to support this option. The code in this patch is derived from BIND-4.9.3-BETA17, and its fatal bug is fixed.

-------- BEGIN ----------
*** lib/libc/Makefile.orig Mon May 8 23:56:11 1995 --- lib/libc/Makefile Tue May 9 15:05:09 1995 *************** *** 8,14 **** LIB=c SHLIB_MAJOR= 2 SHLIB_MINOR= 1 ! CFLAGS+=-DLIBC_RCS -DSYSLIBC_RCS AINC= -I${.CURDIR}/${MACHINE} CLEANFILES+=tags INSTALL_PIC_ARCHIVE= yes --- 8,14 ---- LIB=c SHLIB_MAJOR= 2 SHLIB_MINOR= 1 ! 
CFLAGS+=-DLIBC_RCS -DSYSLIBC_RCS -DSUNSECURITY AINC= -I${.CURDIR}/${MACHINE} CLEANFILES+=tags INSTALL_PIC_ARCHIVE= yes *** lib/libc/net/gethostnamadr.c.orig Mon May 8 23:41:11 1995 --- lib/libc/net/gethostnamadr.c Tue May 9 17:24:10 1995 *************** *** 37,42 **** --- 37,46 ---- #include #include #include + #ifdef SUNSECURITY + #include + #include + #endif extern struct hostent * _gethostbyhtname __P((const char *)); extern struct hostent * _gethostbydnsname __P((const char *)); *************** *** 156,161 **** --- 160,171 ---- { struct hostent *hp = 0; int nserv = 0; + #ifdef SUNSECURITY + struct hostent *rhp = 0; + char **haddr; + char hname2[MAXDNAME+1]; + char *addr2; + #endif if (!service_done) init_services(); *************** *** 176,181 **** --- 186,213 ---- } nserv++; } + #ifdef SUNSECURITY + /* + * turn off search as the name should be absolute, + * 'localhost' should be matched by defnames + */ + strncpy(hname2, hp->h_name, MAXDNAME); + hname2[MAXDNAME] = '\0'; + /* if (!(rhp = gethostbyname(hp->h_name))) { ORIGINAL BUG */ + if (!(rhp = gethostbyname(hname2))) { + syslog(LOG_NOTICE|LOG_AUTH, + "gethostbyaddr: No A record for %s (verifying [%s])", + hname2, inet_ntoa(*((struct in_addr *)addr))); + return (NULL); + } + for (haddr = rhp->h_addr_list; *haddr; haddr++) + if (memcmp(*haddr, + addr, INADDRSZ)== 0) + return hp; + syslog(LOG_NOTICE|LOG_AUTH, + "gethostbyaddr: A record of %s != PTR record [%s]", + hname2, inet_ntoa(*((struct in_addr *)addr))); + return (NULL); + #endif return hp; } *** lib/libresolv/Makefile.orig Tue May 9 00:48:56 1995 --- lib/libresolv/Makefile Tue May 9 00:49:19 1995 *************** *** 1,7 **** # @(#)Makefile 8.1 (Berkeley) 6/4/93 LIB=resolv ! CFLAGS+=-DDEBUG -DLIBC_SCCS .PATH: ${.CURDIR}/../libc/net --- 1,7 ---- # @(#)Makefile 8.1 (Berkeley) 6/4/93 LIB=resolv ! CFLAGS+=-DDEBUG -DLIBC_SCCS -DSUNSECURITY .PATH: ${.CURDIR}/../libc/net ---------- END ---------- ---------------- KATO Takenori Dept. Earth Planet. Sci. 
Nagoya Univ. Nagoya 464-01 Japan E-mail: kato@eclogite.eps.nagoya-u.ac.jp
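
Review bot: In the lib/libc/net/gethostnamadr.c hunk at 186,213, `strncpy(hname2, hp->h_name, MAXDNAME);` dereferences `hp` without a NULL check, although `hp` is initialised to 0 at the top of the function and the code that used to follow the loop was a plain `return hp;`. Unless the part of the loop not shown here guarantees a non-null `hp`, a reverse lookup that no service answers would dereference a null pointer inside the new block; an early `if (hp == NULL) return (NULL);` before the copy would cover it. Separately, the comment says search is turned off because the name should be absolute, but no line in the hunk changes any resolver option before `gethostbyname(hname2)` is called, so either the option handling is missing or the comment should be reworded. The block also assumes an IPv4 address (`INADDRSZ`, the cast to `struct in_addr *`), which is worth stating in the comment.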
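
Review bot: `char *addr2;` in the declarations hunk at 160,171 of lib/libc/net/gethostnamadr.c is not used by any line this patch adds; only `rhp`, `haddr` and `hname2` appear in the verification block. Dropping the declaration avoids an unused-variable warning when SUNSECURITY is defined.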
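
Review bot: `-DSUNSECURITY` is appended to CFLAGS unconditionally in the lib/libc/Makefile hunk at 8,14 (and again in lib/libresolv/Makefile), so every build gets a gethostbyaddr that returns NULL and writes a LOG_NOTICE|LOG_AUTH syslog entry whenever the forward lookup of the returned name does not contain the queried address. That is a behaviour change for all callers and it comes with no documentation; a short comment next to the flag, plus a note in the gethostbyaddr manual page describing the new failure case and the log messages, would let administrators recognise it. Making the define a build-time knob rather than a fixed flag would also let sites with incomplete forward zones opt out.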