Date: 5 Mar 2009 17:47:21 -0500
From: Howard Goldstein <hg@queue.to>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/132349: dns/djbdns (PATCH) dns/djbdns authority poisoning
Message-ID: <20090305224721.99422.qmail@cally.queue.to>
Resent-Message-ID: <200903052320.n25NK2CR024913@freefall.freebsd.org>
>Number: 132349 >Category: ports >Synopsis: dns/djbdns (PATCH) dns/djbdns authority poisoning >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Mar 05 23:20:02 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Howard Goldstein >Release: FreeBSD 7.1-STABLE i386 >Organization: >Environment: System: FreeBSD cally.queue.to 7.1-STABLE FreeBSD 7.1-STABLE #0: Mon Feb 16 12:31:40 EST 2009 hg@cally.queue.to:/usr/obj/usr/src/sys/CALLY i386 >Description: Dempsky reports and DJB confirms authority poisoning vulnerability in some tinydns/axfrdns configurations. See for ex. http://article.gmane.org/gmane.comp.security.bugtraq/39157 Maintainer, please update. Thanks! >How-To-Repeat: See Dempsky's bugtraq email >Fix: # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # dns/djbdns/files/patch-dempsky.response-boundsck # echo x - dns/djbdns/files/patch-dempsky.response-boundsck sed 's/^X//' >dns/djbdns/files/patch-dempsky.response-boundsck << 'aa16f48be84c6056ed15e3d3ca7179c8' X--- response.c.orig 2001-02-11 16:11:45.000000000 -0500 X+++ response.c 2009-03-05 17:15:10.000000000 -0500 X@@ -34,7 +34,7 @@ X uint16_pack_big(buf,49152 + name_ptr[i]); X return response_addbytes(buf,2); X } X- if (dlen <= 128) X+ if ((dlen <= 128) && (response_len < 16384)) X if (name_num < NAMES) { X byte_copy(name[name_num],dlen,d); X name_ptr[name_num] = response_len; aa16f48be84c6056ed15e3d3ca7179c8 exit >Release-Note: >Audit-Trail: >Unformatted:
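Review bot: the new `response_len < 16384` test added to the `dlen <= 128` condition in response.c uses a bare constant with no comment, and neither the patch file nor the PR text says why that value was chosen. It follows from the context line `uint16_pack_big(buf,49152 + name_ptr[i])`: 49152 + 16384 is 65536, so any offset of 16384 or more stored by `name_ptr[name_num] = response_len` would no longer fit the 16-bit value packed there. Suggest a named constant or a one-line comment tying the limit to that pointer encoding, so the relationship stays obvious if either line changes. The shell archive also contains only files/patch-dempsky.response-boundsck, so the port will need a PORTREVISION bump committed with it for installed copies to be rebuilt.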