Date: Thu, 21 Jul 2005 15:57:29 +0200 (CEST) From: Natanael Copa <ncopa@users.sourceforge.net> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/83851: Update port: dns/dnrd Security update Message-ID: <200507211357.j6LDvTXo005024@vmfreebsd.nor.wtbts.org> Resent-Message-ID: <200507211400.j6LE0XxI026313@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 83851
>Category: ports
>Synopsis: Update port: dns/dnrd Security update
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 21 14:00:32 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Natanael Copa
>Release: FreeBSD 5.4-RELEASE i386
>Organization:
>Environment:
System: FreeBSD vmfreebsd.example.com 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Buffer and stack overflow in dnrd-2.19 and older.
CAN-2005-2315
CAN-2005-2316
>How-To-Repeat:
1) Buffer overflow (CAN-2005-2315)
* create a buffer, a DNS packet, bigger than 268 (256+12) bytes.
* Fill the buffer with random data.
* Clear the Z and QR flags.
* Send it to dnrd.
* Repeat til dnrd dies.
Impact : this could probably be exploited to perform remote execution.
However, dnrd runs in an chroot environment and runs as non-root.
2) Infinite recursion causes stack overflow (CAN-2005-2316)
* Create a buffer, a DNS packet.
* in the QNAME, use Message compression (see rfc 4.1.4). Set the
pointer to point on another location in the buffer.
* On this new location set another pointer to point pack to the
original QNAME location. In other words, its a circular buffer.
Dnrd will recurse until the stack is overflowed.
To reproduce #2 its important to not have any valid digits between the
loops. It must only contain pointers.
Impact : crash -> DoS
>Fix:
--- dnrd-ports-2.19-2.19.1.diff begins here ---
diff -bruN dnrd.orig/Makefile dnrd/Makefile
--- dnrd.orig/Makefile Tue Jul 19 14:04:35 2005
+++ dnrd/Makefile Tue Jul 19 14:04:52 2005
@@ -6,7 +6,7 @@
#
PORTNAME= dnrd
-PORTVERSION= 2.19
+PORTVERSION= 2.19.1
CATEGORIES= dns
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= dnrd
diff -bruN dnrd.orig/distinfo dnrd/distinfo
--- dnrd.orig/distinfo Tue Jul 19 14:04:35 2005
+++ dnrd/distinfo Thu Jul 21 15:25:47 2005
@@ -1,2 +1,2 @@
-MD5 (dnrd-2.19.tar.gz) = b8749250450f7d8de9a51af035e009eb
-SIZE (dnrd-2.19.tar.gz) = 156241
+MD5 (dnrd-2.19.1.tar.gz) = 58de30f0b09e333ca008444ca25848bc
+SIZE (dnrd-2.19.1.tar.gz) = 157686
--- dnrd-ports-2.19-2.19.1.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200507211357.j6LDvTXo005024>