From 10a67fbfe09e5f997792ef2d5abd29707da411ef Mon Sep 17 00:00:00 2001 From: Alejandro Mery Date: Thu, 5 Mar 2009 22:23:45 +0200 Subject: [PATCH] djbdns: added upstream patch against a vulnerability in AXFR --- network/djbdns/AXFR_vulnerability.patch | 58 +++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 network/djbdns/AXFR_vulnerability.patch diff --git a/network/djbdns/AXFR_vulnerability.patch b/network/djbdns/AXFR_vulnerability.patch new file mode 100644 index 000000000..9a2ac5da2 --- /dev/null +++ b/network/djbdns/AXFR_vulnerability.patch @@ -0,0 +1,58 @@ +# --- SDE-COPYRIGHT-NOTE-BEGIN --- +# This copyright note is auto-generated by ./scripts/Create-CopyPatch. +# +# Filename: package/.../djbdns/AXFR_vulnerability.patch +# Copyright (C) 2009 The OpenSDE Project +# +# More information can be found in the files COPYING and README. +# +# This patch file is dual-licensed. It is available under the license the +# patched project is licensed under, as long as it is an OpenSource license +# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms +# of the GNU General Public License as published by the Free Software +# Foundation; either version 2 of the License, or (at your option) any later +# version. +# --- SDE-COPYRIGHT-NOTE-END --- + +Mailing-List: contact dns-help@list.cr.yp.to; run by ezmlm +Date: 4 Mar 2009 01:34:21 -0000 +Message-ID: <20090304013421.60368.qmail@cr.yp.to> +Mail-Followup-To: dns@list.cr.yp.to +Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html. +From: "D. J. Bernstein" +To: dns@list.cr.yp.to +Subject: djbdns<=1.05 lets AXFRed subdomains overwrite domains + +If the administrator of example.com publishes the example.com DNS data +through tinydns and axfrdns, and includes data for sub.example.com +transferred from an untrusted third party, then that third party can +control cache entries for example.com, not just sub.example.com. This is +the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, +axfrdns compresses some outgoing DNS packets incorrectly.) + +Even though this bug affects very few users, it is a violation of the +expected security policy in a reasonable situation, so it is a security +hole in djbdns. Third-party DNS service is discouraged in the djbdns +documentation but is nevertheless supported. Dempsky is hereby awarded +$1000. + +The next release of djbdns will be backed by a new security guarantee. +In the meantime, if any users are in the situation described above, +those users are advised to apply Dempsky's patch and requested to accept +my apologies. The patch is also recommended for other users; it corrects +the bug without any side effects. A copy of the patch appears below. + +---D. J. Bernstein + Research Professor, Computer Science, University of Illinois at Chicago + +--- ./response.c.orig 2009-03-05 22:16:18.000000000 +0200 ++++ ./response.c 2009-03-05 22:16:57.000000000 +0200 +@@ -34,7 +34,7 @@ + uint16_pack_big(buf,49152 + name_ptr[i]); + return response_addbytes(buf,2); + } +- if (dlen <= 128) ++ if ((dlen <= 128) && (response_len < 16384)) + if (name_num < NAMES) { + byte_copy(name[name_num],dlen,d); + name_ptr[name_num] = response_len;