Alejandro Mery
16 years ago
1 changed files with 58 additions and 0 deletions
Unified View
Diff Options
@ -0,0 +1,58 @@ |
|||||
|
# --- SDE-COPYRIGHT-NOTE-BEGIN --- |
||||
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch. |
||||
|
# |
||||
|
# Filename: package/.../djbdns/AXFR_vulnerability.patch |
||||
|
# Copyright (C) 2009 The OpenSDE Project |
||||
|
# |
||||
|
# More information can be found in the files COPYING and README. |
||||
|
# |
||||
|
# This patch file is dual-licensed. It is available under the license the |
||||
|
# patched project is licensed under, as long as it is an OpenSource license |
||||
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms |
||||
|
# of the GNU General Public License as published by the Free Software |
||||
|
# Foundation; either version 2 of the License, or (at your option) any later |
||||
|
# version. |
||||
|
# --- SDE-COPYRIGHT-NOTE-END --- |
||||
|
|
||||
|
Mailing-List: contact dns-help@list.cr.yp.to; run by ezmlm |
||||
|
Date: 4 Mar 2009 01:34:21 -0000 |
||||
|
Message-ID: <20090304013421.60368.qmail@cr.yp.to> |
||||
|
Mail-Followup-To: dns@list.cr.yp.to |
||||
|
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html. |
||||
|
From: "D. J. Bernstein" <djb@cr.yp.to> |
||||
|
To: dns@list.cr.yp.to |
||||
|
Subject: djbdns<=1.05 lets AXFRed subdomains overwrite domains |
||||
|
|
||||
|
If the administrator of example.com publishes the example.com DNS data |
||||
|
through tinydns and axfrdns, and includes data for sub.example.com |
||||
|
transferred from an untrusted third party, then that third party can |
||||
|
control cache entries for example.com, not just sub.example.com. This is |
||||
|
the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, |
||||
|
axfrdns compresses some outgoing DNS packets incorrectly.) |
||||
|
|
||||
|
Even though this bug affects very few users, it is a violation of the |
||||
|
expected security policy in a reasonable situation, so it is a security |
||||
|
hole in djbdns. Third-party DNS service is discouraged in the djbdns |
||||
|
documentation but is nevertheless supported. Dempsky is hereby awarded |
||||
|
$1000. |
||||
|
|
||||
|
The next release of djbdns will be backed by a new security guarantee. |
||||
|
In the meantime, if any users are in the situation described above, |
||||
|
those users are advised to apply Dempsky's patch and requested to accept |
||||
|
my apologies. The patch is also recommended for other users; it corrects |
||||
|
the bug without any side effects. A copy of the patch appears below. |
||||
|
|
||||
|
---D. J. Bernstein
|
||||
|
Research Professor, Computer Science, University of Illinois at Chicago |
||||
|
|
||||
|
--- ./response.c.orig 2009-03-05 22:16:18.000000000 +0200
|
||||
|
+++ ./response.c 2009-03-05 22:16:57.000000000 +0200
|
||||
|
@@ -34,7 +34,7 @@
|
||||
|
uint16_pack_big(buf,49152 + name_ptr[i]); |
||||
|
return response_addbytes(buf,2); |
||||
|
} |
||||
|
- if (dlen <= 128)
|
||||
|
+ if ((dlen <= 128) && (response_len < 16384))
|
||||
|
if (name_num < NAMES) { |
||||
|
byte_copy(name[name_num],dlen,d); |
||||
|
name_ptr[name_num] = response_len; |
||||