Alejandro Mery
16 years ago
1 changed files with 58 additions and 0 deletions
@ -0,0 +1,58 @@ |
|||||||
|
# --- SDE-COPYRIGHT-NOTE-BEGIN ---
|
||||||
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
|
||||||
|
#
|
||||||
|
# Filename: package/.../djbdns/AXFR_vulnerability.patch
|
||||||
|
# Copyright (C) 2009 The OpenSDE Project
|
||||||
|
#
|
||||||
|
# More information can be found in the files COPYING and README.
|
||||||
|
#
|
||||||
|
# This patch file is dual-licensed. It is available under the license the
|
||||||
|
# patched project is licensed under, as long as it is an OpenSource license
|
||||||
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
|
||||||
|
# of the GNU General Public License as published by the Free Software
|
||||||
|
# Foundation; either version 2 of the License, or (at your option) any later
|
||||||
|
# version.
|
||||||
|
# --- SDE-COPYRIGHT-NOTE-END ---
|
||||||
|
|
||||||
|
Mailing-List: contact dns-help@list.cr.yp.to; run by ezmlm
|
||||||
|
Date: 4 Mar 2009 01:34:21 -0000
|
||||||
|
Message-ID: <20090304013421.60368.qmail@cr.yp.to>
|
||||||
|
Mail-Followup-To: dns@list.cr.yp.to
|
||||||
|
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
|
||||||
|
From: "D. J. Bernstein" <djb@cr.yp.to>
|
||||||
|
To: dns@list.cr.yp.to
|
||||||
|
Subject: djbdns<=1.05 lets AXFRed subdomains overwrite domains
|
||||||
|
|
||||||
|
If the administrator of example.com publishes the example.com DNS data
|
||||||
|
through tinydns and axfrdns, and includes data for sub.example.com
|
||||||
|
transferred from an untrusted third party, then that third party can
|
||||||
|
control cache entries for example.com, not just sub.example.com. This is
|
||||||
|
the result of a bug in djbdns pointed out by Matthew Dempsky. (In short,
|
||||||
|
axfrdns compresses some outgoing DNS packets incorrectly.)
|
||||||
|
|
||||||
|
Even though this bug affects very few users, it is a violation of the
|
||||||
|
expected security policy in a reasonable situation, so it is a security
|
||||||
|
hole in djbdns. Third-party DNS service is discouraged in the djbdns
|
||||||
|
documentation but is nevertheless supported. Dempsky is hereby awarded
|
||||||
|
$1000.
|
||||||
|
|
||||||
|
The next release of djbdns will be backed by a new security guarantee.
|
||||||
|
In the meantime, if any users are in the situation described above,
|
||||||
|
those users are advised to apply Dempsky's patch and requested to accept
|
||||||
|
my apologies. The patch is also recommended for other users; it corrects
|
||||||
|
the bug without any side effects. A copy of the patch appears below.
|
||||||
|
|
||||||
|
---D. J. Bernstein
|
||||||
|
Research Professor, Computer Science, University of Illinois at Chicago
|
||||||
|
|
||||||
|
--- ./response.c.orig 2009-03-05 22:16:18.000000000 +0200
|
||||||
|
+++ ./response.c 2009-03-05 22:16:57.000000000 +0200
|
||||||
|
@@ -34,7 +34,7 @@
|
||||||
|
uint16_pack_big(buf,49152 + name_ptr[i]);
|
||||||
|
return response_addbytes(buf,2);
|
||||||
|
}
|
||||||
|
- if (dlen <= 128)
|
||||||
|
+ if ((dlen <= 128) && (response_len < 16384))
|
||||||
|
if (name_num < NAMES) {
|
||||||
|
byte_copy(name[name_num],dlen,d);
|
||||||
|
name_ptr[name_num] = response_len;
|
||||||
Loading…
Reference in new issue