Bug 83851 - Update port: dns/dnrd Security update
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2005-07-21 15:00 UTC by Natanael Copa
Modified: 2005-07-21 16:43 UTC (History)
Attachments
dnrd-ports-2.19-2.19.1.diff (642 bytes, patch)
2005-07-21 15:00 UTC, Natanael Copa

Description Natanael Copa 2005-07-21 15:00:32 UTC
	Buffer and stack overflow in dnrd-2.19 and older.
	CAN-2005-2315
	CAN-2005-2316

How-To-Repeat: 	1) Buffer overflow (CAN-2005-2315)

	* create a buffer, a DNS packet, bigger than 268 (256+12) bytes.
	* Fill the buffer with random data.
	* Clear the Z and QR flags.
	* Send it to dnrd.
	* Repeat until dnrd dies.

	Impact : this could probably be exploited to perform remote execution.
	However, dnrd runs in a chroot environment and runs as non-root.

	2) Infinite recursion causes stack overflow (CAN-2005-2316)

	* Create a buffer, a DNS packet.
	* In the QNAME, use Message compression (see rfc 4.1.4). Set the 
	  pointer to point on another location in the buffer.
	* On this new location set another pointer to point back to the
	  original QNAME location. In other words, it's a circular buffer.

	Dnrd will recurse until the stack is overflowed.
	To reproduce #2 it's important to not have any valid digits between the
	loops. It must only contain pointers.

	Impact : crash -> DoS
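
An added example, not dnrd's code and not the patch attached to this report: an iterative DNS name decoder in C that cannot be driven into the pointer loop from item 2, because every compression pointer must target an offset below the start of the segment being read, and that bounds the decoded name before copying. The function name, the constants and the two sample messages are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_HDR_LEN  12   /* fixed DNS header size */
#define DNS_NAME_MAX 255  /* cap on the decoded name (assumption of this example) */

/* Decode the name at msg[off] into dotted text in out[outlen], without recursion.
 * Returns the text length, or -1 for truncated data, an over-long name, a reserved
 * label type, or a pointer whose target is not below the current segment start. */
int dns_name_decode(const uint8_t *msg, size_t msglen, size_t off,
                    char *out, size_t outlen)
{
    size_t n = 0;          /* bytes written to out so far */
    size_t limit = off;    /* a pointer must target an offset below this */

    for (;;) {
        if (off >= msglen) return -1;
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                 /* compression pointer */
            if (off + 1 >= msglen) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (target < DNS_HDR_LEN || target >= limit) return -1;
            limit = off = target;                   /* limit strictly decreases */
            continue;
        }
        if (len & 0xC0) return -1;                  /* reserved label types */
        if (len == 0) break;                        /* root label ends the name */
        if (off + 1 + len > msglen) return -1;      /* label runs past the packet */
        size_t need = n + (n ? 1 : 0) + len;        /* text length after this label */
        if (need > DNS_NAME_MAX || need >= outlen) return -1;
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off + 1, len);
        n += len;
        off += 1 + (size_t)len;
    }
    if (n >= outlen) return -1;                     /* no room for the terminator */
    out[n] = '\0';
    return (int)n;
}

/* Constructed samples: a zeroed 12-byte header, then name data from offset 12. */
static const uint8_t sample_ok[] = { 0,0,0,0,0,0,0,0,0,0,0,0,
    7,'e','x','a','m','p','l','e',3,'c','o','m',0, 3,'w','w','w',0xC0,12 };
static const uint8_t sample_loop[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,14, 0xC0,12 };

int main(void) {
    char name[256];  /* the circular QNAME must be rejected, not followed */
    return dns_name_decode(sample_loop, sizeof sample_loop, 12, name, sizeof name) == -1 ? 0 : 1;
}
```

Because `limit` only ever decreases, the number of pointer jumps is bounded by the message length, so no pointer-only chain can keep the decoder running.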
Comment 1 Pav Lucistnik freebsd_committer freebsd_triage 2005-07-21 16:43:10 UTC
State Changed
From-To: open->closed

Committed, thanks!