Bug 147007

Summary: net/mDNSResponder resolv.conf parsing has a buffer overflow, also leaks fd
Product: Ports & Packages
Reporter: Juli Mallett <jmallett>
Component: Individual Port(s)
Assignee: Rene Ladan <rene>
Status: Closed FIXED
Severity: Affects Only Me
CC: bsdashsan
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments:
Description Flags
file.diff none

Description Juli Mallett freebsd_committer 2010-05-26 06:07:50 UTC
mdnsd will crash on some systems with a corrupt stack and once that's fixed it will still leak a file descriptor when parsing resolv.conf.  The crash is because scanf is used with %10s for a buffer that is only 10 chars long.  The buffer size needs increased to 11 chars to hold the trailing NUL.  To fix the leak, an fclose needs added.

Fix: Apply attached patch in mDNSPosix.

Patch attached with submission follows:
How-To-Repeat: Run mdnsd on an unlucky system.
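
The off-by-one and the descriptor leak described in the report, shown as an added example; this is not the attached patch and not mDNSResponder's own code. The function names, the sample file contents and the /tmp path are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <strings.h>
#include <unistd.h>

/* Hypothetical helper: count "nameserver" lines in a resolv.conf-style
 * file. Returns -1 if the file cannot be opened. */
int count_nameservers(const char *path)
{
    char line[256];
    /* %10s stores up to 10 characters AND a terminating NUL, so the
     * destination needs 11 bytes. "nameserver" is itself 10 characters,
     * so with char keyword[10] an ordinary line already writes one byte
     * past the end of the buffer. */
    char keyword[10 + 1];
    char addr[15 + 1];            /* same rule for %15s */
    int count = 0;
    FILE *fp = fopen(path, "r");

    if (fp == NULL) return -1;
    while (fgets(line, sizeof line, fp) != NULL) {
        if (sscanf(line, "%10s %15s", keyword, addr) == 2 &&
            strcasecmp(keyword, "nameserver") == 0)
            count++;
    }
    fclose(fp);                   /* omitting this leaks one fd per parse */
    return count;
}

/* Lowest unused descriptor number; it rises if a previous call leaked one. */
int lowest_free_fd(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0) close(fd);
    return fd;
}

/* Constructed sample input; the third line has a token longer than 10 chars. */
int write_sample(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs("domain example.test\nnameserver 192.0.2.1\n"
          "sortlist_padding_token 192.0.2.0\nnameserver 192.0.2.2\n", fp);
    return fclose(fp);
}

int main(void)
{
    const char *path = "/tmp/resolv.conf.example";   /* assumed writable */
    if (write_sample(path) != 0) return 1;
    printf("nameservers: %d\n", count_nameservers(path));
    return remove(path);
}
```

Building the unfixed variant (`char keyword[10]`) with `-fsanitize=address` reports the one-byte stack write on the first `nameserver` line, which is a quicker check than waiting for a crash that depends on stack layout.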
Comment 1 Rene Ladan freebsd_committer 2010-06-15 20:50:20 UTC
Responsible Changed
From-To: freebsd-ports-bugs->rene

Grab, superseded by ports/147657?
Comment 2 Rene Ladan freebsd_committer 2010-06-22 17:25:59 UTC
The problem report is still valid.

Can you point to a CVE entry so that I can write a VuXML entry?
I didn't find any entries relating to this problem at
http://web.nvd.nist.gov/view/vuln/search-results?cid=3

Rene
Comment 3 Rene Ladan freebsd_committer 2010-06-22 17:26:45 UTC
State Changed
From-To: open->feedback

Waiting for CVE entry, not in the National Vulnerability Database.
Comment 4 dfilter service freebsd_committer 2010-06-27 22:14:42 UTC
rene        2010-06-27 21:14:28 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Document mDNSResponder -- corrupted stack crash when parsing bad resolv.conf
  
  This only happens on a system where one has a system where
  resolv.conf is writable by an untrusted user or where mdnsd is setuid
  and can be tricked into opening an alternate resolv.conf.
  PR:             ports/147007
  Submitted by:   jmallett@
  Approved by:    tabthorpe (mentor)
  Feature safe:   yes
  
  Revision  Changes    Path
  1.2174    +32 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 5 dfilter service freebsd_committer 2010-08-01 20:12:27 UTC
rene        2010-08-01 19:12:18 UTC

  FreeBSD ports repository

  Modified files:
    net/mDNSResponder    Makefile distinfo 
  Added files:
    net/mDNSResponder/files mdnsd.in patch-mDNSPosix_mDNSPosix.c 
  Removed files:
    net/mDNSResponder/files mdnsd.sh.in 
  Log:
  - Fix a potential buffer overflow and file descriptor leak. [1]
  - Update to 214.3 [2]
  - Rename mdnsd.sh to mdnsd [2]
  - Remove duplicate MAKE_JOBS_UNSAFE [2]
  - Simplify manpage installation [2]
  - Pass maintainership to submitter [2]
  
  PR:     ports/147007 [1]
          ports/147657 [2]
  Submitted by:   jmallett [1]
                  Sunpoet Po-Chuan Hsieh [sunpoet sunpoet.net] [2]
  Approved by:    tabthorpe (mentor)
  Security:       ports/147007
  
  Revision  Changes    Path
  1.26      +16 -25    ports/net/mDNSResponder/Makefile
  1.8       +3 -3      ports/net/mDNSResponder/distinfo
  1.1       +22 -0     ports/net/mDNSResponder/files/mdnsd.in (new)
  1.7       +0 -19     ports/net/mDNSResponder/files/mdnsd.sh.in (dead)
  1.1       +19 -0     ports/net/mDNSResponder/files/patch-mDNSPosix_mDNSPosix.c (new)
Comment 6 Rene Ladan freebsd_committer 2010-08-01 20:13:13 UTC
State Changed
From-To: feedback->closed

Committed, thanks