Bug 83851

Summary: Update port: dns/dnrd Security update
Product: Ports & Packages
Reporter: Natanael Copa <ncopa>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
dnrd-ports-2.19-2.19.1.diff none

Description Natanael Copa 2005-07-21 15:00:32 UTC
	Buffer and stack overflow in dnrd-2.19 and older.
	CAN-2005-2315
	CAN-2005-2316

How-To-Repeat: 	1) Buffer overflow (CAN-2005-2315)

	* create a buffer, a DNS packet, bigger than 268 (256+12) bytes.
	* Fill the buffer with random data.
	* Clear the Z and QR flags.
	* Send it to dnrd.
	* Repeat until dnrd dies.

	Impact : this could probably be exploited to perform remote execution.
	However, dnrd runs in a chroot environment and runs as non-root.

	2) Infinite recursion causes stack overflow (CAN-2005-2316)

	* Create a buffer, a DNS packet.
	* In the QNAME, use Message compression (see rfc 4.1.4). Set the 
	  pointer to point on another location in the buffer.
	* On this new location set another pointer to point back to the
	  original QNAME location. In other words, it's a circular buffer.

	Dnrd will recurse until the stack is overflowed.
	To reproduce #2 it's important to not have any valid digits between the
	loops. It must only contain pointers.

	Impact : crash -> DoS
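
A defensive parsing sketch for the compression-pointer loop described in the report above, added here as an example; it is not dnrd's code and not the fix in the attached diff. The function name, the hop cap and both sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DNS_MAX_NAME 255  /* upper bound on name length (RFC 1035: 255 octets) */
#define DNS_MAX_HOPS 16   /* assumed cap on pointers followed per name */
/* Constructed samples: 12-byte header, then name data. */
static const uint8_t sample_ok[] = { 0,0,0,0,0,0,0,0,0,0,0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* offset 12 */
    3,'w','w','w', 0xC0,0x0C };                        /* offset 25, pointer to 12 */
static const uint8_t sample_loop[] = { 0,0,0,0,0,0,0,0,0,0,0,0,
    0xC0,0x0E, 0xC0,0x0C };   /* 12 -> 14 -> 12, pointers only */

/* Expand the name at msg[off] into dotted text in out. Returns the text
 * length, or -1 if malformed. Iterative, so a cycle cannot grow the stack. */
int dns_expand_name(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outsz)
{
    size_t n = 0; int hops = 0;   /* chars written, pointers followed */
    for (;;) {
        if (off >= len) return -1;                    /* read past the packet */
        uint8_t c = msg[off];
        if ((c & 0xC0) == 0xC0) {                     /* compression pointer */
            if (off + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            if (target >= off) return -1;             /* must point backwards */
            if (++hops > DNS_MAX_HOPS) return -1;     /* bounds label+pointer loops */
            off = target; continue;
        }
        if (c & 0xC0) return -1;                      /* reserved label type */
        if (c == 0) break;                            /* root label ends the name */
        if (off + 1 + c > len) return -1;             /* label overruns packet */
        size_t need = n + (n ? 1 : 0) + c;
        if (need > DNS_MAX_NAME || need + 1 > outsz) return -1;
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off + 1, c);
        n += c;
        off += 1 + (size_t)c;
    }
    if (n + 1 > outsz) return -1;
    out[n] = '\0';
    return (int)n;
}
int main(void) {
    char buf[256];
    printf("%d\n", dns_expand_name(sample_ok, sizeof sample_ok, 25, buf, sizeof buf));
    printf("%d\n", dns_expand_name(sample_loop, sizeof sample_loop, 12, buf, sizeof buf));
    return 0;
}
```

The backward-only rule rejects a pointers-only cycle on the first hop; the hop cap and the length bound stop loops that pass through a label on each turn.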
Comment 1 Pav Lucistnik freebsd_committer freebsd_triage 2005-07-21 16:43:10 UTC
State Changed
From-To: open->closed

Committed, thanks!