A bug exists in the parsing of DNS responses in libevent, specifically in the handling of label pointers. Label pointers in DNS are meant to cut down on redundant information and overall response size by allowing a label to reference an arbitrary byte offset in the packet. If a pointer references its own offset, a pointer loop is formed. libevent's parsing code does not properly handle such pointer loops.

Impact
======

A malicious resolver, authoritative server, or inline attacker can send a DNS reply containing a pointer loop, causing libevent's DNS parsing to enter an endless loop, effectively DoS'ing the service.

Resolution
==========

Applications utilizing the DNS resolution functionality of libevent should upgrade to version >= 1.3.

Reproducible: Didn't try

http://monkey.org/~provos/libevent/
http://seclists.org/fulldisclosure/2007/Feb/0423.html
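To make the bug class concrete, here is an added example (written for this page; it is not libevent's code and not part of the advisory) of a DNS name decoder that cannot be driven into an endless loop. The function name dns_expand_name, the helpers, and the sample packet bytes are all constructed for the example. The guard is the one RFC 1035 implies: a compression pointer must refer to an earlier offset in the packet, so every hop strictly decreases the read position and the walk has to terminate. The constructed packet contains an uncompressed name, a legitimately compressed one, the self-referencing pointer described above, and a two-node pointer cycle, so the decoder's behaviour on each can be checked.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035 limit on a wire-format name */

/*
 * Expand a possibly compressed DNS name starting at pkt[off] into dotted
 * text in out. Returns the number of bytes the name occupies at the
 * original position (what a caller skips to reach the next field), or -1
 * for malformed input: truncation, an over-long name, a reserved label
 * type, or a pointer that does not point strictly backwards. The
 * backwards-only rule is what rules out pointer loops: a self-referencing
 * or forward pointer is rejected before it is followed.
 */
int dns_expand_name(const uint8_t *pkt, size_t len, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, outpos = 0, wirelen = 0, consumed = 0;
    int jumped = 0;

    if (outlen == 0)
        return -1;
    for (;;) {
        if (pos >= len)
            return -1;                        /* ran off the packet */
        uint8_t c = pkt[pos];
        if ((c & 0xC0) == 0xC0) {             /* compression pointer */
            if (pos + 1 >= len)
                return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            if (target >= pos)
                return -1;                    /* self or forward pointer: loop risk */
            if (!jumped) {
                consumed = pos + 2 - off;     /* the pointer ends the name here */
                jumped = 1;
            }
            pos = target;
            continue;
        }
        if (c & 0xC0)
            return -1;                        /* 0x40 / 0x80: reserved label types */
        if (c == 0) {                         /* root label terminates the name */
            if (!jumped)
                consumed = pos + 1 - off;
            out[outpos] = '\0';
            return (int)consumed;
        }
        /* ordinary label of c bytes (c <= 63 because the top bits are clear) */
        if (pos + 1 + c > len)
            return -1;
        wirelen += 1 + c;
        if (wirelen + 1 > DNS_MAX_NAME)
            return -1;
        size_t need = outpos + (outpos ? 1 : 0) + c + 1;  /* dot, label, NUL */
        if (need > outlen)
            return -1;
        if (outpos)
            out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos + 1, c);
        outpos += c;
        pos += 1 + c;
    }
}

/* Constructed sample response (not a capture): a 12-byte header, one plain
 * name, one legitimately compressed name, and the loop shapes under test. */
static const uint8_t sample_pkt[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,              /* 0: header, contents unused */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e',
    3, 'c', 'o', 'm', 0,                             /* 12: www.example.com */
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10,               /* 29: mail + pointer -> 16 */
    0xC0, 0x24,                                      /* 36: pointer -> 36 (self loop) */
    0xC0, 0x28,                                      /* 38: pointer -> 40 */
    0xC0, 0x26,                                      /* 40: pointer -> 38 (2-node loop) */
    0xC0, 0x0C,                                      /* 42: pointer -> 12 */
};

/* Helpers so the outcome at each offset can be checked by name. */
int sample_result(size_t off)
{
    char buf[DNS_MAX_NAME + 1];
    return dns_expand_name(sample_pkt, sizeof sample_pkt, off, buf, sizeof buf);
}

const char *sample_name(size_t off)
{
    static char buf[DNS_MAX_NAME + 1];
    if (dns_expand_name(sample_pkt, sizeof sample_pkt, off, buf, sizeof buf) < 0)
        return "<malformed>";
    return buf;
}

int main(void)
{
    size_t offs[] = { 12, 29, 36, 38, 40, 42 };
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++)
        printf("offset %2zu: rc=%2d name=%s\n", offs[i],
               sample_result(offs[i]), sample_name(offs[i]));
    return 0;
}
```

Offsets 12, 29 and 42 decode to www.example.com, mail.example.com and www.example.com respectively; offsets 36, 38 and 40 are rejected immediately rather than spinning. Some decoders use a hop counter instead of the backwards-only rule, which also terminates but tolerates the non-standard forward pointers that the stricter check refuses.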
I bumped this to 1.3a in portage.
Cool, thanks.
don't forget to let arches stable the package before you go to glsa? status ;-) b3 or b4?
In x86: Fails tests:

>>> Source compiled.
 * Building tests
make: Nothing to be done for `test'.
 * Running tests
type: 1, count: 1, ttl: 300: 152.160.49.201
type: 1, count: 1, ttl: 300: 152.160.49.201
type: 1, count: 1, ttl: 300: 152.160.49.201
Running tests:
KQUEUE
Skipping test
DEVPOLL
Skipping test
POLL
test-eof: OKAY
test-weof: OKAY
test-time: OKAY
regress: FAILED
SELECT
test-eof: OKAY
test-weof: OKAY
test-time: OKAY
regress: FAILED
RTSIG
Skipping test
EPOLL
test-eof: OKAY
test-weof: OKAY
test-time: OKAY
regress: FAILED

!!! ERROR: dev-libs/libevent-1.3a failed.
Call stack:
  ebuild.sh, line 1614:   Called dyn_test
  ebuild.sh, line 1026:   Called qa_call 'src_test'
  environment, line 1525:   Called src_test
dev-libs/libevent-1.3a
1. emerges on x86
2. passes test suite
3. passes collision test
4. net-misc/memcached-1.1.12-r2 emerges with it

Portage 2.1.2-r9 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19.3 i686)
=================================================================
System uname: 2.6.19.3 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 23 Feb 2007 10:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts unicode vcd vorbis win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Created attachment 111039 [details, diff]
regress_dns.patch

The test fails if the user has no IPv6 support. So please apply this patch dependent on USE=ipv6.
x86 stable
Stable for HPPA.
SPARC stable
dev-libs/libevent-1.3a stable on ppc64
ppc stable
alpha stable
amd64 stable
Created attachment 111966 [details]
My emerge --info

emerge --info
Portage 2.1.2-r13 (default-linux/x86/dev/2007.0/desktop, gcc-4.1.2, glibc-2.5-r0, 2.6.20-gentoo i686)
=================================================================
System uname: 2.6.20-gentoo i686 Pentium III (Coppermine)
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 03 Mar 2007 02:30:01 +0000
dev-java/java-config: 1.3.7, 2.0.31-r3
dev-lang/python:     2.4.4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.20-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -mfpmath=sse,387 -fomit-frame-pointer -ftracer -msse -mmmx -s -O2 -pipe -fstack-protector -DNDEBUG"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=pentium3 -mfpmath=sse,387 -fomit-frame-pointer -ftracer -msse -mmmx -s -O2 -pipe -fstack-protector -DNDEBUG"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict tbz2"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="pl_PL"
LC_ALL="pl_PL"
LINGUAS="pl"
MAKEOPTS="-j2 -s"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acpi alsa berkdb bitmap-fonts cairo cli cracklib crypt cups dbus dri dvdr dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gpm gstreamer hal iconv isdnlog java jpeg kde kerberos libclamav libg++ mad midi mikmod mmx mp3 mpeg ncurses nls nptl nptlonly oav ogg opengl oss pam pcre pdf perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl session spell spl sse ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts unicode vorbis win32codecs x86 xml xorg xv zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="pl" USERLAND="GNU" VIDEO_CARDS="i810 vesa"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
My problem looks almost the same as yours, but I can't compile my libevent-1.3a. I'm using Gentoo without IPv6, but the result with IPv6 is the same as without ...

(cd .libs && rm -f libevent-1.3a.so.1 && ln -s libevent-1.3a.so.1.0.3 libevent-1.3a.so.1)
(cd .libs && rm -f libevent.so && ln -s libevent-1.3a.so.1.0.3 libevent.so)
i686-pc-linux-gnu-ar cru .libs/libevent.a event.o buffer.o evbuffer.o log.o event_tagging.o http.o evdns.o strlcpy.o select.o poll.o epoll.o signal.o
i686-pc-linux-gnu-ranlib .libs/libevent.a
creating libevent.la
(cd .libs && rm -f libevent.la && ln -s ../libevent.la libevent.la)
Making all in sample
mkdir .libs
i686-pc-linux-gnu-gcc -I../compat -o .libs/event-test event-test.o ../.libs/libevent.so
../.libs/libevent.so: undefined reference to `debug_ntoa'
collect2: ld returned 1 exit status
make[2]: *** [event-test] Error 1
make[2]: *** Waiting for unfinished jobs....
i686-pc-linux-gnu-gcc -I../compat -o .libs/time-test time-test.o ../.libs/libevent.so
../.libs/libevent.so: undefined reference to `debug_ntoa'
collect2: ld returned 1 exit status
make[2]: *** [time-test] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

!!! ERROR: dev-libs/libevent-1.3a failed.
Call stack:
  ebuild.sh, line 1614:   Called dyn_compile
  ebuild.sh, line 971:   Called qa_call 'src_compile'
  environment, line 1526:   Called src_compile
  ebuild.sh, line 645:   Called die
Late. Time to vote. I vote no
@karaluch: please file a new bug since you work with ~x86 which is not security-"supported".
voting no.
Closing without GLSA then. Thanks everybody
arm/ia64/s390 done