Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 176130

Summary: net-dns/mydns-1.1.0 remote heap overflow (CVE-2007-2362)
Product: Gentoo Security Reporter: mu-b <mu-b>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ember, lars, matsuu
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/25007/
Whiteboard: B3 [noglsa] jaervosz
Package list:
Runtime testing required: ---

Description mu-b 2007-04-26 15:11:22 UTC
The attached PoC causes a remote heap smash in mydns 1.1.0, the bug is found
within the dynamic update code (update.c). Exploitation requires update privs
(which tends not to matter too much if you know an IP address with
privileges to do so), also allow-update = yes must be set in /etc/mydns.conf. 
The attached patch also fixes an stack based off-by-one overflow in update.c.

Example :-
0xb7f27410 in __kernel_vsyscall
    ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0805d0e2 in ?? ()
(gdb) x/i $eip
0x805d0e2 <strcpy@plt+73534>:   rep movsb %ds:(%esi),%es:(%edi)

PoC: http://www.digit-labs.org/files/exploits/mydns-rr-smash.c
Patch: http://www.digit-labs.org/files/patches/mydns-update.c.diff

Reproducible: Always

Steps to Reproduce:
Comment 1 Jonathan Smith (RETIRED) gentoo-dev 2007-04-27 20:17:33 UTC
*** Bug 176281 has been marked as a duplicate of this bug. ***
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-30 09:34:10 UTC
Thx for the notification mu-b.

Matsuu please advise and patch as necessary.
Comment 3 MATSUU Takuto (RETIRED) gentoo-dev 2007-04-30 10:33:35 UTC
mydns-1.1.0-r1 in cvs. the patch is from debian.

http://packages.debian.org/unstable/net/mydns-mysql
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-30 12:26:33 UTC
Thx for the quick response Matsuu.

Arches please test and mark stable. Target keywords are:

mydns-1.1.0-r1.ebuild:KEYWORDS="alpha ~amd64 ~hppa ia64 ~ppc sparc x86"
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2007-04-30 15:07:18 UTC
ia64 + x86 stable
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-02 13:52:07 UTC
sparc stable.
Comment 7 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-05-02 16:22:41 UTC
alpha stable.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 18:52:02 UTC
This one is ready for GLSA vote. I tend to vote NO.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-03 18:49:59 UTC
/vote NO.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-08 18:13:43 UTC
vote no too - feel free to reopen if you disagree
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-17 14:33:52 UTC
*** Bug 202571 has been marked as a duplicate of this bug. ***