Bug 131341 - net-dns/pdnsd < 1.2.4 vulnerable to DoS and possible arbitrary code execution (CVE-2006-2076, CVE-2006-2077)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.niscc.gov.uk/niscc/docs/re...
Whiteboard: B1 [glsa]
Reported: 2006-04-26 07:31 UTC by Daniel Black (RETIRED)
Modified: 2006-11-11 20:09 UTC
Runtime testing required: ---

Attachments
pdnsd.strace (5.63 KB, text/plain), 2006-04-26 20:15 UTC, Thomas Cort (RETIRED)
pdnsd-dbg_file.patch (942 bytes, text/plain), 2006-04-26 20:41 UTC, Thomas Cort (RETIRED)

Description Daniel Black (RETIRED) gentoo-dev 2006-04-26 07:31:34 UTC
1.2.4 is in portage and requires alpha and amd64 keywords to be stable.
Comment 1 Thomas Cort (RETIRED) gentoo-dev 2006-04-26 09:45:05 UTC
I tried this on alpha and src_test failed...

>>> Source compiled.
  7968    1 drwxrwsr-x   4 root     portage       216 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp
1588602    4 -rw-------   1 root     portage         6 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pid
1588589    1 drwxr-sr-x   2 root     portage       144 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd
1588605    0 srw-------   1 root     portage         0 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd/pdnsd.status
1588600    4 -rw-r--r--   1 root     portage         8 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd/pdnsd.cache
1588603    4 -rw-------   1 root     portage       292 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd/pdnsd.debug
177927    1 drwxrwxr-x   2 root     portage        80 Apr 26 12:41 /var/tmp/portage/pdnsd-1.2.4/temp/logging
179402    4 -rw-r--r--   1 root     root          238 Apr 26 12:41 /var/tmp/portage/pdnsd-1.2.4/temp/logging/setup.INFO
181123  104 -rw-rw-r--   1 portage  portage    105816 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/environment
1588601    4 -rw-r--r--   1 root     portage       427 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd.conf.test
179370    4 -rw-rw-r--   1 root     portage       836 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/eclass-debug.log
Error: could not open socket /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd/pdnsd.status: Connection refused

!!! ERROR: net-dns/pdnsd-1.2.4 failed.
Call stack:
  ebuild.sh, line 1525:   Called dyn_test
  ebuild.sh, line 976:   Called src_test
  pdnsd-1.2.4.ebuild, line 62:   Called die
# emerge --info
Portage 2.1_pre9-r4 (default-linux/alpha/no-nptl/2.4, gcc-3.4.6, glibc-2.3.6-r3, 2.4.32 alpha)
=================================================================
System uname: 2.4.32 alpha EV56
Gentoo Base System version 1.12.0_pre16
dev-lang/python:     2.3.5, 2.4.2-r1
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.4.26-r1
ACCEPT_KEYWORDS="alpha ~alpha"
AUTOCLEAN="yes"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.mirrored.ca/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/java-experimental"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="alpha X aac aalib aim alsa apache2 artworkextra async audacious audiofile bash-completion berkdb binfilter bitmap-fonts bittorrent bl bonjour c++ cairo calendar cdinstall cdparanoia cdr cdrom chroot cli config_wizard cracklib crypt cscope csv ctype cups curl curlwrappers cvs cvsgraph dhcp dillo dri editor eds elf encode epiphany escreen esd ethereal extraicons extras ffmpeg fftw figlet firefox flac ftp gdb gdbm gif glep gnome gnutls gpm grammar gsl gstreamer gtalk gtk gtk2 gtkspell gvim gzip html icq id3 imlib ipv6 jabber javascript jpeg justify ladspa lame libg++ libsexy libwww lite lj logrotate lua mad mapeditor md5sum mikmod motif moznoirc moznomail moznoroaming mozsha1 mp3 mpeg mpeg2 mplayer msn msnextras music ncurses net nethack nls offensive ogg oggvorbis opengl openssh openssl oscar oss pam pcre pdflib perl png python quicktime quotes readline recode reflection reiserfs scp screen sdl session sftp skins sndfile sockets sounds sox speech spell spl ssl subversion symlink syslog tcpd threads truetype truetype-fonts type1-fonts userlocales vcd videos vim vim-with-x vorbis wma wma123 xml xml2 xmlreader xmms xorg xv xvid yahoo zip zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2006-04-26 10:15:21 UTC
Fixed in CVS. I had to use yet another sleep. :(
Comment 3 Thomas Cort (RETIRED) gentoo-dev 2006-04-26 12:16:49 UTC
amd64 done.
Comment 4 Thomas Cort (RETIRED) gentoo-dev 2006-04-26 20:15:57 UTC
Created attachment 85581 [details]
pdnsd.strace

With FEATURES="test" it fails on alpha with a segfault. The tests passed on amd64, but for some reason on the 2 alpha systems I tried it on the DEBUG preprocessor macro is defined as 1 and caused a problem. In src/error.c:log_message (where the segfault occurs), if DEBUG > 0 it sets f (the FILE pointer for logging a message) to dbg_file. dbg_file gets opened after init_tcp_socket, and in init_tcp_socket messages are logged, so messages are fprintf'd to an uninitialized file pointer. This can be fixed in a number of different ways: 1) open dbg_file sooner (before any functions that call log_message are called), 2) define DEBUG 0, 3) set the file pointer to always be stderr. Obviously the 1st choice is the best. I'm working on a patch; I'll attach it soon. Cheers!

(gdb) set args -c "/var/tmp/portage/pdnsd-1.2.4/temp/pdnsd.conf.test" -g -s -d -p "/var/tmp/portage/pdnsd-1.2.4/temp/pid"
(gdb) run
Starting program: /var/tmp/portage/pdnsd-1.2.4/work/pdnsd-1.2.4/src/pdnsd -c "/var/tmp/portage/pdnsd-1.2.4/temp/pdnsd.conf.test" -g -s -d -p "/var/tmp/portage/pdnsd-1.2.4/temp/pid"
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 15602)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 15602)]
0x00000200001370fc in vfprintf () from /lib/libc.so.6.1
(gdb) bt
#0  0x00000200001370fc in vfprintf () from /lib/libc.so.6.1
#1  0x000002000013ffb4 in fprintf () from /lib/libc.so.6.1
#2  0x00000001200172d8 in log_message ()
#3  0x0000000120010470 in init_tcp_socket ()
#4  0x0000000120019ef8 in final_init ()
#5  0x000000012001a488 in main ()
(gdb)
Comment 5 Thomas Cort (RETIRED) gentoo-dev 2006-04-26 20:41:24 UTC
Created attachment 85584 [details]
pdnsd-dbg_file.patch

This patch fixes pdnsd so that it opens the debug file *before* attempting to write to it. With this patch applied all tests passed on the two alphas I tried it with.
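A constructed C stand-in (added here; not pdnsd's source and not the attached patch) for the init-order defect Comment 4 describes and the two remedies the thread names: opening the debug sink before anything logs (option 1, what the patch does) and refusing to hand vfprintf an unopened FILE pointer (option 3, as a safety net). Function names mirror the backtrace but their bodies are assumptions, and tmpfile() stands in for pdnsd.debug.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for pdnsd's logger: with DEBUG > 0 it writes to
 * dbg_file, which the unpatched code opened only after init_tcp_socket()
 * had already logged, so vfprintf() ran on a NULL FILE pointer. */
#define DEBUG 1
static FILE *dbg_file = NULL;   /* NULL until open_debug_file() runs */

/* Safety net (option 3 in the thread): fall back to stderr until the
 * debug file exists instead of handing vfprintf a NULL stream. */
static FILE *log_target(void)
{
    if (DEBUG > 0 && dbg_file != NULL)
        return dbg_file;
    return stderr;
}

static void log_message(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(log_target(), fmt, ap);   /* crash site in the backtrace */
    va_end(ap);
    fflush(log_target());
}

/* The fix the patch takes (option 1): open the debug sink before anything
 * logs. tmpfile() stands in for pdnsd.debug so this runs anywhere. */
static int open_debug_file(void)
{
    dbg_file = tmpfile();
    return dbg_file != NULL;
}

static void init_tcp_socket(void)   /* stand-in: logs as part of its work */
{
    log_message("init_tcp_socket: listening on tcp port %d\n", 53);
}

/* Copy what reached the debug file into buf; returns bytes copied. */
static size_t debug_file_contents(char *buf, size_t len)
{
    if (dbg_file == NULL) return 0;
    fflush(dbg_file);
    rewind(dbg_file);
    size_t n = fread(buf, 1, len - 1, dbg_file);
    buf[n] = '\0';
    return n;
}
```

Calling init_tcp_socket() before open_debug_file() is now harmless (the message lands on stderr); calling them in the patched order puts it in the debug file.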
Comment 6 Alin Năstac (RETIRED) gentoo-dev 2006-04-27 00:03:59 UTC
Fixed in -r1, which has been submitted as stable on x86.
The committed patch is an improved version of Thomas's patch.
Comment 7 Thomas Cort (RETIRED) gentoo-dev 2006-04-27 04:50:58 UTC
pdnsd-1.2.4-r1: alpha and amd64 stable.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2006-04-27 07:56:48 UTC
sparc stable.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-04-28 10:56:35 UTC
Rating and everything
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-29 02:01:50 UTC
ppc stable
Comment 11 Alin Năstac (RETIRED) gentoo-dev 2006-05-01 14:30:28 UTC
I think security could vote on GLSA. Now the stable version on any arch is >=1.2.4.
Sorry for hijacking this bug :(
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2006-05-02 09:25:52 UTC
Alin: heh, want to do security bugwrangling in your spare time?
I tend to vote yes for DoS on DNS server.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-02 09:52:32 UTC
Half YES from me too.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-05 13:39:04 UTC
Yes for me.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-05 21:18:42 UTC
Let's have a GLSA then.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-07 08:58:03 UTC
Adding CVE ids. Note that one concerns a buffer overflow, so we might have to reevaluate the B3 rating.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-07 13:13:34 UTC
Let's vote? I would vote for B1.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2006-05-08 08:36:13 UTC
This should definitely get B1/High
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2006-05-08 10:34:38 UTC
GLSA 200605-08
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2006-05-08 10:44:30 UTC
Oops. GLSA 200605-08 is not about that. Reopening.
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-09 22:14:25 UTC
GLSA 200605-10

arm and s390 don't forget to mark stable to benefit from the GLSA.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-09 22:42:06 UTC
And now closing.