Natanael Copa, the DNRD maintainer, warned me about two overflows in DNRD <= 2.19, a package that is ~ in Gentoo Portage. Impact: remote code execution (with non-root rights in a chroot). This won't result in any GLSA as the package is ~. Natanael will provide us advance access to the new release tarballs and maybe an updated ebuild. I'll ask for CAN numbers from MITRE. When I get them, we'll forward this to vendor-sec for coordinated disclosure, in case any of the v-s members ships it.
(In reply to comment #0)
> I'll ask for CAN numbers from MITRE. When I get them, we'll forward this to
> vendor-sec for coordinated disclosure, in case any of the v-s members ships it.
I have the tarball ready, but I'd like to include the CAN number in the ChangeLog. I will wait with posting the updated tarball so I can include the CAN number there - unless you would like to have the tarball now. Thanks!
Created attachment 63776: dnrd-2.19.1.ebuild. I can upload the ebuild while waiting for the CAN number and tarball.
Created attachment 63777: files/dnrd. The /etc/init.d/dnrd script for the dnrd-2.19.1 ebuild. (It's the same as https://bugs.gentoo.org/attachment.cgi?id=63368 from #83281) I posted this since this bug should close #83281.
I asked MITRE for the CAN numbers. Natanael: since the package is ~ we won't do much preparation until this is public. So once you get the CAN numbers you can decide on a release date that I will communicate to vendor-sec (like +48 hours). Ccing our dnrd maintainer so that he knows about the problem. btw chris, you can re-add yourself to the metadata.xml :)
Use CAN-2005-2315 for the buffer overflow. Use CAN-2005-2316 for the infinite recursion. Natanael: are you OK with Thursday, July 21, 1400 UTC for public release? I'll forward the issue to vendor-sec (with you in cc:) if that date is OK with you.
Thursday 21 July 1200 UTC would give me 3 hours instead of 1 before I leave work, just in case. If that causes any problem for you (or for anyone else) 1400 UTC is just fine. Thank you very much for your help.
Created attachment 63816: dnrd-2.19.1.tar.gz. This is the tarball that will be officially distributed so you have a chance to test it before the official disclosure.
v-s has been warned. Embargo set to Thursday 21 July 1200 UTC
The ebuild is ready. I'm ready to commit whenever anyone wants to give the heads up. Stable x86 is ready on that as well.
No need for stable x86, seems to only have been ~. If you want ppc to test for the ~ppc flag please attach the updated ebuild to this bug. Otherwise we'll wait a few hours with the commit.
Created attachment 63948: dnrd-2.19.1.ebuild. The ebuild
Anarchy has volunteered to handle the ~ppc marking, as my pegasos is pretty outdated... I'll keep it ~x86 for the time being.
~ppc is good to go.
dnrd-2.19.1 is officially released and can be committed to portage. It could be an idea to mask <net-dns/2.19.1 also. Thanks everyone!
(In reply to comment #14)
> It could be an idea to mask <net-dns/2.19.1 also.
I meant <net-dns/dnrd-2.19.1 of course.
This is now public -> opening. Thx Natanael. ChrisW please do the magic.
Updated, removed older versions, saved the whales, etc.
ChrisW et al++ Since this is ~ -> closing with NO GLSA.