| Field | Value |
|---|---|
| Summary: | net-dns/pdnsd < 1.2.4 vulnerable to DoS and possible arbitrary code execution (CVE-2006-207{6\|7}) |
| Product: | Gentoo Security |
| Reporter: | Daniel Black (RETIRED) <dragonheart> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | major |
| CC: | net-dialup, tcort |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en |
| Whiteboard: | B1 [glsa] |
| Package list: | |
| Runtime testing required: | --- |
| Attachments: | |
Description
Daniel Black (RETIRED)
I tried this on alpha and src_test failed...

```
>>> Source compiled.
7968 1 drwxrwsr-x 4 root portage 216 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp
1588602 4 -rw------- 1 root portage 6 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pid
1588589 1 drwxr-sr-x 2 root portage 144 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd
1588605 0 srw------- 1 root portage 0 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd/pdnsd.status
1588600 4 -rw-r--r-- 1 root portage 8 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd/pdnsd.cache
1588603 4 -rw------- 1 root portage 292 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd/pdnsd.debug
177927 1 drwxrwxr-x 2 root portage 80 Apr 26 12:41 /var/tmp/portage/pdnsd-1.2.4/temp/logging
179402 4 -rw-r--r-- 1 root root 238 Apr 26 12:41 /var/tmp/portage/pdnsd-1.2.4/temp/logging/setup.INFO
181123 104 -rw-rw-r-- 1 portage portage 105816 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/environment
1588601 4 -rw-r--r-- 1 root portage 427 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd.conf.test
179370 4 -rw-rw-r-- 1 root portage 836 Apr 26 12:44 /var/tmp/portage/pdnsd-1.2.4/temp/eclass-debug.log
Error: could not open socket /var/tmp/portage/pdnsd-1.2.4/temp/pdnsd/pdnsd.status: Connection refused

!!! ERROR: net-dns/pdnsd-1.2.4 failed.
Call stack:
  ebuild.sh, line 1525:   Called dyn_test
  ebuild.sh, line 976:   Called src_test
  pdnsd-1.2.4.ebuild, line 62:   Called die
```

# emerge --info

```
Portage 2.1_pre9-r4 (default-linux/alpha/no-nptl/2.4, gcc-3.4.6, glibc-2.3.6-r3, 2.4.32 alpha)
=================================================================
System uname: 2.4.32 alpha EV56
Gentoo Base System version 1.12.0_pre16
dev-lang/python:     2.3.5, 2.4.2-r1
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.4.26-r1
ACCEPT_KEYWORDS="alpha ~alpha"
AUTOCLEAN="yes"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.mirrored.ca/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/java-experimental"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="alpha X aac aalib aim alsa apache2 artworkextra async audacious audiofile bash-completion berkdb binfilter bitmap-fonts bittorrent bl bonjour c++ cairo calendar cdinstall cdparanoia cdr cdrom chroot cli config_wizard cracklib crypt cscope csv ctype cups curl curlwrappers cvs cvsgraph dhcp dillo dri editor eds elf encode epiphany escreen esd ethereal extraicons extras ffmpeg fftw figlet firefox flac ftp gdb gdbm gif glep gnome gnutls gpm grammar gsl gstreamer gtalk gtk gtk2 gtkspell gvim gzip html icq id3 imlib ipv6 jabber javascript jpeg justify ladspa lame libg++ libsexy libwww lite lj logrotate lua mad mapeditor md5sum mikmod motif moznoirc moznomail moznoroaming mozsha1 mp3 mpeg mpeg2 mplayer msn msnextras music ncurses net nethack nls offensive ogg oggvorbis opengl openssh openssl oscar oss pam pcre pdflib perl png python quicktime quotes readline recode reflection reiserfs scp screen sdl session sftp skins sndfile sockets sounds sox speech spell spl ssl subversion symlink syslog tcpd threads truetype truetype-fonts type1-fonts userlocales vcd videos vim vim-with-x vorbis wma wma123 xml xml2 xmlreader xmms xorg xv xvid yahoo zip zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS
```

fixed in cvs. I had to use yet another sleep. :(

amd64 done.

Created attachment 85581 [details]
pdnsd.strace
With FEATURES="test" it fails on alpha with a segfault. The tests passed on amd64, but for some reason on the 2 alpha systems I tried it on the DEBUG preprocessor macro is defined as 1 and caused a problem. In src/error.c:log_message (where the segfault occurs), if DEBUG > 0 it sets f (the FILE pointer for logging a message) to dbg_file. dbg_file gets opened after init_tcp_socket, and in init_tcp_socket messages are logged, so messages are fprintf'd to an uninitialized file pointer. This can be fixed in a number of different ways:

1) open dbg_file sooner (before any functions that call log_message are called)
2) define DEBUG 0
3) set the file pointer to always be stderr

Obviously the 1st choice is the best. I'm working on a patch, I'll attach it soon. Cheers!
```
(gdb) set args -c "/var/tmp/portage/pdnsd-1.2.4/temp/pdnsd.conf.test" -g -s -d -p "/var/tmp/portage/pdnsd-1.2.4/temp/pid"
(gdb) run
Starting program: /var/tmp/portage/pdnsd-1.2.4/work/pdnsd-1.2.4/src/pdnsd -c "/var/tmp/portage/pdnsd-1.2.4/temp/pdnsd.conf.test" -g -s -d -p "/var/tmp/portage/pdnsd-1.2.4/temp/pid"
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 15602)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 15602)]
0x00000200001370fc in vfprintf () from /lib/libc.so.6.1
(gdb) bt
#0  0x00000200001370fc in vfprintf () from /lib/libc.so.6.1
#1  0x000002000013ffb4 in fprintf () from /lib/libc.so.6.1
#2  0x00000001200172d8 in log_message ()
#3  0x0000000120010470 in init_tcp_socket ()
#4  0x0000000120019ef8 in final_init ()
#5  0x000000012001a488 in main ()
(gdb)
```
Created attachment 85584 [details]
pdnsd-dbg_file.patch
This patch fixes pdnsd so that it opens the debug file *before* attempting to write to it. With this patch applied all tests passed on the two alphas I tried it with.
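The initialisation-order defect behind the backtrace above, and the fix the patch takes (option 1: open the debug file before anything logs), as an added stand-alone C model. This is illustrative code, not pdnsd's source and not the attached patch; the names log_message, init_tcp_socket and final_init follow the backtrace, while open_debug_file, the NULL-sink guard and the fallback counter are assumptions made for the example. The logger here is also hardened so that a NULL FILE* is never handed to fprintf, which is the check a reviewer would want regardless of call order.

```c
#include <stdio.h>

/* Model of the initialisation-order bug discussed in this bug report
 * (illustrative, not pdnsd's source). log_message, init_tcp_socket and
 * final_init mirror the backtrace; open_debug_file, the guard and the
 * counters are assumptions for this example. */
#ifndef DEBUG
#define DEBUG 1            /* the alpha builds had DEBUG defined as 1 */
#endif

static FILE *dbg_file = NULL;   /* NULL until open_debug_file() has run */
static int dbg_fallbacks = 0;   /* messages logged before the sink existed */

/* Guarded logger: never passes a NULL FILE* to fprintf. With DEBUG > 0 it
 * prefers dbg_file but falls back to stderr (and counts it) while the
 * debug file is not open yet. The unguarded original dereferenced the
 * NULL pointer inside vfprintf, which is the SIGSEGV in the backtrace. */
int log_message(const char *msg)
{
    FILE *f = stderr;
    if (DEBUG > 0) {
        if (dbg_file != NULL)
            f = dbg_file;
        else
            dbg_fallbacks++;
    }
    return fprintf(f, "%s\n", msg) < 0 ? -1 : 0;
}

/* Opens the debug sink. A NULL path uses a temporary file so the example
 * runs anywhere; the real daemon would open its configured debug file. */
int open_debug_file(const char *path)
{
    dbg_file = path ? fopen(path, "w") : tmpfile();
    return dbg_file ? 0 : -1;
}

/* Stands in for the real init_tcp_socket(): it logs while setting up. */
int init_tcp_socket(void)
{
    return log_message("init_tcp_socket: listening socket ready");
}

/* Order as in the failing build: log first, open the debug file afterwards. */
int final_init_buggy(const char *dbg_path)
{
    if (init_tcp_socket() != 0)      /* logs while dbg_file is still NULL */
        return -1;
    return open_debug_file(dbg_path);
}

/* Fixed order (option 1 in the comments): the sink exists before anything logs. */
int final_init_fixed(const char *dbg_path)
{
    if (open_debug_file(dbg_path) != 0)
        return -1;
    return init_tcp_socket();
}

int debug_fallback_count(void) { return dbg_fallbacks; }

void reset_debug_state(void)
{
    if (dbg_file != NULL)
        fclose(dbg_file);
    dbg_file = NULL;
    dbg_fallbacks = 0;
}

int main(void)
{
    reset_debug_state();
    final_init_buggy(NULL);
    printf("buggy order: %d message(s) logged before the debug file was open\n",
           debug_fallback_count());
    reset_debug_state();
    final_init_fixed(NULL);
    printf("fixed order: %d message(s) logged before the debug file was open\n",
           debug_fallback_count());
    reset_debug_state();
    return 0;
}
```

With the buggy order the guard reports one early message (the original code would have crashed at that point); with the fixed order the count is zero, which is the property the attached patch restores. Keeping the guard as well means a future reordering of final_init degrades to a stderr message instead of a crash.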
fixed in -r1, which has been submitted as stable on x86. the committed patch is an improved version of the Thomas patch.

pdnsd-1.2.4-r1: alpha and amd64 stable.

sparc stable.

Rating and everything

ppc stable

I think security could vote on GLSA. Now the stable version on any arch is >=1.2.4. Sorry for hijacking this bug :(

Alin: heh, want to do security bugwrangling in your spare time ? I tend to vote yes for DoS on DNS server.

Half YES from me too.

yes for me

Let's have a GLSA then.

Adding CVE ids. Note that one concerns a buffer overflow, so we might have to reevaluate the B3 rating. let's vote ? i would vote for B1

This should definitely get B1/High

GLSA 200605-08

Oops. GLSA 200605-08 is not about that. Reopening.

GLSA 200605-10

arm and s390 don't forget to mark stable to benefit from the GLSA.

And now closing.