Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 231285

Summary: net-dns/pdnsd < 1.2.7 cache-posoning and p_exec_query DoS (CVE-2008-1447,CVE-2008-4194)
Product: Gentoo Security Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: net-dialup
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Description Flags
pdnsd.conf none

Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-09 10:58:23 UTC
As a caching DNS server, posadis might be affected by the issue too.

Does it use port randomization?

Using this bug to collect information, so we won't forget about it.
Comment 1 Alin Năstac (RETIRED) gentoo-dev 2008-07-09 18:50:26 UTC
net-dialup/pdnsd is very well designed. It uses a random port - more exactly the port is picked up randomly from a configurable port range - and the transaction ID is also selected randomly.
This is based on my personal analysis of the source code.

If it were my bug I would have close it as INVALID, but since it isn't, I let security team deal with it. ;)
Comment 2 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2008-07-27 09:14:03 UTC
my understanding is, that only dns caches/resolvers are affected by this vulnerability. AFAIK net-dns/pdnsd is a authoritative nameserver only and thus not affected. 

net-dns/pdns-recursor (the resolver from the people behind pdns) might be affected, however.
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2008-07-27 17:28:17 UTC
Nope, net-dialup/pdnsd is not an authoritative nameserver. This quote is taken from the home page:
pdnsd is a proxy DNS server with permanent caching (the cache contents are written to hard disk on exit) that is designed to cope with unreachable or down DNS servers (for example in dial-in networking).

But since it uses random port numbers as well as random transaction IDs, this piece of software is not affected by the VU#800113 issue.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-06 21:01:03 UTC
quoting homepage: 
"Version 1.2.7-par has been released:
Foremost, this release fixes some security problems. It contains a fix for a "dangling pointer" bug that could cause pdnsd to crash when it received a long reply. It also addresses some of the issues raised in the CERT vulnerability note VU#800113 by making the default of query_port_start equal to 1024, thereby ensuring that source ports are randomly selected by the pdnsd resolver in the range 1024-65535 [...]"

net-dialup, please bump as necessary.
Comment 5 Alin Năstac (RETIRED) gentoo-dev 2008-09-07 10:13:57 UTC
Fixed in cvs.
Arch teams, please stabilize net-dns/pdnsd-1.2.7.
Comment 6 Markus Meier gentoo-dev 2008-09-07 13:17:23 UTC
amd64/x86 stable
Comment 7 Friedrich Oslage (RETIRED) gentoo-dev 2008-09-07 14:58:40 UTC
On sparc: I have 1.2.6-r1 running and it's working fine. After upgrading to 1.2.7(same use-flags, same config) I get "Could not bind to socket: Permission denied" but /var/cache/pdnsd/pdnsd.status is read- and writeable by pdnsd. If I run it as root I get "Out of ports in the range 1024-65535, dropping query!" and it's unable to resolve any domains at all.

# emerge --info
Portage (default-linux/sparc/sparc64/2008.0/server, gcc-4.1.2, glibc-2.6.1-r0, 2.6.25-gentoo-r7 sparc64)
System uname: 2.6.25-gentoo-r7 sparc64 sun4u
Timestamp of tree: Sun, 07 Sep 2008 11:36:01 +0000
app-shells/bash:     3.2_p33
dev-lang/python:     2.5.2-r6
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
CFLAGS="-mcpu=ultrasparc -O2 -pipe"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-mcpu=ultrasparc -O2 -pipe"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox strict test unmerge-orphans userfetch userpriv usersandbox"
LINGUAS="en de"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="apache2 caps cli cracklib cups dri extensions fortran gdbm gpm hpn iconv ipv6 isdnlog logrotate mailwrapper midi mudflap ncurses nls nptl nptlonly openmp pcre ppds pppd qos reflection server session snmp sparc spl ssl symlink tftp threads truetype unicode userlocales vim xml xorg" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias proxy proxy_balancer proxy_connect proxy_ftp proxy_http" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LINGUAS="en de" USERLAND="GNU"
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-09-09 10:22:43 UTC
alpha stable
Comment 9 Alin Năstac (RETIRED) gentoo-dev 2008-09-10 20:14:59 UTC
(In reply to comment #7)
> On sparc: I have 1.2.6-r1 running and it's working fine. After upgrading to
> 1.2.7(same use-flags, same config) I get "Could not bind to socket: Permission
> denied" but /var/cache/pdnsd/pdnsd.status is read- and writeable by pdnsd. If I
> run it as root I get "Out of ports in the range 1024-65535, dropping query!"
> and it's unable to resolve any domains at all.

Which query port range do you use? Attach here a basic config file that doesn't work for you.
Comment 10 Friedrich Oslage (RETIRED) gentoo-dev 2008-09-13 09:51:29 UTC
Created attachment 165323 [details]

It's almost the pdnsd.conf.sample file, all I change is the myisp ip.

if run_as is set to pdnsd:
pdnsd[8053]: Could not bind to socket: Permission denied

if run_as is set to root:
Out of ports in the range 1024-65535, dropping query!

However, if I start "pdnsd --debug" without a config file it works but since it's almost the default config...
Comment 11 Alin Năstac (RETIRED) gentoo-dev 2008-09-13 20:12:00 UTC
The problem lies in -a command line option. When IPv6 support is enabled in your kernel, it will set run_ipv4 to 0, which disables IPv4 support.

It is not a bug, only a default network protocol in case both of them are enabled. Just replace -a option with -4 or switch off ipv6 USE flag for this package.
Comment 12 Friedrich Oslage (RETIRED) gentoo-dev 2008-09-13 21:04:12 UTC
Ah, so it's just me beeing stupid, well, sparc stable then :)
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 12:29:38 UTC
There's also a DoS issue fixed in 1.2.7

2) An error exists within the "p_exec_query()" function in src/dns_query.c when processing long replies with many answer sections. This can be exploited to e.g. crash the service by sending a specially crafted reply.

The vulnerabilities are reported in versions prior to version 1.2.7-par.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-19 18:41:33 UTC
ppc stable
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-21 11:45:58 UTC
Ready for vote, I vote YES.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-09-24 15:44:40 UTC
CVE-2008-4194 (
  The p_exec_query function in src/dns_query.c in pdnsd before
  1.2.7-par allows remote attackers to cause a denial of service
  (daemon crash) via a long DNS reply with many entries in the answer
  section, related to a "dangling pointer bug."

Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:15:16 UTC
YES, filed
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2009-01-05 11:14:38 UTC
arm/s390 stable
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2009-01-11 00:48:58 UTC
GLSA 200901-03