
Bug 398403 (CVE-2012-0206)

Summary: <net-dns/pdns-3.0.1: Denial of Service (CVE-2012-0206)
Product: Gentoo Security
Reporter: Marcel Pennewiß <gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gentoo, s.hoogeveen, swegener
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://doc.powerdns.com/powerdns-advisory-2012-01.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 398703
Bug Blocks:
Attachments (Description, Flags):
pdns-2.9.22-CVE-2012-0206.patch, none
pdns-2.9.22-r1.ebuild.patch, none

Description Marcel Pennewiß 2012-01-10 15:41:01 UTC
vulnerability causing temporary denial of service (see URL)

Reproducible: Always

Steps to Reproduce:
1. emerge pdns-2.9.22-r1
2. see URL for further details
Comment 1 Marcel Pennewiß 2012-01-10 15:41:48 UTC
Created attachment 298511
pdns-2.9.22-CVE-2012-0206.patch

patch for 2.9.22
Comment 2 Marcel Pennewiß 2012-01-10 15:44:39 UTC
Created attachment 298513
pdns-2.9.22-r1.ebuild.patch

patch for current ebuild
Comment 3 Agostino Sarubbo gentoo-dev 2012-01-10 17:12:39 UTC
fixed in: 2.9.22.5 or 3.0.1
Comment 4 Marcel Pennewiß 2012-01-11 10:17:30 UTC
ebuild and patches using 2.9.22.5:
https://subversion.fem.tu-ilmenau.de/repository/fem-overlay/trunk/net-dns/pdns/
Comment 5 Agostino Sarubbo gentoo-dev 2012-01-11 15:50:47 UTC
@swegener, I see the bump in tree, can we go to stabilize?
Comment 6 Sven Wegener gentoo-dev 2012-01-11 22:58:44 UTC
Yes, the only difference between 3.0 and 3.0.1 is the security fix and 3.0 has been in the tree long enough.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-01-12 06:58:57 UTC
Arches, please test and mark stable:
=net-dns/pdns-3.0.1
Target keywords : "amd64 x86"
Comment 8 Sebastiaan Hoogeveen 2012-01-12 11:46:45 UTC
Please note that net-dns/pdns-3.0 was not previously marked stable, and neither should 3.0.1 be imho. While the software runs ok the developers have indicated that it might not yet be suitable for full scale production use and have announced an updated 3.1 version addressing some important issues, see http://mailman.powerdns.com/pipermail/pdns-announce/2012-January/000150.html

It might be a better idea to apply the previously supplied patch and create a new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for now.
Comment 9 Marcel Pennewiß 2012-01-12 12:14:05 UTC
(In reply to comment #8)
> It might be a better idea to apply the previously supplied patch and create a
> new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for
> now.

Maybe using 2.9.22.5-tarball (which includes the patch already) can be a suitable solution. IMHO there should be a solution to quick-fix the security issue without upgrading to new version - as long as upstream supports also old version with security fixes...
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-12 17:30:05 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2012-01-12 17:38:27 UTC
@sebastiaan

Feel free to open a new bug with bump of 2.9 and request also a slot if it is possible
Comment 12 Sebastiaan Hoogeveen 2012-01-12 18:46:16 UTC
(In reply to comment #11)
> Feel free to open a new bug with bump of 2.9 and request also a slot if it is
> possible

I personally am happy not going through this exercise and apply the (very small) patch for 2.9.22 locally or install 2.9.22.5 from source, but stabilising PowerDNS 3.x at this point is imho ill-advised. PowerDNS 3.0 is very different internally from the 2.9 branch, dropping some things such as the LDAP backend from being officially supported.

I do not think Gentoo should force administrators to do a major upgrade of PowerDNS to apply a fix that consists of three lines of source code.
Comment 13 Sven Wegener gentoo-dev 2012-01-12 19:07:55 UTC
For those that want to stay at 2.9.22, I've just also committed 2.9.22.5.
Comment 14 Agostino Sarubbo gentoo-dev 2012-01-12 22:36:15 UTC
Since it is not a regression, I remove bug 398685 from "Depends on"
Comment 15 Marcel Pennewiß 2012-01-26 10:05:37 UTC
(In reply to comment #13)
> For those that want to stay at 2.9.22, I've just also committed 2.9.22.5.

Could you easily bump version to 2.9.22.6 while 2.9.22.5 includes a bug which can cause crashes on busy setup, see http://doc.powerdns.com/changelog.html#changelog-auth-2-9-22-6

Or should I better open a new bug?
Comment 16 Agostino Sarubbo gentoo-dev 2012-01-26 11:53:23 UTC
amd64 stable

@security: please vote.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2012-01-27 05:33:47 UTC
Thanks, folks. GLSA Vote: yes.
Comment 18 Sean Amoss gentoo-dev Security 2012-01-27 14:48:42 UTC
YES, too. New request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 04:55:17 UTC
CVE-2012-0206 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0206):
  common_startup.cc in PowerDNS (aka pdns) Authoritative Server before
  2.9.22.5 and 3.x before 3.0.1 allows remote attackers to cause a denial of
  service (packet loop) via a crafted UDP DNS response.
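
The CVE text in comment 19 describes a packet loop triggered by a DNS response. A minimal model of that failure mode and of a QR-bit gate that stops it follows, as an added example that is not taken from the patch attached to this bug or from PowerDNS code. The function names and the two-responder model are assumptions made for illustration; only the header layout comes from RFC 1035.

```python
import struct

DNS_HEADER_LEN = 12   # RFC 1035 section 4.1.1: fixed 12-byte header
QR_MASK = 0x8000      # top bit of the 16-bit flags word: 0 = query, 1 = response


def build_header(txid: int, is_response: bool) -> bytes:
    """Build a constructed 12-byte DNS header with all section counts zero."""
    flags = QR_MASK if is_response else 0
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


def should_answer(datagram: bytes) -> bool:
    """Gate for an authoritative listener: answer only well-formed queries."""
    if len(datagram) < DNS_HEADER_LEN:
        return False                      # truncated header, nothing to answer
    _txid, flags = struct.unpack_from("!HH", datagram)
    return not flags & QR_MASK            # a response must never trigger a reply


def reply_to(datagram: bytes, check_qr: bool):
    """Toy responder (hypothetical): echo the transaction ID in a response header.

    Returns None when the datagram is dropped.
    """
    if len(datagram) < DNS_HEADER_LEN:
        return None
    if check_qr and not should_answer(datagram):
        return None
    (txid,) = struct.unpack_from("!H", datagram)
    return build_header(txid, is_response=True)


def exchanges(first: bytes, check_qr: bool, limit: int = 100) -> int:
    """Count replies bounced between two identical responders, capped at limit."""
    count, packet = 0, first
    while count < limit:
        packet = reply_to(packet, check_qr)
        if packet is None:
            break
        count += 1
    return count
```

Without the gate the exchange only stops at the artificial `limit`; with it, a query gets exactly one reply and an incoming response gets none.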
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2012-02-22 20:49:47 UTC
This issue was resolved and addressed in
 GLSA 201202-04 at http://security.gentoo.org/glsa/glsa-201202-04.xml
by GLSA coordinator Sean Amoss (ackle).