| Summary: | net-misc/dyndnsupdate remote vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Toby Dickenson <toby> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | security-audit |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | B2 [glsa masked removed] koon | | |
| Package list: | | Runtime testing required: | --- |

Description
Toby Dickenson
2005-03-09 13:00:00 UTC
1. I have been unable to contact upstream author; registrations of domains for contact email addresses have lapsed.
2. Googling suggests that no other distributions are including this package.
3. There is already a viable alternative to this package in portage; net-dns/ddclient

I suggest adding this package to package.mask, and removing it from portage.

Re-assigning to security. Upstream is dead, package has no Gentoo maintainer... Auditors, could you please confirm the package is a mess?

I have nfc how this works... Does the attacker need to set up a malicious server? Or is dyndnsupdate a listening daemon? In the latter we'll have to issue a GLSA about this if we dump it.

It doesn't listen - exploiting this requires dns cache poisoning, tcp session hijacking, or control over an http proxy. There is no ssl here (unlike most other dyndns clients), so these attacks are not too demanding. The ebuild doesn't run this program automatically, but I guess many users will be running this as root. *I* would want to receive a GLSA for this. Access to the local filesystem looks safe; I don't see any local exploits.

Confirmed, it does look exploitable via multiple vectors. dns poisoning would be required though, so not a high priority. I think it should be dropped in favour of the maintained package.

the problems start in the argument parsing and get worse from there. bin it.

    nemo dyndnsupdate-0.6.15 # ./dyndnsupdate -a 127.0.0.1 \
        -u $(perl -e 'print "x" x 1024') \
        -h bleh -s $(perl -e 'print "x" x 1024')
    Segmentation fault

OK. Upstream is dead, package is a mess, it has no maintainer and alternatives exist. Should be masked prior to removal, and a Masking GLSA should be issued to warn our users to switch to better alternatives.

Security please review the masking GLSA draft

Masking GLSA 200503-27

Keeping open as enhancement to remember to remove it sometime

Probably safe to remove this from the tree now.

Removed