
Bug 932846

Summary: net-dns/djbdns: locally truncated udp response results in denial-of-service
Product: Gentoo Linux
Reporter: Jaco Kroon <jaco>
Component: Stabilization
Assignee: Jaco Kroon <jaco>
Status: RESOLVED FIXED
Severity: major
CC: jaco, proxy-maint
Priority: Normal
Keywords: CC-ARCHES, STABLEREQ
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/36841
Whiteboard:
Package list:
=net-dns/djbdns-1.05-r40
Runtime testing required: No

Description Jaco Kroon 2024-05-27 13:48:56 UTC
By default djbdns has a size-limited UDP response buffer.

If the UDP response overflows this buffer it's treated as "no response received", resulting in a denial of service.  Options are:

1.  Increase the default response buffer size (limited fix).
2.  Dynamically increase the buffer size (multiple back and forth to find the right buffer size).
3.  Fall back to TCP.

Patch to follow.

One could argue this is a "denial of service" security issue, but I don't think this is of such a nature that public disclosure isn't responsible, therefore I'm disclosing it here - it definitely doesn't cause the process to deadlock/stop.  Not sure if DJB would consider this a security issue, although this is present in his original code (https://cr.yp.to/djbdns/guarantee.html specifically excludes Denial-of-service attacks).

Reproducible: Always
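The failure mode described in the report, and the three options listed for it, as an added illustration that is not djbdns code and not the patch from this bug: a resolver reads an upstream UDP answer into a fixed-size buffer, the kernel silently drops whatever does not fit, and the original behaviour treats a buffer that was filled as "no response". The DNS messages, the fake upstream server (which honours the classic 512-byte UDP limit and sets the TC bit when its own answer does not fit), the buffer sizes and the `kernel_udp_recv` helper are all constructed for this example.

```python
"""Added example (not djbdns code): a fixed UDP receive buffer turning an
oversized answer into a denial of service, next to the three remedies from
the report: bigger buffer (option 1), growing buffer (option 2), TCP (3)."""
import struct

TC_FLAG = 0x0200          # DNS header "truncated" bit (RFC 1035)
UPSTREAM_UDP_MAX = 512    # constructed: UDP payload limit honoured by the upstream
LOCAL_UDP_BUFFER = 256    # constructed: the resolver's own fixed receive buffer


def build_response(name, addrs, tc=False):
    """Minimal DNS answer: header, one A question, one A record per address."""
    flags = 0x8180 | (TC_FLAG if tc else 0)            # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)        # type A, class IN
    answers = b""
    for a in addrs:                                    # 0xC00C = pointer to qname
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return header + question + answers


def is_truncated(msg):
    """True when the server itself flagged the answer as truncated (TC bit)."""
    return len(msg) >= 12 and (struct.unpack("!H", msg[2:4])[0] & TC_FLAG) != 0


def parse_addrs(msg):
    """Extract the A records; ValueError if the message was cut short locally."""
    if len(msg) < 12:
        raise ValueError("short header")
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                                # skip the question section
        while True:
            if pos >= len(msg):
                raise ValueError("truncated qname")
            ln = msg[pos]
            pos += 1
            if ln == 0:
                break
            pos += ln
        pos += 4
    addrs = []
    for _ in range(an):
        if pos + 12 > len(msg):
            raise ValueError("truncated answer")
        _, rtype, _, _, rdlen = struct.unpack("!HHHIH", msg[pos:pos + 12])
        pos += 12
        if pos + rdlen > len(msg):
            raise ValueError("truncated rdata")
        if rtype == 1:
            addrs.append(".".join(str(b) for b in msg[pos:pos + rdlen]))
        pos += rdlen
    return addrs


def kernel_udp_recv(datagram, bufsize):
    """Mimic recvfrom() into a fixed buffer: bytes beyond bufsize are discarded."""
    return datagram[:bufsize]


class FakeUpstream:
    """Constructed upstream: over UDP it truncates and sets TC above 512 bytes,
    over TCP it always returns the complete answer."""
    def __init__(self, name, addrs):
        self.name, self.addrs = name, addrs

    def udp(self):
        full = build_response(self.name, self.addrs)
        return full if len(full) <= UPSTREAM_UDP_MAX else build_response(self.name, [], tc=True)

    def tcp(self):
        return build_response(self.name, self.addrs)


def resolve_drop(up, bufsize=LOCAL_UDP_BUFFER):
    """Original behaviour: a buffer that was filled is treated as no answer at all."""
    got = kernel_udp_recv(up.udp(), bufsize)
    if len(got) >= bufsize:       # the kernel may have cut the datagram
        return None               # caller sees "no response": the denial of service
    return parse_addrs(got)


def resolve_grow(up, bufsize=LOCAL_UDP_BUFFER, limit=65535):
    """Option 2: re-query with a doubled buffer until the answer fits.
    Returns (addrs, round_trips); None if the server itself keeps truncating."""
    trips = 0
    while bufsize <= limit:
        trips += 1
        got = kernel_udp_recv(up.udp(), bufsize)
        if len(got) < bufsize and not is_truncated(got):
            return parse_addrs(got), trips
        bufsize *= 2
    return None, trips


def resolve_tcp_fallback(up, bufsize=LOCAL_UDP_BUFFER):
    """Option 3: detect truncation (buffer full or TC set) and retry over TCP."""
    got = kernel_udp_recv(up.udp(), bufsize)
    if len(got) >= bufsize or is_truncated(got):
        return parse_addrs(up.tcp()), "tcp"
    return parse_addrs(got), "udp"


if __name__ == "__main__":
    up = FakeUpstream("example.test", ["10.0.0.%d" % i for i in range(1, 21)])
    print("drop:", resolve_drop(up))                  # None: the name is unresolvable
    print("grow:", resolve_grow(up)[1], "round trips")
    print("tcp :", resolve_tcp_fallback(up)[1])
```

The constructed 20-address answer is 350 bytes, which the upstream sends whole over UDP but which overflows the 256-byte local buffer, so `resolve_drop` returns nothing for a perfectly valid name. Option 2 costs an extra round trip per doubling and cannot help at all when the upstream sets TC because its own UDP limit was hit; the TCP fallback covers both the local and the server-side truncation with a single retry, which is why it is the usual choice.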
Comment 1 Larry the Git Cow gentoo-dev 2024-05-27 15:08:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b938f9f9a917d3bacb73ef914c371dfc5f2d8ebe

commit b938f9f9a917d3bacb73ef914c371dfc5f2d8ebe
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-05-27 14:37:52 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2024-05-27 15:08:30 +0000

    net-dns/djbdns: 1.05-r40
    
    Work around local receive overflow bug.
    
    Bug: https://bugs.gentoo.org/932846
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/36841
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 net-dns/djbdns/djbdns-1.05-r40.ebuild              | 143 +++++++++++++++++++++
 ...dp-overflow-response-buffer-truncate-nov6.patch |  13 ++
 ...-udp-overflow-response-buffer-truncate-v6.patch |  34 +++++
 3 files changed, 190 insertions(+)
Comment 2 Jaco Kroon 2024-05-28 06:27:11 UTC
Question is, can we "emergency" stable?

Is this considered a security issue by Gentoo? It's certainly a denial of service ... but is it a security issue in this specific case?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-06-26 23:52:17 UTC
ppc64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-06-26 23:52:18 UTC
sparc done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-06-27 01:25:32 UTC
x86 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-06-27 01:25:33 UTC
amd64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-06-27 01:25:35 UTC
ppc done

all arches done