Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 290822 (CVE-2007-2386) - <net-misc/mDNSResponder-212.1: multiple vulnerabilites (CVE-2007-{2386,3744,3828}, CVE-2008-{0989,2326,3630})
Summary: <net-misc/mDNSResponder-212.1: multiple vulnerabilites (CVE-2007-{2386,3744,3...
Status: RESOLVED FIXED
Alias: CVE-2007-2386
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High blocker (vote)
Assignee: Gentoo Security
URL: http://www.opensource.apple.com/sourc...
Whiteboard: B0 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-27 23:28 UTC by Daniel Klaffenbach
Modified: 2012-01-22 23:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Klaffenbach 2009-10-27 23:28:21 UTC
The newest Version of mDNSResponder in the portage tree is 107.6 (from Mac OS 10.4), but version 212.1 (from Mac OS 10.6) is out already.
Please update the application to a more recent version. Quite a few security-related issues have been fixed in newer versions!

Reproducible: Always




http://www.opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-212.1.tar.gz
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-28 09:33:56 UTC
Daniel, thanks for the report. Could you please point us to an advisory or some other resource of information regarding the security issues? I can't find any right now.
Comment 2 Daniel Klaffenbach 2009-10-28 10:45:52 UTC
(In reply to comment #1)
> Could you please point us to an advisory or some
> other resource of information regarding the security issues?
All the source files contain descriptions of their revisions:

mDNSPosix/Responder.c: "Potential buffer overflow in mDNSResponderPosix"

mDNSCore/uDNS.c:
Revision 1.409  2007/07/25 03:05:02  vazquez
Fixes for:
<rdar://problem/5338913> LegacyNATTraversal: UPnP heap overflow
<rdar://problem/5338933> LegacyNATTraversal: UPnP stack buffer overflow
and a myriad of other security problems


Also have a look at:
http://www.net-security.org/advisory.php?id=9270
"Impact:  mDNSResponder is susceptible to DNS cache poisoning and may
return forged information"


Why is the version in the tree a couple of years old anyway?
Comment 3 Tomáš Chvátal (RETIRED) gentoo-dev 2009-10-28 10:55:11 UTC
Because noone from kde uses it anyway, we prefer avahi[+mdnsresponder-compat].
And when we spotted bugs about mdnsresponder and asked those reporters to actualy do some ebuild nobody did any work. So i might be even in favor of removal.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 14:07:01 UTC
It's in RDEPEND/DEPEND in ~20 packages which use zeroconf or bonjour.
I think removing it is not a good option right now.

Quoting http://www.securiteam.com/securitynews/5FP032KMAW.html:

"Vulnerable Systems:
 * Mac OS X version 10.4.10, Server and Workstation, with mDNSResponder version 108.5.

Exploitation of this vulnerability allows an attacker to execute arbitrary code with root privileges on a vulnerable host. No authentication is needed to exploit this vulnerability.

Failed attempts will result in the service crashing. Shortly after crashing, it will be restarted."

We've got 107.6-r5 and I don't see CVE packports there.

Let's bump to a new version...
Comment 5 Patrick Lauer gentoo-dev 2009-11-08 10:46:12 UTC
+  08 Nov 2009; Patrick Lauer <patrick@gentoo.org>                                                               
+  +mDNSResponder-212.1.ebuild:                                                                                  
+  Bump, fixes #290822 

Not well tested, but at least this version seems to not fail like the 176.* did.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-09 23:33:36 UTC
Thanks, patrick! Adjusting severity according to the gentoo vulnerability treatment guide.

Arches, please test and mark stable:
=net-misc/mDNSResponder-212.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-10 02:07:32 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-11 01:08:18 UTC
Stable for HPPA.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-11-15 19:18:59 UTC
alpha/arm/ia64/s390/sh/sparc
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-11-16 14:31:47 UTC
mdnsresponder code is here:
http://svn.macosforge.org/repository/mDNSResponder/
git://git.macosforge.org/mDNSResponder.git

Regarding the issues mentioned above. All but one are already covered by CVEs:

== CVE-2008-3630 ==
impact: cache poisoning

for windows:
git: 691669439eb31cc559f5901dbe4edd934da6b21d

for posix:
git: 2948346b71b87c5d8ae5bca2074a5f663435fc55
git: 7835c9c18a70e721bae608b57eb0560ff94f5b65
(and previous)


== CVE-2008-2326 ==
git: b10ec9ee04a68b9805b67699549f7df75397fe72
impact: crash

Upstream claims this only affects windows. Code changes are in the core though.


== CVE-2008-0989 ==
impact: code execution

should only affect osx as mDNSResponderHelper is not built for posix


== CVE-2007-3744 ==
impact: code execution
git: 2b1d199002fb38635541fe34de4a366f767985d6

osx only / LEGACY_NAT_TRAVERSAL only


== CVE-2007-3828 / CVE-2007-2386 ==
impact: code execution

I do not know which commit fixed this bug, so it is
hard to determine whether we are affected.


== mDNSResponderPosix Buffer Overflow ==

While this is a buffer overflow, the input that is read from is a system configuration file given at program start. No trust boundaries are crossed here.
Comment 11 Markus Meier gentoo-dev 2009-11-16 22:49:48 UTC
amd64 stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2009-11-17 16:13:44 UTC
ppc64 done
Comment 13 nixnut (RETIRED) gentoo-dev 2009-11-21 19:59:07 UTC
ppc stable
Comment 14 Dawid Węgliński (RETIRED) gentoo-dev 2010-01-20 23:48:36 UTC
@security, could you please resolv this bug as all araches are done w/ stabilization?
Comment 15 David Abbott gentoo-dev 2010-05-02 17:40:34 UTC
@security Can we close this?
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 18:55:23 UTC
GLSA request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-01-22 23:35:43 UTC
This issue was resolved and addressed in
 GLSA 201201-05 at http://security.gentoo.org/glsa/glsa-201201-05.xml
by GLSA coordinator Sean Amoss (ackle).