Bug 260014 (CVE-2008-4392) - <net-dns/djbdns-1.05-r22 identical query spoofing (CVE-2008-4392)
Summary: <net-dns/djbdns-1.05-r22 identical query spoofing (CVE-2008-4392)
Status: RESOLVED FIXED
Alias: CVE-2008-4392
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.your.org/dnscache/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-02-23 14:42 UTC by Robert Buchholz (RETIRED)
Modified: 2011-10-08 21:39 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
djbdns-1.05-test23.diff.bz2-11758.out (djbdns-1.05-test23.diff.bz2-11758.out,102.71 KB, text/plain)
2009-03-03 05:53 UTC, Jeroen Roovers
Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-23 14:42:06 UTC
CVE-2008-4392 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4392):
  dnscache in Daniel J. Bernstein djbdns 1.05 does not prevent
  simultaneous identical outbound DNS queries, which makes it easier
  for remote attackers to spoof DNS responses, as demonstrated by a
  spoofed A record in the Additional section of a response to a Start
  of Authority (SOA) query.
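
The defence implied by the CVE description above is to merge identical questions into one outstanding upstream query, so that many simultaneous lookups for the same name do not multiply the number of query ID and source port pairs a forged reply could match. A minimal in-flight table in C, added here as an illustration; it is not code from this bug report or from any djbdns patch, and the names `query_start`, `query_finish`, `outstanding` and the table size are assumptions:

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_INFLIGHT 64   /* assumed table size for this sketch */
#define MAX_NAME 256

/* One outstanding upstream query, shared by every client asking it. */
struct inflight { int used; char qname[MAX_NAME]; unsigned short qtype; unsigned waiters; };
static struct inflight table[MAX_INFLIGHT];

/* Find the slot for (qname, qtype); DNS names compare case-insensitively. */
static struct inflight *find(const char *qname, unsigned short qtype) {
    for (int i = 0; i < MAX_INFLIGHT; i++)
        if (table[i].used && table[i].qtype == qtype &&
            strcasecmp(table[i].qname, qname) == 0)
            return &table[i];
    return NULL;
}

/* Returns 1 if the caller must send a new upstream query, 0 if the request
   was merged into an identical one in flight, -1 if it cannot be tracked. */
int query_start(const char *qname, unsigned short qtype) {
    struct inflight *q = find(qname, qtype);
    if (q) { q->waiters++; return 0; }
    if (strlen(qname) >= MAX_NAME) return -1;
    for (int i = 0; i < MAX_INFLIGHT; i++) {
        if (table[i].used) continue;
        table[i].used = 1;
        strcpy(table[i].qname, qname);
        table[i].qtype = qtype;
        table[i].waiters = 1;
        return 1;
    }
    return -1;  /* table full: refuse rather than send an untracked duplicate */
}

/* Answer or timeout arrived: free the slot, return how many clients waited. */
unsigned query_finish(const char *qname, unsigned short qtype) {
    struct inflight *q = find(qname, qtype);
    if (!q) return 0;
    q->used = 0;
    return q->waiters;
}

/* Number of upstream queries currently outstanding. */
int outstanding(void) {
    int n = 0;
    for (int i = 0; i < MAX_INFLIGHT; i++) n += table[i].used;
    return n;
}

int main(void) {
    /* Constructed input: five clients ask the same SOA (type 6) question. */
    for (int i = 0; i < 5; i++) query_start("example.com", 6);
    printf("outstanding upstream queries: %d\n", outstanding());
    return 0;
}
```
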
Comment 1 René Nussbaumer (RETIRED) gentoo-dev 2009-03-01 09:41:14 UTC
This bug has been fixed with -r22.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2009-03-01 11:28:49 UTC
(In reply to comment #1)
> This bug has been fixed with -r22.
> 

uhrm, please don't close security bugs.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-03-01 11:31:42 UTC
Arches, please test and mark stable:
=net-dns/djbdns-1.05-r22
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-03-02 15:57:27 UTC
anyone hit this patch problem not applying...

djbdns-1.05-test23.diff.bz2
Comment 5 Jeroen Roovers gentoo-dev 2009-03-03 05:53:19 UTC
Created attachment 183744
djbdns-1.05-test23.diff.bz2-11758.out

(In reply to comment #4)
> anyone hit this patch problem not applying...
> 
> djbdns-1.05-test23.diff.bz2

Yes.
Comment 6 Jeroen Roovers gentoo-dev 2009-03-05 22:18:37 UTC
@killerfox: Could you drop that patch or get it fixed, please?
Comment 7 René Nussbaumer (RETIRED) gentoo-dev 2009-03-08 19:40:25 UTC
Fixed. Wrong patch order.
Comment 8 Jeroen Roovers gentoo-dev 2009-03-09 17:44:40 UTC
!!! newbin: /keeps/gentoo/portage/net-dns/djbdns/files/djbdns-setup-r22 does not exist
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-03-11 15:06:54 UTC
ppc64 done
Comment 10 Tobias Klausmann gentoo-dev 2009-03-11 22:20:55 UTC
Stable on alpha. 
Comment 11 Dawid Węgliński (RETIRED) gentoo-dev 2009-03-12 22:34:20 UTC
Since this package has many flags that are not turned on by default, could you guys provide any feedback on how to test it? Or is it OK with you if I only perform a compile test?
Comment 12 Jeroen Roovers gentoo-dev 2009-03-13 00:21:06 UTC
Stable for HPPA (also fixed the issue of comment #8 in that commit).
Comment 13 Markus Meier gentoo-dev 2009-03-15 15:05:26 UTC
amd64/x86 stable
Comment 14 Brent Baude (RETIRED) gentoo-dev 2009-03-18 22:30:49 UTC
ppc done
Comment 15 Gordon Malm (RETIRED) gentoo-dev 2009-03-18 22:58:13 UTC
What about bug #260975?
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 13:23:50 UTC
(In reply to comment #15)
> What about bug #260975?

It was reported after this bug went into [stable], so we felt like keeping this running and attaching arches to the other bug when it's been committed.
Comment 17 Gordon Malm (RETIRED) gentoo-dev 2009-03-27 19:41:39 UTC
It appears there are some issues with this qmerge patch.

http://marc.info/?t=123608914400003&r=1&w=2
Comment 18 Friedrich Oslage (RETIRED) gentoo-dev 2009-03-28 13:16:11 UTC
sparc already has =net-dns/djbdns-1.05-r23 stable, bug #260975

I assume we don't need -r22 then, if we do please re-cc us.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2009-03-30 18:27:40 UTC
Has there been an upstream reaction concerning the regression? I only see it being discussed for the zinq fork.
Comment 20 Dan Peterson 2009-04-08 22:28:37 UTC
(In reply to comment #19)
> has there been upstream reaction concerning the regression? I only see it being
> discussed for the zinq fork.

There has been no word on this particular problem from DJB. Jeff King has been working on a patch to stock djbdns that Mark Johnson, the zinq maintainer, hopes to include in zinq. Jeff's first patch (the one included in the current ebuild) was flawed even by Jeff's admission. There's a new version here:

http://marc.info/?l=djbdns&m=123859517723684&w=2

But it seems it hasn't received much testing/feedback yet. I would highly recommend not including any version of the patch until the djbdns list has sorted it out; otherwise things may break as they do with the first patch.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-04-12 16:00:31 UTC
With the known regression and a new patch evolving slowly, we should probably remove the patch (downgrade won't work due to the other patch in -r23).
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 11:29:42 UTC
With the regressions in our current stable, it seems more sensible to merge the new version of the patch. Feedback on it has been positive except for higher CPU usage:
http://thread.gmane.org/gmane.network.djbdns/13965
Comment 23 Jaak Ristioja 2010-07-23 08:55:31 UTC
There is no <net-dns/djbdns-1.05-r23 in portage any more.
Comment 24 Michael Orlitzky gentoo-dev 2011-03-29 17:04:12 UTC
I think this can be closed; all affected versions are gone from the tree.
Comment 25 Dane Smith (RETIRED) gentoo-dev 2011-04-04 11:50:05 UTC
@security, is there a reason this is still open? If no, can we get it closed please?
Comment 26 Tim Sammut (RETIRED) gentoo-dev 2011-04-04 15:08:11 UTC
(In reply to comment #25)
> @security, is there a reason this is still open? If no, can we get it closed
> please?

Thanks for the poke. We need to vote on whether or not this requires a GLSA, and if it does, we'll need to publish one before we can close this bug.

GLSA Vote: no.
Comment 27 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:39:03 UTC
voting no too, and closing.
Comment 28 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:39:29 UTC
voting no too, and closing.