Secure testing team - Dec 2008 - Minor PowerDNS DoS (CVE-2008-5277)

Hi,

version 2.9.21.1.0-1 fixed a minor denial of service condition in
pdns-server.  It''s currently not in testing.  Please arrange for a
transition of the unstable version, or use the patch below I prepared
for the version etch.

It appears that we don''t need a fix for etch because this version has
a different HINFO parser which does not run into this issue.  At least
I couldn''t reproduce it over there.

Thanks,
Florian

diff --git a/debian/changelog b/debian/changelog
index fea5f1a..948d498 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+pdns (2.9.20-8+etch2) stable-security; urgency=high
+
+  * Fix minor denial of service in CH/HINFO processing (CVE-2008-5277)
+
+ -- Florian Weimer <fw at deneb.enyo.de>  Wed, 03 Dec 2008 16:48:01 +0100
+
 pdns (2.9.20-8+etch1) stable-security; urgency=high
 
   * Fixes security issue CVE-2008-3337 as announced in
diff --git a/debian/patches/00list b/debian/patches/00list
index 990611a..43876a4 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -9,3 +9,4 @@ fix-unaligned-access
 auto-soa-calculation-in-ldapbackend
 literal-zone-file.dpatch
 cve-2008-3337.dpatch
+fix-hinfo-dos.dpatch
diff --git a/debian/patches/fix-hinfo-dos.dpatch
b/debian/patches/fix-hinfo-dos.dpatch
new file mode 100755
index 0000000..d67b2c5
--- /dev/null
+++ b/debian/patches/fix-hinfo-dos.dpatch
@@ -0,0 +1,54 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix-hinfo-dos.dpatch by Daniel Drown <dan-pdns at drown.org>
+##
+## DP: Fix HINFO minor DoS (CVE-2008-5277)
+
+ at DPATCH@
+diff -urNad git~/pdns/packethandler.cc git/pdns/packethandler.cc
+--- git~/pdns/packethandler.cc	2008-12-03 16:42:24.000000000 +0100
++++ git/pdns/packethandler.cc	2008-12-03 16:45:57.000000000 +0100
+@@ -180,23 +180,6 @@
+   return 0;
+ }
+ 
+-int PacketHandler::doDNSCheckRequest(DNSPacket *p, DNSPacket *r, string
&target)
+-{
+-  int result = 0;
+-  DNSResourceRecord rr;
+-
+-  if (p->qclass == 3 && p->qtype.getName() == "HINFO")
{
+-    rr.content = "PowerDNS $Id: packethandler.cc 539 2005-11-11 11:17:47Z
ahu $";
+-    rr.ttl = 5;
+-    rr.qname=target;
+-    rr.qtype=13; // hinfo
+-    r->addRecord(rr);
+-    result = 1;
+-  }
+-  
+-  return result;
+-}
+-
+ /** This catches version requests. Returns 1 if it was handled, 0 if it
wasn''t */
+ int PacketHandler::doVersionRequest(DNSPacket *p, DNSPacket *r, string
&target)
+ {
+@@ -616,9 +599,6 @@
+     string target=p->qdomain;
+     bool noCache=false;
+ 
+-    if (doDNSCheckRequest(p, r, target))
+-      goto sendit;
+-    
+     if(doVersionRequest(p,r,target)) // catch version.bind requests
+       goto sendit;
+ 
+diff -urNad git~/pdns/packethandler.hh git/pdns/packethandler.hh
+--- git~/pdns/packethandler.hh	2008-12-03 16:42:24.000000000 +0100
++++ git/pdns/packethandler.hh	2008-12-03 16:45:57.000000000 +0100
+@@ -88,7 +88,6 @@
+   int findMboxFW(DNSPacket *p, DNSPacket *r, string &target);
+   int findUrl(DNSPacket *p, DNSPacket *r, string &target);
+   int doFancyRecords(DNSPacket *p, DNSPacket *r, string &target);
+-  int doDNSCheckRequest(DNSPacket *p, DNSPacket *r, string &target);
+   int doVersionRequest(DNSPacket *p, DNSPacket *r, string &target);
+   bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int
*zoneId);
+   bool getTLDAuth(DNSPacket *p, SOAData *sd, const string &target, int
*zoneId);

Hi,
* Florian Weimer <fw at deneb.enyo.de> [2008-12-03
19:20]:
> version 2.9.21.1.0-1 fixed a minor denial of service condition in
> pdns-server.  It''s currently not in testing.  Please arrange for a
> transition of the unstable version, or use the patch below I prepared
> for the version etch.
[...] 
[nion at coredump:~$] rmadison pdns-server
pdns-server |   2.9.20-8 |     etch-m68k | m68k
pdns-server | 2.9.20-8+etch1 |        stable | alpha, amd64, arm, hppa, i386,
ia64, mips, mipsel, powerpc, s390, sparc
pdns-server | 2.9.21.1.0-1 |       testing | alpha, amd64, arm, armel, hppa,
i386, ia64, mips, mipsel, powerpc, s390, sparc
pdns-server | 2.9.21.2-1 |      unstable | alpha, amd64, arm, armel, hppa, i386,
ia64, mips, mipsel, powerpc, s390, sparc

2.9.21.1.0-1 is in testing.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081203/4693dc7d/attachment.pgp

* Nico Golde:
> Hi,
> * Florian Weimer <fw at deneb.enyo.de> [2008-12-03 19:20]:
>> version 2.9.21.1.0-1 fixed a minor denial of service condition in
>> pdns-server.  It''s currently not in testing.  Please arrange
for a
>> transition of the unstable version, or use the patch below I prepared
>> for the version etch.
> [...] 
> [nion at coredump:~$] rmadison pdns-server
> pdns-server |   2.9.20-8 |     etch-m68k | m68k
> pdns-server | 2.9.20-8+etch1 |        stable | alpha, amd64, arm, hppa,
i386, ia64, mips, mipsel, powerpc, s390, sparc
> pdns-server | 2.9.21.1.0-1 |       testing | alpha, amd64, arm, armel,
hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
> pdns-server | 2.9.21.2-1 |      unstable | alpha, amd64, arm, armel, hppa,
i386, ia64, mips, mipsel, powerpc, s390, sparc
>
> 2.9.21.1.0-1 is in testing.
Sorry, typo, 2.9.21.2-1 (in the tracker) is the correct version.

(I can reproduce the issue with today''s lenny, but not with sid.)