Dominic Hargreaves
2009-Mar-04 15:20 UTC
[Secure-testing-team] Bug#518169: djbdns<=1.05 lets AXFRed subdomains overwrite domains
Package: djbdns Version: 1:1.05-4 Severity: grave Tags: security Justification: user security hole Message-ID: <20090304013421.60368.qmail at cr.yp.to> Subject: djbdns<=1.05 lets AXFRed subdomains overwrite domains To: dns at list.cr.yp.to From: "D. J. Bernstein" <djb at cr.yp.to> If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.) Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000. The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky''s patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below. ---D. J. Bernstein Research Professor, Computer Science, University of Illinois at Chicago --- response.c.orig 2009-02-24 21:04:06.000000000 -0800 +++ response.c 2009-02-24 21:04:25.000000000 -0800 @@ -34,7 +34,7 @@ uint16_pack_big(buf,49152 + name_ptr[i]); return response_addbytes(buf,2); } - if (dlen <= 128) + if ((dlen <= 128) && (response_len < 16384)) if (name_num < NAMES) { byte_copy(name[name_num],dlen,d); name_ptr[name_num] = response_len;