[Secure-testing-team] Minor PowerDNS DoS (CVE-2008-5277)

Florian Weimer fw at deneb.enyo.de
Wed Dec 3 17:39:20 UTC 2008


Hi,

version 2.9.21.1.0-1 fixed a minor denial of service condition in
pdns-server.  It's currently not in testing.  Please arrange for a
transition of the unstable version, or use the patch below I prepared
for the version etch.

It appears that we don't need a fix for etch because this version has
a different HINFO parser which does not run into this issue.  At least
I couldn't reproduce it over there.

Thanks,
Florian

diff --git a/debian/changelog b/debian/changelog
index fea5f1a..948d498 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+pdns (2.9.20-8+etch2) stable-security; urgency=high
+
+  * Fix minor denial of service in CH/HINFO processing (CVE-2008-5277)
+
+ -- Florian Weimer <fw at deneb.enyo.de>  Wed, 03 Dec 2008 16:48:01 +0100
+
 pdns (2.9.20-8+etch1) stable-security; urgency=high
 
   * Fixes security issue CVE-2008-3337 as announced in
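Review bot: the new changelog bullet ("Fix minor denial of service in CH/HINFO processing") does not say that the fix removes the class 3 HINFO responder outright, which is a visible behaviour change for anyone who queried it. Suggest naming the mechanism and the patch file in the bullet, for example "Remove the CH/HINFO check handler to fix a minor denial of service (fix-hinfo-dos.dpatch, CVE-2008-5277)", and crediting the patch author named in the dpatch header.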
diff --git a/debian/patches/00list b/debian/patches/00list
index 990611a..43876a4 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -9,3 +9,4 @@ fix-unaligned-access
 auto-soa-calculation-in-ldapbackend
 literal-zone-file.dpatch
 cve-2008-3337.dpatch
+fix-hinfo-dos.dpatch
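Review bot: the added entry "fix-hinfo-dos.dpatch" does not follow the naming of the security patch directly above it, "cve-2008-3337.dpatch". Naming this one cve-2008-5277.dpatch would keep the security fixes in 00list greppable by CVE id; the position at the end of the list, after cve-2008-3337.dpatch, looks right since both touch the packet handling code and the series is applied in order.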
diff --git a/debian/patches/fix-hinfo-dos.dpatch b/debian/patches/fix-hinfo-dos.dpatch
new file mode 100755
index 0000000..d67b2c5
--- /dev/null
+++ b/debian/patches/fix-hinfo-dos.dpatch
@@ -0,0 +1,54 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix-hinfo-dos.dpatch by Daniel Drown <dan-pdns at drown.org>
+##
+## DP: Fix HINFO minor DoS (CVE-2008-5277)
+
+ at DPATCH@
+diff -urNad git~/pdns/packethandler.cc git/pdns/packethandler.cc
+--- git~/pdns/packethandler.cc	2008-12-03 16:42:24.000000000 +0100
++++ git/pdns/packethandler.cc	2008-12-03 16:45:57.000000000 +0100
+@@ -180,23 +180,6 @@
+   return 0;
+ }
+ 
+-int PacketHandler::doDNSCheckRequest(DNSPacket *p, DNSPacket *r, string &target)
+-{
+-  int result = 0;
+-  DNSResourceRecord rr;
+-
+-  if (p->qclass == 3 && p->qtype.getName() == "HINFO") {
+-    rr.content = "PowerDNS $Id: packethandler.cc 539 2005-11-11 11:17:47Z ahu $";
+-    rr.ttl = 5;
+-    rr.qname=target;
+-    rr.qtype=13; // hinfo
+-    r->addRecord(rr);
+-    result = 1;
+-  }
+-  
+-  return result;
+-}
+-
+ /** This catches version requests. Returns 1 if it was handled, 0 if it wasn't */
+ int PacketHandler::doVersionRequest(DNSPacket *p, DNSPacket *r, string &target)
+ {
+@@ -616,9 +599,6 @@
+     string target=p->qdomain;
+     bool noCache=false;
+ 
+-    if (doDNSCheckRequest(p, r, target))
+-      goto sendit;
+-    
+     if(doVersionRequest(p,r,target)) // catch version.bind requests
+       goto sendit;
+ 
+diff -urNad git~/pdns/packethandler.hh git/pdns/packethandler.hh
+--- git~/pdns/packethandler.hh	2008-12-03 16:42:24.000000000 +0100
++++ git/pdns/packethandler.hh	2008-12-03 16:45:57.000000000 +0100
+@@ -88,7 +88,6 @@
+   int findMboxFW(DNSPacket *p, DNSPacket *r, string &target);
+   int findUrl(DNSPacket *p, DNSPacket *r, string &target);
+   int doFancyRecords(DNSPacket *p, DNSPacket *r, string &target);
+-  int doDNSCheckRequest(DNSPacket *p, DNSPacket *r, string &target);
+   int doVersionRequest(DNSPacket *p, DNSPacket *r, string &target);
+   bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
+   bool getTLDAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
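Review bot: the dpatch header carries only "## DP: Fix HINFO minor DoS (CVE-2008-5277)" and never states that the fix works by deleting doDNSCheckRequest, so a later maintainer has to read the inner hunks to learn that class 3 HINFO queries no longer get the "PowerDNS $Id: ..." answer and instead fall through to doVersionRequest and whatever follows it. Suggest adding one or two "## DP:" lines saying that the handler is removed rather than repaired, and why removal was chosen. The removal itself is consistent: the definition in packethandler.cc, the call site before doVersionRequest, and the declaration in packethandler.hh all go together, so nothing is left referencing the deleted function in the lines shown.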


