From owner-freebsd-security  Wed Jun 26 17:18:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236])
	by hub.freebsd.org (Postfix) with ESMTP id E80E437CABF
	for <security@FreeBSD.ORG>; Wed, 26 Jun 2002 17:12:09 -0700 (PDT)
Received: from drugs.dv.isc.org (localhost.dv.isc.org [127.0.0.1])
	by drugs.dv.isc.org (8.12.3/8.12.3) with ESMTP id g5R0C8m0029482;
	Thu, 27 Jun 2002 10:12:08 +1000 (EST)
	(envelope-from marka@drugs.dv.isc.org)
Message-Id: <200206270012.g5R0C8m0029482@drugs.dv.isc.org>
To: Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv 
In-reply-to: Your message of "Wed, 26 Jun 2002 13:33:34 CST."
             <4.3.2.7.2.20020626133115.022a0d30@localhost> 
Date: Thu, 27 Jun 2002 10:12:08 +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


> Aaargh. This will affect not only more recent systems but
> the older 3.x and embedded systems I maintain for people.
> There's no patch for these, and in the case of the embedded
> systems that use BSD I can't upgrade.
> 
> Any word on whether one can detect and block such attacks
> upstream via an IDS or a proxy at the firewall?
> 
> --Brett Glass

	Provided you are behind a nameserver you trust that reconstructs
	the answer you should be fine.

	BIND 9 reconstucts all answers (excluding forwarded UPDATES).
	BIND 8 forwards some and reconstructs others.

	Mark
> 
> At 01:08 PM 6/26/2002, FreeBSD Security Advisories wrote:
>   
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >============================================================================
> =
> >FreeBSD-SA-02:28.resolv                                     Security Advisor
> y
> >                                                          The FreeBSD Projec
> t
> >
> >Topic:          buffer overflow in resolver
> >
> >Category:       core
> >Module:         libc
> >Announced:      2002-06-26
> >Credits:        Joost Pol <joost@pine.nl>
> >Affects:        All releases prior to and including 4.6-RELEASE
> >Corrected:      2002-06-26 06:34:18 UTC (RELENG_4)
> >                2002-06-26 08:44:24 UTC (RELENG_4_6)
> >                2002-06-26 18:53:20 UTC (RELENG_4_5)
> >FreeBSD only:   NO
> >
> >I.   Background
> >
> >The resolver implements functions for making, sending and interpreting
> >query and reply messages with Internet domain name servers.
> >Hostnames, IP addresses, and other information are queried using the
> >resolver.
> >
> >II.  Problem Description
> >
> >DNS messages have specific byte alignment requirements, resulting in
> >padding in messages.  In a few instances in the resolver code, this
> >padding is not taken into account when computing available buffer
> >space.  As a result, the parsing of a DNS message may result in a
> >buffer overrun of up to a few bytes for each record included in the
> >message.
> >
> >III. Impact
> >
> >An attacker (either a malicious domain name server or an agent that
> >can spoof DNS messages) may produce a specially crafted DNS message
> >that will exploit this bug when parsed by an application using the
> >resolver.  It may be possible for such an exploit to result in the
> >execution of arbitrary code with the privileges of the resolver-using
> >application.  Though no exploits are known to exist today, since
> >practically all Internet applications utilize the resolver, the
> >severity of this issue is high.
> >
> >IV.  Workaround
> >
> >There is currently no workaround.
> >
> >V.   Solution
> >
> >Do one of the following:
> >
> >1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6
> >or RELENG_4_5 security branch dated after the correction date
> >(4.6-RELEASE-p1 or 4.5-RELEASE-p7).
> >
> >2) To patch your present system:
> >
> >The following patch has been verified to apply to FreeBSD 4.5 and
> >FreeBSD 4.6 systems.
> >
> >a) Download the relevant patch from the location below, and verify the
> >detached PGP signature using your PGP utility.
> >
> ># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch
> ># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch
> .asc
> >
> >b) Execute the following commands as root:
> >
> ># cd /usr/src
> ># patch < /path/to/patch
> >
> >c) Recompile the operating systems as described in
> ><URL:http://www.freebsd.org/doc/handbook/makeworld.html>.
> >
> >Note that any statically linked applications that are not part of
> >the base system (i.e. from the Ports Collection or other 3rd-party
> >sources) must be recompiled.
> >
> >VI.  Correction details
> >
> >The following list contains the revision numbers of each file that was
> >corrected in FreeBSD.
> >
> >Path                                                             Revision
> >  Branch
> >- -------------------------------------------------------------------------
> >src/lib/libc/net/gethostbydns.c
> >  RELENG_4                                                       1.27.2.2
> >  RELENG_4_6                                                    1.27.10.1
> >  RELENG_4_5                                                     1.27.8.1
> >src/lib/libc/net/getnetbydns.c
> >  RELENG_4                                                       1.13.2.2
> >  RELENG_4_6                                                 1.13.2.1.8.1
> >  RELENG_4_5                                                 1.13.2.1.6.1
> >src/lib/libc/net/name6.c
> >  RELENG_4                                                        1.6.2.6
> >  RELENG_4_6                                                  1.6.2.5.8.1
> >  RELENG_4_5                                                  1.6.2.5.6.1
> >src/sys/conf/newvers.sh
> >  RELENG_4_6                                                1.44.2.23.2.2
> >  RELENG_4_5                                                1.44.2.20.2.8
> >- -------------------------------------------------------------------------
> >
> >VII. References
> >
> ><URL:http://www.pine.nl/advisories/pine-cert-20020601.html>
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.0.7 (FreeBSD)
> >
> >iQCVAwUBPRoQOVUuHi5z0oilAQG3cAP/d7Gb2rdkSjZKCR0NI+QzMibgySVTXOtF
> >sdoJrYka/XnIpFMVAyXl36bibtRKbwfCyv/rEX39YSas7tqReizwAABoaRF956Qb
> >qlek1ONvvd+Tj6+WpEEueX/VdPqGQuqMk0BoguIbOgwAya6ZFYJ9ZKAHHSN9YqO8
> >ZGTC8pmqfGI=
> >=s76v
> >-----END PGP SIGNATURE-----
> >
> >This is the moderated mailing list freebsd-announce.
> >The list contains announcements of new FreeBSD capabilities,
> >important events and project milestones.
> >See also the FreeBSD Web pages at http://www.freebsd.org
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-announce" in the body of the message
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message