[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [linux-security] About DNS again

> possible that this vulnerability was discussed during BOFs at conferences
> such as LISA, SANS and NETSEC, neither a summary was ever made public, nor a
> detailed description of attack was ever given.

The attack is NOT new news. I got the rcmd() code in gnu libc fixed a while
ago and sent a "fix this ask no questions message" to HJ Lu as well (for
libc5). Looking at the 5.4.10 code it doesnt appear it got fixed. Im not
sure if resolv+ has that bug anyway however.

Also if you remember I moaned at someone [Bill Fenner I think] on here who 
posted a big ping program that assumed the resolver gave back good lengths 
and got a reply saying I was talking crap.. now you know why I said it.

> > problem until we notified him.  This is not to mention that CERT was not
> > aware of the problem either.  The other interesting fact is that the BIND

Who made the claim CERT were not aware of that ?

> > I have also never seen any other reference to this anywhere else (yes
> > there has been alot of talk about h_name problems in various places,
> > causing string buffer overflows, yet not the h_length problem).

The DOMAIN_TRIM stuff in resolv+ also has buffer overrun bugs. It doesnt
check the lengths.

> > firewalls.  Discussing it, e-mailing about it, or any other type of 
> > communication in limited forums will end with the bug still being a 
> > problem. With this in mind, we released the advisory.

Until someone confirms CERT themselves made that claim I reserve judgment on
their issues. Thank you for making it public [and there is no sarcasm in
that sentence].

CERT do [and Im not in the mood to argue for or against their policy on a 
list like this] sit on bugs and pass them to limited audiences to fix 
before they become public knowledge. That is how gnulibc rcmd() got fixed. 
Unfortunately at times they let vendors sit on things for far too long 
(eg the solaris priviledged socket bug).

I'm in the sometimes awkward position of being both on the full disclosure
lists and sometimes doing Linux stuff related to CERT which is non
disclosure. That makes it sometimes awkward to resolve the two conflicting
issues. Thus what I hear from CERT but not from anyone else stays PGP
encrypted on a secure machine at home. What I hear from everyone else I tell
everyone else about.

And yes I have known about resolv for a long time.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]