A decade on, Dr. Bernstein has acknowledged a security flaw in one of his software packages, djbdns. He has long offered $1000 to anyone who finds a security flaw in his Qmail, ucspi-tcp, daemontools, or djbdns packages. It took a decade for someone to collect, and, unlike most software providers, he has also provided a patch.
So while we are still waiting on Microsoft to release a patch for the zero-day exploit in Excel, djbdns already has one. Take note, software vendors: this is how you do it.
From: D. J. Bernstein <djb <at> cr.yp.to>
Subject: djbdns<=1.05 lets AXFRed subdomains overwrite domains
Newsgroups: gmane.network.djbdns
Date: 2009-03-04 01:34:21 GMT
If the administrator of example.com publishes the example.com DNS data
through tinydns and axfrdns, and includes data for sub.example.com
transferred from an untrusted third party, then that third party can
control cache entries for example.com, not just sub.example.com. This is
the result of a bug in djbdns pointed out by Matthew Dempsky. (In short,
axfrdns compresses some outgoing DNS packets incorrectly.)
Even though this bug affects very few users, it is a violation of the
expected security policy in a reasonable situation, so it is a security
hole in djbdns. Third-party DNS service is discouraged in the djbdns
documentation but is nevertheless supported. Dempsky is hereby awarded
$1000.
The next release of djbdns will be backed by a new security guarantee.
In the meantime, if any users are in the situation described above,
those users are advised to apply Dempsky's patch and requested to accept
my apologies. The patch is also recommended for other users; it corrects
the bug without any side effects. A copy of the patch appears below.
---D. J. Bernstein
Research Professor, Computer Science, University of Illinois at Chicago
--- response.c.orig 2009-02-24 21:04:06.000000000 -0800
+++ response.c 2009-02-24 21:04:25.000000000 -0800
@@ -34,7 +34,7 @@
uint16_pack_big(buf,49152 + name_ptr[i]);
return response_addbytes(buf,2);
}
- if (dlen <= 128)
+ if ((dlen <= 128) && (response_len < 16384))
if (name_num < NAMES) {
byte_copy(name[name_num],dlen,d);
name_ptr[name_num] = response_len;
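Review bot: the new condition on the `if (dlen <= 128)` line only records a name in `name_ptr[]` when `response_len` is below 16384, which is the largest offset a compression pointer can carry; this matches the encoding `uint16_pack_big(buf,49152 + name_ptr[i])` a few lines up (0xC000 | offset), where an offset of 16384 or more would spill past the 16-bit field and yield a bogus pointer. Guarding at the point where names are recorded, rather than where pointers are emitted, is the right choice: a name that was never recorded is simply written out in full on its next occurrence, with no other change in behaviour. One suggestion: give 16384 a named constant or a comment stating that it is 2^14, the 14-bit pointer space; as written it reads as a magic number, and the reason the check is needed is not visible next to it.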
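To make the failure mode concrete, here is an added toy model of DNS name compression (RFC 1035 section 4.1.4) in Python. It is example code written for this post, not djbdns code; the class and function names, the `bounded` switch, and the padded response are all constructed for illustration. It shows why a pointer can only address the first 16384 bytes of a message, what a later reference decodes to when a name is recorded past that limit, and how recording only names below the limit avoids the problem.

```python
"""Toy model of DNS name compression and the 14-bit pointer limit.
Constructed example; not djbdns code."""
import struct

POINTER_LIMIT = 16384   # 2**14: largest offset a compression pointer can hold
POINTER_FLAG = 0xC000   # top two bits set mark a compression pointer


def encode_labels(name):
    """Wire-format a dotted name as length-prefixed labels, no compression."""
    out = bytearray()
    for label in name.strip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


class ResponseBuilder:
    """Append names to a response, compressing repeats with pointers.

    bounded=False models the defect: every name's offset is remembered, and a
    pointer value of 0xC000 + offset is truncated to 16 bits on output.
    bounded=True records a name only when its offset fits in 14 bits.
    """

    def __init__(self, bounded):
        self.bounded = bounded
        self.buf = bytearray()
        self.offsets = {}   # lowercase name -> offset of its first occurrence

    def add_bytes(self, data):
        self.buf += data

    def add_name(self, name):
        key = name.strip(".").lower()
        if key in self.offsets:
            # Same 16-bit truncation a uint16 pack of 49152 + offset performs
            value = (POINTER_FLAG + self.offsets[key]) & 0xFFFF
            self.buf += struct.pack(">H", value)
            return
        offset = len(self.buf)
        self.buf += encode_labels(name)
        if not self.bounded or offset < POINTER_LIMIT:
            self.offsets[key] = offset


def decode_name(buf, pos):
    """Decode the name at pos, following pointers; return (name, next_pos)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = pos + 2                # caller resumes after the pointer
            pos = struct.unpack(">H", buf[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        pos += 1
        if length == 0:                      # root label terminates the name
            break
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def name_seen_by_resolver(bounded):
    """Put the first copy of a name past offset 16384, then decode the
    second, possibly compressed, reference the way a resolver would."""
    r = ResponseBuilder(bounded)
    r.add_bytes(b"\x00" * 16400)   # stand-in for earlier records (constructed padding)
    r.add_name("sub.example.com")  # first occurrence, at offset 16400
    second = len(r.buf)
    r.add_name("sub.example.com")  # pointer (unbounded) or full name (bounded)?
    name, _ = decode_name(bytes(r.buf), second)
    return name


if __name__ == "__main__":
    print("unbounded:", repr(name_seen_by_resolver(False)))
    print("bounded:  ", repr(name_seen_by_resolver(True)))
```

In the unbounded case the pointer value 49152 + 16400 wraps to 0x0010, which a resolver reads as an ordinary label of length zero followed by whatever comes next, so the reference decodes to the root name rather than sub.example.com. That is the class of confusion the advisory describes: a record the sender meant for one owner name is read by the cache under another. With the bound in place the second occurrence is written out in full and decodes correctly.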