Debian Bug report logs - #490217
python-dns vulnerable to CVE-2008-1447 DNS source port guessable

version graph

Package: python-dns; Maintainer for python-dns is Scott Kitterman <scott@kitterman.com>; Source for python-dns is src:python-dns.

Reported by: Joe Malicki <jmalicki@metacarta.com>

Date: Thu, 10 Jul 2008 19:36:08 UTC

Severity: grave

Tags: security

Found in version python-dns/2.3.0-5.1

Fixed in versions python-dns/2.3.1-5, 2.3.0-5.2+etch1

Done: <devin@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Scott Kitterman <scott@kitterman.com>:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to Joe Malicki <jmalicki@metacarta.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Scott Kitterman <scott@kitterman.com>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joe Malicki <jmalicki@metacarta.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-dns vulnerable to CVE-2008-1447 DNS source port guessable
Date: Thu, 10 Jul 2008 15:30:42 -0400
Package: python-dns
Version: 2.3.0-5.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2008-1447, which deals with DNS reply poisoning that
is possible due to DNS clients sending DNS requests on
predictable UDP source ports, is a security issue that
also applies to python-dns, as it does not implement the
recommended UDP port randomization... example:

Note lack of port randomization in code:
    def sendUDPRequest(self, server):
        "refactor me"
        self.response=None
        self.socketInit(socket.AF_INET, socket.SOCK_DGRAM)
        for self.ns in server:
            try:
                # TODO. Handle timeouts &c correctly (RFC)
                #self.s.connect((self.ns, self.port))
                self.conn()
                self.time_start=time.time()
                if not self.async:
                    self.s.send(self.request)
                    self.response=self.processUDPReply()
            #except socket.error:
            except None:
                continue
            break
        if not self.response:
            if not self.async:
                raise DNSError,'no working nameservers found'

In [25]: import DNS
In [26]: d=DNS.DnsRequest(name='www.google.com', server='208.80.142.5', 
port=53)
In [27]: r=d.req() 
In [28]: r=d.req()

In [29]: r=d.req()

In [30]: r=d.req()
(etc)

Yields, with "tcpdump udp port 53":
15:27:15.912894 IP baekdudaegan.metacarta.com.43661 > 
eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:17.224843 IP baekdudaegan.metacarta.com.43662 > 
eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:18.344731 IP baekdudaegan.metacarta.com.43663 > 
eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:18.952729 IP baekdudaegan.metacarta.com.43664 > 
eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:19.384802 IP baekdudaegan.metacarta.com.43665 > 
eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:19.752853 IP baekdudaegan.metacarta.com.43666 > 
eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:20.120819 IP baekdudaegan.metacarta.com.43667 > 
eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:22.680866 IP baekdudaegan.metacarta.com.43668 > 
eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:23.416775 IP baekdudaegan.metacarta.com.43669 > 
eiger.metacarta.com.domain:  0+ A? www.google.com. (32)


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages python-dns depends on:
ii  python                        2.4.4-2    An interactive high-level object-o
ii  python-support                0.5.6      automated rebuilding support for p

python-dns recommends no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to Scott Kitterman <scott@kitterman.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 490217@bugs.debian.org (full text, mbox):

From: Scott Kitterman <scott@kitterman.com>
To: 490217@bugs.debian.org, jmalicki@metacarta.com
Subject: Thanks for the report
Date: Thu, 10 Jul 2008 16:43:36 -0400
[Message part 1 (text/plain, inline)]
I'm discussing this with upstream and will get something out soon.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to Scott Kitterman <scott@kitterman.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #15 received at 490217@bugs.debian.org (full text, mbox):

From: Scott Kitterman <scott@kitterman.com>
To: 490217@bugs.debian.org, jmalicki@metacarta.com
Subject: 2.3.1-4 uploaded to Sid partially addresses this issue
Date: Fri, 11 Jul 2008 01:24:17 -0400
[Message part 1 (text/plain, inline)]
In addition to source port randomization, one would also like TID (Transaction 
ID) randomization.  Up until now, python-dns provided neither.  2.3.1-4 pulls 
a patch from the upstream CVS repository that will provide a random TID when 
packets are created.  

The patch does not re-randomize the TID if a packet has to be retried due to 
timeouts.  It also does not randomize the port.  The Lenny/Sid kernel will do 
this for python-dns, but the Etch kernel will not.  

Upstream is still working on the issue.  I expect a new upstream release 
tomorrow that fully supports TID randomization and another release once the 
port randomization is coded and tested (it's a rather more complex change).  
Once both those are in hand, I'll prepare a diff for the security team for 
Etch.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to Scott Kitterman <scott@kitterman.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #20 received at 490217@bugs.debian.org (full text, mbox):

From: Scott Kitterman <scott@kitterman.com>
To: 490217@bugs.debian.org
Subject: Still no upstream release
Date: Sun, 20 Jul 2008 13:24:07 -0400
[Message part 1 (text/plain, inline)]
Upstream is being slower than I'd hoped.  I'll see if I can't come up with a 
patch and send it to them.

Scott K
[signature.asc (application/pgp-signature, inline)]

Reply sent to Scott Kitterman <scott@kitterman.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joe Malicki <jmalicki@metacarta.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 490217-close@bugs.debian.org (full text, mbox):

From: Scott Kitterman <scott@kitterman.com>
To: 490217-close@bugs.debian.org
Subject: Bug#490217: fixed in python-dns 2.3.1-5
Date: Sat, 26 Jul 2008 05:17:03 +0000
Source: python-dns
Source-Version: 2.3.1-5

We believe that the bug you reported is fixed in the latest version of
python-dns, which is due to be installed in the Debian FTP archive:

python-dns_2.3.1-5.diff.gz
  to pool/main/p/python-dns/python-dns_2.3.1-5.diff.gz
python-dns_2.3.1-5.dsc
  to pool/main/p/python-dns/python-dns_2.3.1-5.dsc
python-dns_2.3.1-5_all.deb
  to pool/main/p/python-dns/python-dns_2.3.1-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 490217@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated python-dns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 26 Jul 2008 00:46:56 -0400
Source: python-dns
Binary: python-dns
Architecture: source all
Version: 2.3.1-5
Distribution: unstable
Urgency: high
Maintainer: scott@kitterman.com
Changed-By: Scott Kitterman <scott@kitterman.com>
Description: 
 python-dns - pydns - DNS client module for Python
Closes: 490217
Changes: 
 python-dns (2.3.1-5) unstable; urgency=high
 .
   * Replace debian/patches/tid-random.patch with source-tid-random.patch
     to fully address CVE-2008-1447 (Closes: #490217)
     - Randomize TID (from previous patch - it works for retries too)
     - Add source port randomization to cover all cases
Checksums-Sha1: 
 b02e172598bdc120ccae44b4f6f04de2ac703496 1355 python-dns_2.3.1-5.dsc
 ece79a849c7491d7691fffa08e09254dc1aa106f 7555 python-dns_2.3.1-5.diff.gz
 bcab205863bce3e7b74bd1acd22e1d16d56069ed 27782 python-dns_2.3.1-5_all.deb
Checksums-Sha256: 
 705414a1cda298b28a07225206a62aeff52076a1bec468a84141b4172a8d2d75 1355 python-dns_2.3.1-5.dsc
 4a5764694d3324c5e1a3e381521ab93efa4b5abdb7bc10de99fc9c301c204ba5 7555 python-dns_2.3.1-5.diff.gz
 3a9560b5f90d93d72547713bc644435677938a86280beb8976ee352d1f282e30 27782 python-dns_2.3.1-5_all.deb
Files: 
 3fb5fd1cd88f0e85367ca9df887a7541 1355 python optional python-dns_2.3.1-5.dsc
 bb08d169c6c172849cc740cff376ea08 7555 python optional python-dns_2.3.1-5.diff.gz
 cc7a30be8afef976a5e499680d9d8d30 27782 python optional python-dns_2.3.1-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIirLPHajaM93NaGoRAhMUAJ9qxu/6iPC2+t7IlLGUgLSOTmqEpgCeJfR9
xCBmHYZNX45bBWeM2Qgcpyc=
=KatA
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to Scott Kitterman <scott@kitterman.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #30 received at 490217@bugs.debian.org (full text, mbox):

From: Scott Kitterman <scott@kitterman.com>
To: 490217@bugs.debian.org
Subject: Debdiff for Etch
Date: Sat, 26 Jul 2008 01:53:05 -0400
[Message part 1 (text/plain, inline)]

[etch.debdiff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to Scott Kitterman <scott@kitterman.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #35 received at 490217@bugs.debian.org (full text, mbox):

From: Scott Kitterman <scott@kitterman.com>
To: 490217@bugs.debian.org
Subject: Revised Etch Debdiff
Date: Sat, 26 Jul 2008 21:54:19 -0400
[Message part 1 (text/plain, inline)]

[etch.debdiff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug marked as fixed in version 2.3.0-5.2+etch1. Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Wed, 30 Jul 2008 18:45:06 GMT) Full text and rfc822 format available.

Reply sent to <devin@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joe Malicki <jmalicki@metacarta.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 490217-close@bugs.debian.org (full text, mbox):

From: <devin@debian.org>
To: 490217-close@bugs.debian.org
Subject: Bug#490217: fixed in python-dns 2.3.0-5.2+etch1
Date: Sat, 30 Aug 2008 19:01:21 +0000
Source: python-dns
Source-Version: 2.3.0-5.2+etch1

We believe that the bug you reported is fixed in the latest version of
python-dns, which is due to be installed in the Debian FTP archive:

python-dns_2.3.0-5.2+etch1.diff.gz
  to pool/main/p/python-dns/python-dns_2.3.0-5.2+etch1.diff.gz
python-dns_2.3.0-5.2+etch1.dsc
  to pool/main/p/python-dns/python-dns_2.3.0-5.2+etch1.dsc
python-dns_2.3.0-5.2+etch1_all.deb
  to pool/main/p/python-dns/python-dns_2.3.0-5.2+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 490217@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
devin@debian.org (supplier of updated python-dns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 26 Jul 2008 21:46:00 -0400
Source: python-dns
Binary: python-dns
Architecture: source all
Version: 2.3.0-5.2+etch1
Distribution: stable-security
Urgency: high
Maintainer: Joerg Wendland <joergland@debian.org>
Changed-By: devin@debian.org
Description: 
 python-dns - pydns - DNS client module for Python
Closes: 490217
Changes: 
 python-dns (2.3.0-5.2+etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team; thanks to Scott Kitterman
     for preparing the fix.
   * SECURITY UPDATE: Modify DNS/Base.py to randomize both Transaction ID
     (TID) and source port (Closes: #490217)
     - CVE-2008-1447 DNS source port guessable
Files: 
 c2e7178128b7033952b7795b358dea0b 695 python optional python-dns_2.3.0-5.2+etch1.dsc
 82d377c6a59181072b30b0da4e9835b8 21084 python optional python-dns_2.3.0.orig.tar.gz
 06a021e1cf9836cec4bbe72461bab137 3444 python optional python-dns_2.3.0-5.2+etch1.diff.gz
 b544ce3edb7d2051811ec743a49206a1 22750 python optional python-dns_2.3.0-5.2+etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIjDLtU5XKDemr/NIRAnCtAJ0fWaGiRkk3lGjK6evw7ltgJ56S/wCg0G3a
Q9H1Offuq/rG76fNTrY3bKI=
=NKhg
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Scott Kitterman <scott@kitterman.com>:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Kitterman <scott@kitterman.com>. Full text and rfc822 format available.

Message #47 received at 490217@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 490217@bugs.debian.org
Subject: CVE for python-dns
Date: Tue, 16 Sep 2008 08:44:55 +0200
[Message part 1 (text/plain, inline)]
Hi,

This is CVE-2008-4099; can you please add it to the changelog of 2.3.1-5 
retroactively on your next upload?


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to Scott Kitterman <scott@kitterman.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #52 received at 490217@bugs.debian.org (full text, mbox):

From: Scott Kitterman <scott@kitterman.com>
To: Thijs Kinkhorst <thijs@debian.org>, 490217@bugs.debian.org
Subject: Re: Bug#490217: CVE for python-dns
Date: Tue, 16 Sep 2008 09:45:58 -0400
[Message part 1 (text/plain, inline)]
On Tuesday 16 September 2008 02:44, Thijs Kinkhorst wrote:
> Hi,
>
> This is CVE-2008-4099; can you please add it to the changelog of 2.3.1-5
> retroactively on your next upload?

I don't find that CVE on cve.mitre.org.  Do you have a reference?
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Scott Kitterman <scott@kitterman.com>:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Kitterman <scott@kitterman.com>. Full text and rfc822 format available.

Message #57 received at 490217@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Scott Kitterman" <scott@kitterman.com>
Cc: 490217@bugs.debian.org
Subject: Re: Bug#490217: CVE for python-dns
Date: Tue, 16 Sep 2008 15:55:38 +0200 (CEST)
On Tue, September 16, 2008 15:45, Scott Kitterman wrote:
> On Tuesday 16 September 2008 02:44, Thijs Kinkhorst wrote:
>
>> Hi,
>>
>>
>> This is CVE-2008-4099; can you please add it to the changelog of
>> 2.3.1-5
>> retroactively on your next upload?
>
> I don't find that CVE on cve.mitre.org.  Do you have a reference?

The CVE website details are often filled in a few days after assignment,
be assured this has been directly assigned by Mitre to this issue.


Thijs





Information forwarded to debian-bugs-dist@lists.debian.org, Scott Kitterman <scott@kitterman.com>:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Kitterman <scott@kitterman.com>. Full text and rfc822 format available.

Message #62 received at 490217@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Scott Kitterman <scott@kitterman.com>, 490217@bugs.debian.org
Cc: Thijs Kinkhorst <thijs@debian.org>
Subject: Re: Bug#490217: CVE for python-dns
Date: Tue, 16 Sep 2008 15:56:57 +0200
On Tue, Sep 16, 2008 at 09:45:58 -0400, Scott Kitterman wrote:

> On Tuesday 16 September 2008 02:44, Thijs Kinkhorst wrote:
> > Hi,
> >
> > This is CVE-2008-4099; can you please add it to the changelog of 2.3.1-5
> > retroactively on your next upload?
> 
> I don't find that CVE on cve.mitre.org.  Do you have a reference?

http://www.openwall.com/lists/oss-security/2008/09/16/4

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490217; Package python-dns. Full text and rfc822 format available.

Acknowledgement sent to Scott Kitterman <scott@kitterman.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #67 received at 490217@bugs.debian.org (full text, mbox):

From: Scott Kitterman <scott@kitterman.com>
To: Julien Cristau <jcristau@debian.org>, 490217@bugs.debian.org
Cc: Thijs Kinkhorst <thijs@debian.org>
Subject: Re: Bug#490217: CVE for python-dns
Date: Tue, 16 Sep 2008 10:26:59 -0400
> > > This is CVE-2008-4099; can you please add it to the changelog of
> > > 2.3.1-5 retroactively on your next upload?
> >
> > I don't find that CVE on cve.mitre.org.  Do you have a reference?
>
> http://www.openwall.com/lists/oss-security/2008/09/16/4

Thanks.  Will do.  This is also fixed upstream in 2.3.2/3 if anyone asks.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 24 Oct 2008 07:26:18 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 23:37:40 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.