Debian Bug report logs - #529418
Critical off-by-one error in NSD3


Package: nsd3; Maintainer for nsd3 is Ondřej Surý <ondrej@debian.org>; Source for nsd3 is src:nsd.

Reported by: Ondřej Surý <ondrej@sury.org>

Date: Tue, 19 May 2009 10:00:02 UTC

Severity: grave

Tags: security

Found in versions nsd3/3.0.7-3.lenny1, nsd3/3.2.1-1

Fixed in versions nsd3/3.2.2-1, nsd3/3.0.7-3.lenny2

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#529418; Package nsd3. (Tue, 19 May 2009 10:00:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
New Bug report received and forwarded. Copy sent to Pierre Habouzit <madcoder@debian.org>. (Tue, 19 May 2009 10:00:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@sury.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Critical off-by-one error in NSD3
Date: Tue, 19 May 2009 11:46:50 +0200
Package: nsd3
Version: 3.0.7-3.lenny1
Severity: grave
Tags: security

Dear NSD users and maintainers,

We have released version 3.2.2 of NSD. This is a *critical* bugfix
release. One of the bugs is a one-byte buffer overflow that allows a
carefully crafted exploit to take down your name-server. It is highly
unlikely that the one-byte-off issue can lead to other (system) exploits.

The bug affects all versions of NSD 2.0.0 to 3.2.1. Whether the bug can
be exploited depends on various aspects of the OS and is therefore
distribution and compiler dependent.

For more information:
http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html

We strongly recommend you to update your systems to the latest version.
If you have reasons for not running the latest version of NSD, we
strongly advise you to at least apply the patch that resolves the
critical bug.

The source and patches are available at our website:

      http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.2.tar.gz
      http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.1-vuln.patch
      http://www.nlnetlabs.nl/downloads/nsd/nsd-2.3.7-vuln.patch

SHA1 checksum (source): 23fc0be5d447ea852acd49f64743c96403a091fa
SHA1 checksum (patch 3.2.1): 20cb9fc73fae951a9cc25822c48b17ca1d956119
SHA1 checksum (patch 2.3.7): 94887d212621b458a86ad5b086eec9240477

Note that NSD 2.X is feature frozen and security patches may not be made
available in future events.

We acknowledge and thank Ilja von Sprundel of IOActive for finding and
reporting this bug.

Matthijs Mekking
NLnet Labs

RELNOTES:

BUG FIXES:
- Off-by-one buffer overflow fix while processing the QUESTION section.
- Return BADVERS when NSD does not implement the VERSION level of the
  request, instead of 0x1<FORMERR>.
- Bugfix #234.
- Bugfix #235.
- Reset 'error occurred' after notifying an error occurred at the $TTL
  or $ORIGIN directive (Otherwise, the whole zone is skipped because the
  error is reset after reading the SOA).
- Minor bugfixes.


-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/
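
The class of bug named in the release notes above (an off-by-one while copying the QUESTION section's name into a fixed buffer), shown as a bounds-checked reader. This is an added example, not NSD's code and not the upstream patch; read_qname, qname_result and the sample names are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAXDOMAINLEN 255 /* RFC 1035 limit on a wire-format name, root label included */
#define MAXLABELLEN 63

/* Copy the QNAME at pkt[off] into dst (MAXDOMAINLEN bytes). Returns the wire
 * length of the name, or -1 if it is malformed, truncated or too long. */
int read_qname(const uint8_t *pkt, size_t pktlen, size_t off, uint8_t *dst)
{
    size_t used = 0;
    for (;;) {
        if (off >= pktlen)
            return -1; /* length octet missing */
        uint8_t len = pkt[off++];
        if (len > MAXLABELLEN)
            return -1; /* compression pointer or reserved label type */
        /* Count the length octet too: budgeting only len bytes overruns dst by one. */
        if ((size_t)len + 1 > MAXDOMAINLEN - used)
            return -1;
        if (len > pktlen - off)
            return -1; /* label runs past the end of the packet */
        dst[used++] = len;
        if (len == 0)
            return (int)used; /* root label ends the name */
        memcpy(dst + used, pkt + off, len);
        used += len;
        off += len;
    }
}

/* Constructed input: build a name from n label lengths and parse it. */
int qname_result(const uint8_t *lens, size_t n)
{
    uint8_t pkt[512] = {0}, dst[MAXDOMAINLEN];
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        pkt[pos++] = lens[i];
        memset(pkt + pos, 'a', lens[i]);
        pos += lens[i];
    }
    return read_qname(pkt, pos + 1, 0, dst); /* +1 for the zeroed root label */
}

int main(void)
{
    printf("255-octet name: %d\n", qname_result((const uint8_t[]){63, 63, 63, 61}, 4));
    printf("256-octet name: %d\n", qname_result((const uint8_t[]){63, 63, 63, 62}, 4));
}
```

The two names in main differ by one octet and sit on either side of the limit, which is the boundary a regression test for this kind of fix should pin down.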




Bug marked as found in version 3.2.1-1. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Tue, 19 May 2009 11:42:13 GMT) Full text and rfc822 format available.

Bug marked as found in version 3.0.7-3.lenny1. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Tue, 19 May 2009 11:42:14 GMT) Full text and rfc822 format available.

Reply sent to Pierre Habouzit <madcoder@debian.org>:
You have taken responsibility. (Sat, 30 May 2009 12:15:25 GMT) Full text and rfc822 format available.

Notification sent to Ondřej Surý <ondrej@sury.org>:
Bug acknowledged by developer. (Sat, 30 May 2009 12:15:25 GMT) Full text and rfc822 format available.

Message #14 received at 529418-close@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: 529418-close@bugs.debian.org
Subject: Bug#529418: fixed in nsd3 3.2.2-1
Date: Sat, 30 May 2009 11:52:55 +0000
Source: nsd3
Source-Version: 3.2.2-1

We believe that the bug you reported is fixed in the latest version of
nsd3, which is due to be installed in the Debian FTP archive:

nsd3_3.2.2-1.diff.gz
  to pool/main/n/nsd3/nsd3_3.2.2-1.diff.gz
nsd3_3.2.2-1.dsc
  to pool/main/n/nsd3/nsd3_3.2.2-1.dsc
nsd3_3.2.2-1_amd64.deb
  to pool/main/n/nsd3/nsd3_3.2.2-1_amd64.deb
nsd3_3.2.2.orig.tar.gz
  to pool/main/n/nsd3/nsd3_3.2.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 529418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <madcoder@debian.org> (supplier of updated nsd3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 30 May 2009 11:47:17 +0200
Source: nsd3
Binary: nsd3
Architecture: source amd64
Version: 3.2.2-1
Distribution: unstable
Urgency: low
Maintainer: Pierre Habouzit <madcoder@debian.org>
Changed-By: Pierre Habouzit <madcoder@debian.org>
Description: 
 nsd3       - authoritative domain name server (3.x series)
Closes: 529418 530152
Changes: 
 nsd3 (3.2.2-1) unstable; urgency=low
 .
   * New upstream release (Closes: #529418).
   * Fix bashism in nsdc.sh (Closes: #530152).
   * Add 0005-Force-dbdir-to-be-var-lib-nsd3-by-patching-configure.patch
     to fix the use of /var/db.





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Thu, 11 Jun 2009 08:06:10 GMT) Full text and rfc822 format available.

Notification sent to Ondřej Surý <ondrej@sury.org>:
Bug acknowledged by developer. (Thu, 11 Jun 2009 08:06:10 GMT) Full text and rfc822 format available.

Message #19 received at 529418-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 529418-close@bugs.debian.org
Subject: Bug#529418: fixed in nsd3 3.0.7-3.lenny2
Date: Thu, 11 Jun 2009 07:54:01 +0000
Source: nsd3
Source-Version: 3.0.7-3.lenny2

We believe that the bug you reported is fixed in the latest version of
nsd3, which is due to be installed in the Debian FTP archive:

nsd3_3.0.7-3.lenny2.diff.gz
  to pool/main/n/nsd3/nsd3_3.0.7-3.lenny2.diff.gz
nsd3_3.0.7-3.lenny2.dsc
  to pool/main/n/nsd3/nsd3_3.0.7-3.lenny2.dsc
nsd3_3.0.7-3.lenny2_i386.deb
  to pool/main/n/nsd3/nsd3_3.0.7-3.lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 529418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated nsd3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 19 May 2009 16:11:11 +0200
Source: nsd3
Binary: nsd3
Architecture: source i386
Version: 3.0.7-3.lenny2
Distribution: stable-security
Urgency: high
Maintainer: Pierre Habouzit <madcoder@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 nsd3       - authoritative domain name server (3.x series)
Closes: 529418
Changes: 
 nsd3 (3.0.7-3.lenny2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix off-by-one error allowing a DoS (VU#710316, closes: #529418).





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 27 Jun 2009 16:51:08 GMT) Full text and rfc822 format available.

Notification sent to Ondřej Surý <ondrej@sury.org>:
Bug acknowledged by developer. (Sat, 27 Jun 2009 16:51:08 GMT) Full text and rfc822 format available.

Message #24 received at 529418-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 529418-close@bugs.debian.org
Subject: Bug#529418: fixed in nsd3 3.0.7-3.lenny2
Date: Sat, 27 Jun 2009 16:04:42 +0000
Source: nsd3
Source-Version: 3.0.7-3.lenny2

We believe that the bug you reported is fixed in the latest version of
nsd3, which is due to be installed in the Debian FTP archive:

nsd3_3.0.7-3.lenny2.diff.gz
  to pool/main/n/nsd3/nsd3_3.0.7-3.lenny2.diff.gz
nsd3_3.0.7-3.lenny2.dsc
  to pool/main/n/nsd3/nsd3_3.0.7-3.lenny2.dsc
nsd3_3.0.7-3.lenny2_i386.deb
  to pool/main/n/nsd3/nsd3_3.0.7-3.lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 529418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated nsd3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 19 May 2009 16:11:11 +0200
Source: nsd3
Binary: nsd3
Architecture: source i386
Version: 3.0.7-3.lenny2
Distribution: stable-security
Urgency: high
Maintainer: Pierre Habouzit <madcoder@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 nsd3       - authoritative domain name server (3.x series)
Closes: 529418
Changes: 
 nsd3 (3.0.7-3.lenny2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix off-by-one error allowing a DoS (VU#710316, closes: #529418).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jul 2009 07:29:42 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:41:37 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.