Debian Bug report logs - #529420
Critical off-by-one error in NSD2

Package: nsd; Maintainer for nsd is Ondřej Surý <ondrej@debian.org>; Source for nsd is src:nsd.

Reported by: Ondřej Surý <ondrej@sury.org>

Date: Tue, 19 May 2009 10:33:02 UTC

Severity: grave

Tags: security

Found in versions nsd/2.3.7-1.1, nsd/2.3.6-1, nsd/2.3.7-2

Fixed in versions nsd/2.3.7-3, nsd/2.3.7-1.1+lenny1, nsd/2.3.6-1+etch1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#529420; Package nsd. (Tue, 19 May 2009 10:33:07 GMT)

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
New Bug report received and forwarded. Copy sent to Ondřej Surý <ondrej@debian.org>. (Tue, 19 May 2009 10:33:23 GMT)

Message #5 received at submit@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Critical off-by-one error in NSD2
Date: Tue, 19 May 2009 11:45:35 +0200
Package: nsd
Version: 2.3.7-1.1
Severity: grave
Tags: security

Dear NSD users and maintainers,

We have released version 3.2.2 of NSD. This is a *critical* bugfix
release. One of the bugs is a one-byte buffer overflow that allows a
carefully crafted exploit to take down your name-server. It is highly
unlikely that the one-byte-off issue can lead to other (system) exploits.

The bug affects all versions of NSD 2.0.0 to 3.2.1. Whether the bug can
be exploited depends on various aspects of the OS and is therefore
distribution and compiler dependent.

For more information:
http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html

We strongly recommend you to update your systems to the latest version.
If you have reasons for not running the latest version of NSD, we
strongly advise you to at least apply the patch that resolves the
critical bug.

The source and patches are available at our website:

       http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.2.tar.gz
       http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.1-vuln.patch
       http://www.nlnetlabs.nl/downloads/nsd/nsd-2.3.7-vuln.patch

SHA1 checksum (source): 23fc0be5d447ea852acd49f64743c96403a091fa
SHA1 checksum (patch 3.2.1): 20cb9fc73fae951a9cc25822c48b17ca1d956119
SHA1 checksum (patch 2.3.7): 94887d212621b458a86ad5b086eec9240477

Note that NSD 2.X is feature frozen and security patches may not be made
available in future events.

We acknowledge and thank Ilja von Sprundel of IOActive for finding and
reporting this bug.

Matthijs Mekking
NLnet Labs

RELNOTES:

BUG FIXES:
- Off-by-one buffer overflow fix while processing the QUESTION section.
- Return BADVERS when NSD does not implement the VERSION level of the
  request, instead of 0x1<FORMERR>.
- Bugfix #234.
- Bugfix #235.
- Reset 'error occurred' after notifying an error occurred at the $TTL
  or $ORIGIN directive (Otherwise, the whole zone is skipped because the
  error is reset after reading the SOA).
- Minor bugfixes.
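
One way to check downloaded files against the SHA1 values in the announcement above, as an added example that is not part of the original message or of NSD. The function names are hypothetical and the local file names are assumed to follow the download URLs; the digest for the 2.3.7 patch appears on this page with fewer than 40 hex characters, so the code refuses to use it rather than matching on a prefix.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Checksum lines copied verbatim from the announcement above.
ANNOUNCED = """\
SHA1 checksum (source): 23fc0be5d447ea852acd49f64743c96403a091fa
SHA1 checksum (patch 3.2.1): 20cb9fc73fae951a9cc25822c48b17ca1d956119
SHA1 checksum (patch 2.3.7): 94887d212621b458a86ad5b086eec9240477
"""
# Assumption: local file names follow the download URLs in the announcement.
FILES = {"source": "nsd-3.2.2.tar.gz", "patch 3.2.1": "nsd-3.2.1-vuln.patch",
         "patch 2.3.7": "nsd-2.3.7-vuln.patch"}

LINE = re.compile(r"^SHA1 checksum \((?P<label>[^)]+)\):\s*(?P<hex>\S+)\s*$")
SHA1_HEX = re.compile(r"[0-9a-f]{40}")


def parse_announced(text):
    """Return ({label: digest}, [labels whose digest is not 40 hex chars])."""
    good, malformed = {}, []
    for m in filter(None, map(LINE.match, text.splitlines())):
        digest = m["hex"].lower()
        if SHA1_HEX.fullmatch(digest):
            good[m["label"]] = digest
        else:
            malformed.append(m["label"])
    return good, malformed


def sha1_file(path, chunk=1 << 16):
    """Hash a file in chunks so large tarballs are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, label, announced):
    """True only if the label has a well-formed digest and the file matches."""
    expected = announced.get(label)
    if expected is None:
        return False  # missing or malformed digest: fail closed, no prefix match
    return hmac.compare_digest(sha1_file(path), expected)


if __name__ == "__main__":
    good, malformed = parse_announced(ANNOUNCED)
    for label, name in FILES.items():
        if label in malformed:
            print(f"{name}: published digest is incomplete, cannot verify")
        elif Path(name).exists():
            print(name, "OK" if verify(name, label, good) else "MISMATCH")
```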




Bug marked as found in version 2.3.6-1. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Tue, 19 May 2009 11:42:10 GMT)

Bug marked as found in version 2.3.7-1.1. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Tue, 19 May 2009 11:42:11 GMT)

Bug marked as found in version 2.3.7-2. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Tue, 19 May 2009 11:42:13 GMT)

Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Tue, 19 May 2009 11:48:47 GMT)

Notification sent to Ondřej Surý <ondrej@sury.org>:
Bug acknowledged by developer. (Tue, 19 May 2009 11:48:47 GMT)

Message #16 received at 529420-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 529420-close@bugs.debian.org
Subject: Bug#529420: fixed in nsd 2.3.7-3
Date: Tue, 19 May 2009 11:17:10 +0000
Source: nsd
Source-Version: 2.3.7-3

We believe that the bug you reported is fixed in the latest version of
nsd, which is due to be installed in the Debian FTP archive:

nsd_2.3.7-3.diff.gz
  to pool/main/n/nsd/nsd_2.3.7-3.diff.gz
nsd_2.3.7-3.dsc
  to pool/main/n/nsd/nsd_2.3.7-3.dsc
nsd_2.3.7-3_amd64.deb
  to pool/main/n/nsd/nsd_2.3.7-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 529420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated nsd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 19 May 2009 11:37:44 +0200
Source: nsd
Binary: nsd
Architecture: source amd64
Version: 2.3.7-3
Distribution: unstable
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
 nsd        - authoritative name domain server
Closes: 529420
Changes:
 nsd (2.3.7-3) unstable; urgency=high
 .
   * Fix off-by-one error (Closes: #529420)
     - debian/patches/nsd-2.3.7-vuln.patch





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Mon, 08 Jun 2009 02:06:03 GMT)

Notification sent to Ondřej Surý <ondrej@sury.org>:
Bug acknowledged by developer. (Mon, 08 Jun 2009 02:06:03 GMT)

Message #21 received at 529420-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 529420-close@bugs.debian.org
Subject: Bug#529420: fixed in nsd 2.3.7-1.1+lenny1
Date: Mon, 08 Jun 2009 01:54:16 +0000
Source: nsd
Source-Version: 2.3.7-1.1+lenny1

We believe that the bug you reported is fixed in the latest version of
nsd, which is due to be installed in the Debian FTP archive:

nsd_2.3.7-1.1+lenny1.diff.gz
  to pool/main/n/nsd/nsd_2.3.7-1.1+lenny1.diff.gz
nsd_2.3.7-1.1+lenny1.dsc
  to pool/main/n/nsd/nsd_2.3.7-1.1+lenny1.dsc
nsd_2.3.7-1.1+lenny1_i386.deb
  to pool/main/n/nsd/nsd_2.3.7-1.1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 529420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated nsd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 19 May 2009 16:21:36 +0200
Source: nsd
Binary: nsd
Architecture: source i386
Version: 2.3.7-1.1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 nsd        - authoritative name domain server
Closes: 529420
Changes:
 nsd (2.3.7-1.1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix off-by-one error allowing a DoS (VU#710316, closes: #529420).





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 27 Jun 2009 16:39:14 GMT)

Notification sent to Ondřej Surý <ondrej@sury.org>:
Bug acknowledged by developer. (Sat, 27 Jun 2009 16:39:14 GMT)

Message #26 received at 529420-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 529420-close@bugs.debian.org
Subject: Bug#529420: fixed in nsd 2.3.7-1.1+lenny1
Date: Sat, 27 Jun 2009 16:04:41 +0000
Source: nsd
Source-Version: 2.3.7-1.1+lenny1

We believe that the bug you reported is fixed in the latest version of
nsd, which is due to be installed in the Debian FTP archive:

nsd_2.3.7-1.1+lenny1.diff.gz
  to pool/main/n/nsd/nsd_2.3.7-1.1+lenny1.diff.gz
nsd_2.3.7-1.1+lenny1.dsc
  to pool/main/n/nsd/nsd_2.3.7-1.1+lenny1.dsc
nsd_2.3.7-1.1+lenny1_i386.deb
  to pool/main/n/nsd/nsd_2.3.7-1.1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 529420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated nsd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 19 May 2009 16:21:36 +0200
Source: nsd
Binary: nsd
Architecture: source i386
Version: 2.3.7-1.1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 nsd        - authoritative name domain server
Closes: 529420
Changes:
 nsd (2.3.7-1.1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix off-by-one error allowing a DoS (VU#710316, closes: #529420).





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Fri, 03 Jul 2009 20:36:21 GMT)

Notification sent to Ondřej Surý <ondrej@sury.org>:
Bug acknowledged by developer. (Fri, 03 Jul 2009 20:36:21 GMT)

Message #31 received at 529420-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 529420-close@bugs.debian.org
Subject: Bug#529420: fixed in nsd 2.3.6-1+etch1
Date: Fri, 03 Jul 2009 19:54:36 +0000
Source: nsd
Source-Version: 2.3.6-1+etch1

We believe that the bug you reported is fixed in the latest version of
nsd, which is due to be installed in the Debian FTP archive:

nsd_2.3.6-1+etch1.diff.gz
  to pool/main/n/nsd/nsd_2.3.6-1+etch1.diff.gz
nsd_2.3.6-1+etch1.dsc
  to pool/main/n/nsd/nsd_2.3.6-1+etch1.dsc
nsd_2.3.6-1+etch1_i386.deb
  to pool/main/n/nsd/nsd_2.3.6-1+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 529420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated nsd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 19 May 2009 16:28:31 +0200
Source: nsd
Binary: nsd
Architecture: source i386
Version: 2.3.6-1+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 nsd        - authoritative name domain server
Closes: 529420
Changes:
 nsd (2.3.6-1+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix off-by-one error allowing a DoS (VU#710316, closes: #529420).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Aug 2009 07:41:06 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 09:26:13 2014; Machine Name: beach.debian.org