
Bug#151804: marked as done (libc6: libbind security hole)



Your message dated Wed, 21 Aug 2002 17:51:57 +0900
with message-id <80ptwca91u.wl@oris.opensource.jp>
and subject line libc6: libbind security hole
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 3 Jul 2002 14:27:06 +0000
>From Weimer@cert.uni-stuttgart.de Wed Jul 03 09:27:06 2002
Return-path: <Weimer@cert.uni-stuttgart.de>
Received: from mail.cert.uni-stuttgart.de [129.69.16.17] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17Pl62-0003l6-00; Wed, 03 Jul 2002 09:27:06 -0500
Received: from rusfw by Mail.CERT.Uni-Stuttgart.DE with local (Exim 4.04)
	id 17Pl4T-0007GP-00; Wed, 03 Jul 2002 16:25:29 +0200
Subject: libc6: libbind security hole
From: "Florian Weimer" <Weimer@CERT.Uni-Stuttgart.DE>
To: "Debian Bug Tracking System" <submit@bugs.debian.org>
X-Mailer: reportbug 1.99.40
Date: Wed, 03 Jul 2002 16:25:29 +0200
Message-Id: <E17Pl4T-0007GP-00@Mail.CERT.Uni-Stuttgart.DE>
Delivered-To: submit@bugs.debian.org

Package: libc6
Version: 2.2.5-7
Severity: critical
Tags: security patch
Justification: root security hole

Andreas Schwab discovered the following glitch in the resolver code.
It is different from the libbind bugs described in this round: the
length of the remaining buffer is not updated at all.

I've looked at the other occurrences of dn_expand and __ns_name_unpack,
and this appears to be the whole story, but better check it yourself.  Thanks
to Olaf Kirch, one of the bugs other vendors are fighting with has
already been fixed in GNU libc 2.3.1, see Ulrich Drepper's statement at
http://www.kb.cert.org/vuls/id/AAMN-5BMSW2 .

From: Andreas Schwab <schwab@suse.de>
Subject: Re: PINE-CERT libbind issue
To: libc-alpha@sources.redhat.com
Date: Tue, 02 Jul 2002 11:25:22 +0200

Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> writes:

|> Is someone already checking if this affects the code in libc/resolv?

The following patch is needed in libnss_dns:

2002-07-02  Andreas Schwab  <schwab@suse.de>

	* resolv/nss_dns/dns-network.c (getanswer_r): Reduce linebuflen
	in parallel to bumping up the buffer pointer.

--- resolv/nss_dns/dns-network.c.~1.10.~	2001-07-16 10:43:47.000000000 +0200
+++ resolv/nss_dns/dns-network.c	2002-06-27 13:35:41.000000000 +0200
@@ -328,7 +328,9 @@ getanswer_r (const querybuf *answer, int
 	    }
 	  cp += n;
 	  *alias_pointer++ = bp;
-	  bp += strlen (bp) + 1;
+	  n = strlen (bp) + 1;
+	  bp += n;
+	  linebuflen -= n;
 	  result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
 	  ++have_answer;
 	}
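
Review bot: `linebuflen -= n` in the added lines has no visible guard that `n` is not larger than `linebuflen`, and `n` is reused immediately after `cp += n` for a different quantity (the length of the string stored at `bp` rather than the amount added to `cp`). The subtraction is safe only if whatever wrote the string at `bp` was itself bounded by `linebuflen`, and that call is outside this hunk; a short comment stating the invariant, or an explicit check before the subtraction, would make it reviewable here. A separate local for `strlen (bp) + 1` would keep the two meanings of `n` apart. The ChangeLog entry names only this one spot in `getanswer_r`, so it is worth confirming that every other place in the function that advances `bp` applies the same decrement.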

Andreas.

-- 
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux AG, Deutschherrnstr. 15-19, D-90429 Nürnberg
Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."



-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux CERT 2.4.14-xfs #1 SMP Fri Nov 23 21:34:33 CET 2001 i686
Locale: LANG=C, LC_CTYPE=en_US

-- no debconf information
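
The bookkeeping rule behind this report (advance the write pointer and reduce the remaining length in the same step), as an added example that is not part of the original messages or of glibc. `struct cursor`, `cursor_put` and `store_aliases` are hypothetical names, the sample names are constructed, and a plain `memcpy` stands in for the resolver's name expansion.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical write cursor: couples the buffer pointer with the space
   left behind it, so the two values cannot drift apart. */
struct cursor {
    char  *bp;    /* next free byte */
    size_t left;  /* bytes still available at bp */
};

/* Copy one NUL-terminated name (memcpy stands in for name expansion).
   Returns the stored copy, or NULL if it does not fit. */
static char *cursor_put(struct cursor *c, const char *name)
{
    size_t n = strlen(name) + 1;   /* include the terminator */
    if (n > c->left)
        return NULL;               /* refuse instead of overflowing */
    char *stored = c->bp;
    memcpy(stored, name, n);
    c->bp   += n;                  /* advance the pointer ...          */
    c->left -= n;                  /* ... and shrink the length with it */
    return stored;
}

/* Store names until one no longer fits; returns how many were stored. */
static size_t store_aliases(char *buf, size_t buflen,
                            const char *const *names, size_t count,
                            char **aliases, size_t *left_out)
{
    struct cursor c = { buf, buflen };
    size_t stored = 0;
    for (size_t i = 0; i < count; i++) {
        char *p = cursor_put(&c, names[i]);
        if (p == NULL)
            break;                 /* out of space: stop cleanly */
        aliases[stored++] = p;
    }
    *left_out = c.left;
    return stored;
}

int main(void)
{
    const char *const names[] = { "net-a", "net-b", "net-c" }; /* constructed */
    char buf[16], *aliases[3];
    size_t left;
    size_t n = store_aliases(buf, sizeof buf, names, 3, aliases, &left);
    printf("stored %zu names, %zu bytes left\n", n, left);
    return 0;
}
```

If the `c->left -= n` line were dropped, every later bound check would still compare against the full 16 bytes and the third name would be written past the end of `buf`.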


---------------------------------------
Received: (at 151804-done) by bugs.debian.org; 21 Aug 2002 08:52:03 +0000
>From gotom@debian.or.jp Wed Aug 21 03:52:03 2002
Return-path: <gotom@debian.or.jp>
Received: from oris.opensource.jp (oris.opensource.gr.jp) [218.44.239.73] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17hRDa-0006ID-00; Wed, 21 Aug 2002 03:51:59 -0500
Received: from oris.opensource.jp (oris.opensource.jp [218.44.239.73])
	by oris.opensource.gr.jp (Postfix) with ESMTP id 6E6C4C3495
	for <151804-done@bugs.debian.org>; Wed, 21 Aug 2002 17:51:57 +0900 (JST)
Date: Wed, 21 Aug 2002 17:51:57 +0900
Message-ID: <80ptwca91u.wl@oris.opensource.jp>
From: GOTO Masanori <gotom@debian.org>
To: 151804-done@bugs.debian.org
Subject: libc6: libbind security hole
User-Agent: Wanderlust/2.9.9 (Unchained Melody) SEMI/1.14.3 (Ushinoya)
 FLIM/1.14.3 (=?ISO-8859-4?Q?Unebigory=F2mae?=) APEL/10.3 Emacs/21.2
 (i386-debian-linux-gnu) MULE/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.3 - "Ushinoya")
Content-Type: text/plain; charset=US-ASCII
Delivered-To: 151804-done@bugs.debian.org

> Package: libc6
> Version: 2.2.5-12
> Followup-For: Bug #151804
> 
> It appears this bug was fixed in libc6-2.2.5-8.  Should it be closed?

Yes. Close this bug.

-- gotom


