Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Florian Weimer wrote:
> * brian m. carlson:
>> The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
>> 1605. Since the vast majority of network-using programs use glibc as a
>> resolver, this vulnerability affects virtually any network-using
>> program, hence the severity. libc6 should not be released without a fix
>> for this problem.
>> The vulnerability has been exposed:
> I fail to see how this attack has a chance to work against non-caching
> stub resolvers like the GNU libc resolver.
> However, we're working on a solution.
As already said previously in this bug log, I don't think there is
anything to do for the glibc resolver. The glibc stub resolver uses an
unspecified UDP port, so it is eventually chosen by the kernel. As a
consequence this has to be handled in the kernel, and is already fixed
in kernel >= 2.6.24.
tcpdump shows that using a >= 2.6.24 kernel (lenny kernel), the ports are
correctly randomized. With a 2.6.18 kernel (etch kernel), the ports
*are* not randomized.
IMHO, the UDP randomization commit has to be backported to the etch
kernel. The advantage of this solution is that it potentially fixes
other bugs/vulnerabilities in other protocols/programs using UDP.
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' firstname.lastname@example.org | email@example.com
`- people.debian.org/~aurel32 | www.aurel32.net
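The observation above (ports chosen by the kernel for an unbound UDP socket, sequential on one kernel and randomized on another) can be checked from userland without tcpdump or root. The script below is an added example written for this page; it is not part of the bug report, of glibc or of the Debian kernel. It opens UDP sockets with port 0, exactly the situation of a stub resolver that leaves the source port unspecified, records the port the kernel assigned to each, and scores how often one allocation is the previous one plus one. It assumes Linux for the ephemeral range sysctl (`/proc/sys/net/ipv4/ip_local_port_range`, with a fallback elsewhere); the two reference samples are constructed, not captured from a real 2.6.18 or 2.6.24 kernel, and the verdict is a heuristic that flags an obvious counter, not a proof that the ports are unpredictable.

```python
"""Check whether the kernel randomizes the source port it assigns to an
unbound UDP socket, which is what a stub resolver like glibc's relies on.

Added example for this page, not code from the bug report or from glibc.
Assumes Linux for the ephemeral range sysctl; falls back to 1024-65535.
"""
import random
import socket
from typing import List, Tuple


def local_port_range() -> Tuple[int, int]:
    """Ephemeral range the kernel allocates from (Linux sysctl), with a
    conservative fallback on systems that do not expose it."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except (OSError, ValueError):
        return 1024, 65535


def sample_ephemeral_udp_ports(n: int = 200) -> List[int]:
    """Bind n UDP sockets to port 0 (source port left to the kernel, as
    the glibc stub resolver does) and record the port each one got.
    All sockets stay open until the sampling is done so that no port is
    handed out twice and the allocation order is visible."""
    socks: List[socket.socket] = []
    ports: List[int] = []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind(("127.0.0.1", 0))
            ports.append(s.getsockname()[1])
            socks.append(s)
    finally:
        for s in socks:
            s.close()
    return ports


def sequential_fraction(ports: List[int]) -> float:
    """Fraction of successive allocations that are exactly the previous
    port plus one. A counter-based allocator scores close to 1.0; a
    randomized allocator scores close to 0.0."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def looks_randomized(ports: List[int], threshold: float = 0.2) -> bool:
    """Heuristic verdict: True unless a clear +1 pattern is present."""
    return sequential_fraction(ports) < threshold


# Constructed reference samples (NOT captured from a real kernel): what a
# counter-based allocator and a randomized allocator would look like over
# 200 allocations in a 32768-60999 ephemeral range.
SEQUENTIAL_SAMPLE = list(range(32768, 32768 + 200))
RANDOM_SAMPLE = random.Random(1447).sample(range(32768, 61000), 200)


if __name__ == "__main__":
    sampled = sample_ephemeral_udp_ports()
    print("ephemeral range:", local_port_range())
    print("first ports assigned:", sampled[:10])
    print("sequential fraction: %.3f" % sequential_fraction(sampled))
    print("randomized:", looks_randomized(sampled))
    print("reference, counter allocator: %.3f"
          % sequential_fraction(SEQUENTIAL_SAMPLE))
    print("reference, random allocator:  %.3f"
          % sequential_fraction(RANDOM_SAMPLE))
```

Run it on the machine under test; a kernel that still hands out ports one after the other prints a sequential fraction near 1.0 and "randomized: False". Because every sampled socket is still open when the next one is created, the script shows the allocator's own ordering rather than a port being reused after close. A low fraction only means the allocator is not a plain counter; it says nothing about the quality of the kernel's random source, and the sampled range is what the kernel reports, not what a remote attacker would have to cover if the host sits behind a NAT that rewrites source ports.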