
Bug#491809: marked as done (libc6: DNS spoofing vulnerability [CVE-2008-1447])



Your message dated Wed, 23 Jul 2008 16:26:49 +0200
with message-id <20080723142649.GD20614@artemis.madism.org>
and subject line Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
has caused the Debian Bug report #491809,
regarding libc6: DNS spoofing vulnerability [CVE-2008-1447]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
491809: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491809
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libc6
Version: 2.7-12
Severity: critical
Tags: security

The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
1605.  Since the vast majority of network-using programs use glibc as a
resolver, this vulnerability affects virtually any network-using
program, hence the severity.  libc6 should not be released without a fix
for this problem.

The vulnerability has been exposed:

http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008

If Slashdot knows it, so does everyone else.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libgcc1                       1:4.3.1-6  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
pn  glibc-doc                     <none>     (no description available)
ii  locales-all [locales]         2.7-12     GNU C Library: Precompiled locale
-- debconf information:
  glibc/upgrade: true
  glibc/restart-failed:
  glibc/restart-services:

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187



--- End Message ---
--- Begin Message ---
On Tue, Jul 22, 2008 at 04:02:13PM +0000, Pierre Habouzit wrote:
> On Tue, Jul 22, 2008 at 03:24:06PM +0000, Florian Weimer wrote:
> > * Aurelien Jarno:
> > 
> > >> Currently, there is no suitable patch to backport.  I hope that improved
> > >> port randomization will be available shortly.
> > >
> > > You mean a patch for the kernel?
> > 
> > Yes, one for the kernel, and one for the transaction ID generation in
> > the libc resolver, too.
> > 
> > (Oh, and "shortly" == "next week or so".)
> 
>   Assuming the TID generator for the glibc is "good enough" and that the
> flaw is the one described in [0], then the glibc code (even nscd) isn't
> vulnerable, because it doesn't cache or even look at the additional
> records.
> 
>   The problems with QID randomization are quite orthogonal, and it's a
> problem known for 20 years now (using last QID+1 isn't really an option
> ;p). Having a better random number generator will probably help, but
> doesn't quite require such a severity (as there is already randomization
> of the QIDs, maybe not a perfect one).
> 
>   So unless you have further not yet disclosed information, I'd
> suggest reconsidering the DSA.

  Kaminsky agrees and confirms the issue, so I can say for sure that the
glibc isn't vulnerable to the attack he describes, as it needs a
resolver that caches additional RRs, which the glibc doesn't do.

  As for attacks that would use a non-randomized source port, this is
addressed by recent kernels, hence is fixed enough. Note that such
answers are only cached when nscd host caching is in use, and it's off
by default in Debian's nscd default setup.

  I'm hence closing the bug.

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org



--- End Message ---
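The thread above turns on three properties of a stub resolver: a reply is accepted only if it arrives on the query's source port with the query's 16-bit transaction ID and question, the records handed to the application come from the answer section, and the additional section (where Kaminsky-style poisoning plants forged glue) is neither stored nor consulted. The following Python is an added example, not code from the bug report, Debian or glibc: it models those checks on constructed DNS packets (all names, addresses, ports and the function names `stub_resolve` and `spoof_probability` are assumptions made for the illustration), and computes how much harder blind forgery becomes once source-port entropy is added to the TXID, which is the kernel-side fix the reply refers to.

```python
"""Stub-resolver reply matching and the effect of source-port randomization.

Added example; not part of the bug report, Debian or glibc. Packets are
built in-process, so nothing here touches the network.
"""
import struct

A, IN = 1, 1          # record type A, class IN


def _name_bytes(name):
    # "www.example.com" -> b"\x03www\x07example\x03com\x00"
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(msg, pos):
    """Read a possibly compressed name; return (lowercased name, position after it)."""
    labels, end = [], None
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels).lower(), (end if end is not None else pos)


def build_query(txid, qname, qtype=A):
    """Header (RD set) plus one question; no other sections."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + _name_bytes(qname) + struct.pack("!HH", qtype, IN))


def build_reply(txid, qname, answers, additional=(), qtype=A):
    """answers/additional: sequences of (owner, dotted-quad). Only A records are modelled."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    msg += _name_bytes(qname) + struct.pack("!HH", qtype, IN)
    for owner, ip in list(answers) + list(additional):
        rdata = bytes(int(o) for o in ip.split("."))
        msg += _name_bytes(owner) + struct.pack("!HHIH", A, IN, 300, len(rdata)) + rdata
    return msg


def parse(msg):
    """Decode header, question and the A records of each section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, pos = _read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, pos = _read_name(msg, pos)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            rdata = msg[pos:pos + rdlen]
            pos += rdlen
            if rtype == A and rdlen == 4:
                sections[section].append((owner, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "question": (qname, qtype, qclass), **sections}


def stub_resolve(query, query_port, reply, reply_port):
    """A records a stub resolver hands to the application, or None if the reply is dropped.

    Port, TXID and question must all match; only the answer section is read,
    so a forged record in the additional section is never stored or returned.
    """
    q, r = parse(query), parse(reply)
    if reply_port != query_port or r["txid"] != q["txid"] or r["question"] != q["question"]:
        return None
    qname = q["question"][0]
    return [ip for owner, ip in r["answer"] if owner == qname]


def spoof_probability(forged_replies, port_entropy_bits=0):
    """Chance that at least one of N blind forgeries matches one outstanding query.

    Each forgery guesses the 16-bit TXID plus port_entropy_bits of source port.
    """
    space = 1 << (16 + port_entropy_bits)
    return 1 - (1 - 1 / space) ** forged_replies


# Constructed traffic (assumed values): one query, a legitimate reply, a forged
# reply carrying poisoned "glue" in the additional section, and a bad-TXID forgery.
QUERY_PORT = 33187
QUERY = build_query(0x1234, "www.example.com")
GOOD = build_reply(0x1234, "www.example.com", [("www.example.com", "192.0.2.10")])
POISON = build_reply(0x1234, "www.example.com", [("www.example.com", "192.0.2.10")],
                     additional=[("ns.example.com", "203.0.113.7")])
WRONG_TXID = build_reply(0x4321, "www.example.com", [("www.example.com", "203.0.113.7")])

if __name__ == "__main__":
    print("legit   :", stub_resolve(QUERY, QUERY_PORT, GOOD, QUERY_PORT))
    print("poison  :", stub_resolve(QUERY, QUERY_PORT, POISON, QUERY_PORT),
          "(additional section seen but ignored:", parse(POISON)["additional"], ")")
    print("bad txid:", stub_resolve(QUERY, QUERY_PORT, WRONG_TXID, QUERY_PORT))
    print("bad port:", stub_resolve(QUERY, QUERY_PORT, GOOD, QUERY_PORT + 1))
    print("P(hit | 65536 forgeries, fixed port) = %.3f" % spoof_probability(65536))
    print("P(hit | 65536 forgeries, 16 port bits) = %.2e" % spoof_probability(65536, 16))
```

The poisoned reply is accepted only because its TXID and port were guessed correctly, and even then the forged `ns.example.com` address in the additional section goes nowhere: a stub resolver without a cache has no place to put it, which is the point the reply makes about glibc and about nscd with host caching off. The probability function shows why the kernel-side fix matters for the remaining blind-forgery window: with a fixed source port, 65536 forged packets give roughly a 63% chance of a hit against a single query, while 16 bits of port entropy push the same flood to about 1.5e-5.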
