
Bug#80888: bug #80888: dnrd: Multiple buffer overflows

Sorry for the crosspost, but I wanted to include everyone potentially
interested in this bug.

The home page for dnrd [1] seems to indicate that it is intended for use
for a single computer or an internal network. The typical user will likely
only want to allow input to dnrd from trusted sources [2].

This bug may be worked around (and therefore downgraded) by having a
configuration to warn the user that they must trust the DNS servers
(wherever this is configured), and must trust the users. To allow the
latter to be effective, configuration of who is allowed to query dnrd is
needed too (default none allowed? configure allowed users through an inetd

This package however seems to be orphaned [3] and has another RC bug [4],
so it may be worth removing this package [5]. Aj suggested [6] that if the
bugs are left as RC (not downgraded/fixed) then the package should be
removed or at least put in experimental.

Rats [7], splint [8], flawfinder [9] or other tools may be useful in
finding the buffer overflows. If upstream wants I can give them the output
from a few of these audit tools to use as a starting point to *fix* these

[1] http://users.zoominternet.net/~garsh/dnrd/
[2] ISP DNS's, local users, local network users, but they might not always
be trusted.
[3] http://packages.qa.debian.org/d/dnrd/news/1.html lists the only change
as "* Orphaned, set maintainer to Debian QA Group"
[4] Bug #189978: dnrd_2.10-7(unstable/ia64): FTBFS: warning treated as
error http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=189978
[5] I dislike it when packages are removed, but if no one fixes or creates
workarounds to downgrade RC bugs...
[6] http://lists.debian.org/debian-release/2003/debian-release-200304/msg00024.html
[7] http://www.securesoftware.com/auditing_tools_download.htm
[8] http://www.splint.org/
[9] http://www.dwheeler.com/flawfinder/

     Drew Daniels
