Re: Inadequate source of entropy in recursive queries: maradns
Julien,
The attached file is a debdiff for 1.4.03-1.1 -> 1.4.03-1.2. I have not
run an FTBS test on it but I wanted to know if I was on the right lines.
On 31/12/11 15:00, Julien Cristau wrote:
> On Sat, Dec 31, 2011 at 14:30:04 +0000, Nicholas Bamber wrote:
>
>> As per the attached email, I wonder if you would be interested in point
>> releases for the old versions of maradns to fix #653838 and what the
>> relevant timescales would be.
>>
> Yes. The next (and last) lenny point release is planned for late
> February or early March, and the next squeeze point release should be in
> the second half of January. Packages would have to be uploaded and
> accepted at least a week in advance.
>
> Please send source debdiffs for both lenny and squeeze to the d-release
> list so they can be reviewed in advance of an upload.
>
>> There is also the question of unarchiving and fixing #584587 in the
>> lenny version whilst we still have the chance.
>
> That'd depend on the actual diff, what would that look like?
>
> Cheers,
> Julien
--
Nicholas Bamber | http://www.periapt.co.uk/
PGP key 3BFFE73C from pgp.mit.edu
diff -u maradns-1.4.03/debian/copyright maradns-1.4.03/debian/copyright
--- maradns-1.4.03/debian/copyright
+++ maradns-1.4.03/debian/copyright
@@ -4,7 +4,7 @@
Files: *
Copyright:
- (C) 2002-2010 Sam Trenholme <maradns@gmail.com>
+ (C) 2002-2011 Sam Trenholme <maradns@gmail.com>
License: BSD license
Files: debian/*
diff -u maradns-1.4.03/debian/changelog maradns-1.4.03/debian/changelog
--- maradns-1.4.03/debian/changelog
+++ maradns-1.4.03/debian/changelog
@@ -1,3 +1,9 @@
+maradns (1.4.03-1.2) stable; urgency=low
+
+ * Applied patch to ensure adequate entropy (Closes: #653838)
+
+ -- Nicholas Bamber <nicholas@periapt.co.uk> Sun, 01 Jan 2012 16:29:53 +0000
+
maradns (1.4.03-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team
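Review bot: the changelog entry does not say what the patch changes or where it comes from, which the stable release team will want to see before accepting a point-release upload; expand " * Applied patch to ensure adequate entropy (Closes: #653838)" to say that the mhash hash function is now seeded at server start with four bytes read from /dev/urandom (and name the upstream version or commit it is taken from), and add the CVE identifier if one has been assigned (use a CVE-YYYY-NNNN placeholder only until it is known, since none appears in this diff).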
only in patch2:
unchanged:
--- maradns-1.4.03.orig/server/MaraDNS.c
+++ maradns-1.4.03/server/MaraDNS.c
@@ -3933,6 +3933,24 @@
int recurse_number_ports = 4096;
#endif
+ /* First order of business: Initialize the hash */
+ if(mhash_set_add_constant(
+#ifdef MINGW32
+ "secret.txt"
+#else
+ "/dev/urandom"
+#endif
+ ) != 1) {
+ printf(
+#ifdef MINGW32
+ "Fatal error opening secret.txt"
+#else
+ "Fatal error opening /dev/urandom"
+#endif
+ );
+ return 32;
+ }
+
memset(&client,0,sizeof(client)); /* Initialize ya variables */
clin = (struct sockaddr_in *)&client;
#ifdef AUTHONLY
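Review bot: the fatal-error path prints with printf() and no trailing newline, so the message goes to stdout (block-buffered when not a terminal, and possibly never flushed before the process exits) rather than stderr; use fprintf(stderr, "Fatal error opening /dev/urandom\n") and the matching secret.txt variant so the failure shows up wherever the daemon's stderr is logged. The exit status 32 is a bare magic number: a short comment saying what it signifies, or reuse of whatever convention the other startup failures in MaraDNS.c follow, would help whoever has to debug a server that refuses to start.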
only in patch2:
unchanged:
--- maradns-1.4.03.orig/libs/MaraHash.c
+++ maradns-1.4.03/libs/MaraHash.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2006 Sam Trenholme
+/* Copyright (c) 2006,2011 Sam Trenholme
*
* TERMS
*
@@ -32,6 +32,7 @@
#include "JsStr.h"
#endif
#include "MaraHash.h"
+#include <stdio.h>
/* Masks to limit the size of the hash */
/* These are powers of two, minus one */
@@ -41,6 +42,8 @@
16777215, 33554431, 67108863, 134217727,
268435455, 536870911, 1073741823 };
+mhash_offset mhash_secret_add_constant = 7;
+
/* Create a new, blank mhash object
input: none
output: pointer to the object in quesiton on success, NULL (0)
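Review bot: mhash_secret_add_constant is a non-static global initialised to the fixed value 7, and the only place it is ever set from random data is the new call added to MaraDNS.c's startup; any other binary built against libs/MaraHash.c that does not make that call keeps the constant 7 and therefore still hashes every key predictably. Either make the variable static and document in functions_MaraHash.h that mhash_set_add_constant() must be called before the first mhash is created, or have the creation routine whose comment starts at the end of this hunk seed the constant itself when it is still at its default, so that no user of the library can forget.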
@@ -100,6 +103,7 @@
/* Simple enough hash */
while(point < max) {
ret += (mhash_offset)(*point << shift);
+ ret += mhash_secret_add_constant;
shift += 7;
shift %= hash_bits;
point++;
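Review bot: adding mhash_secret_add_constant once per iteration only contributes (key length) times the secret to ret, so for any two keys of the same length the secret cancels out of the difference between their hashes and a set of equal-length keys that collided before this patch still collides after it, whatever /dev/urandom supplied; the change only separates keys of different lengths. To actually key the hash, the secret has to interact with the byte being mixed on the previous line rather than be added alongside it, for example by multiplying ret by an odd multiplier derived from the secret each round before adding the shifted byte, or by replacing the loop with a keyed hash designed for this purpose.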
@@ -684,3 +688,23 @@
return tuple->tuple_list[element];
}
+/* Read four bytes from a filename and use that as a secret add constant */
+int mhash_set_add_constant(char *filename) {
+ FILE *read = 0;
+
+ read = fopen(filename,"rb");
+ if(read == NULL) {
+ return -1;
+ }
+
+ mhash_secret_add_constant ^= getc(read);
+ mhash_secret_add_constant <<= 8;
+ mhash_secret_add_constant ^= getc(read);
+ mhash_secret_add_constant <<= 8;
+ mhash_secret_add_constant ^= getc(read);
+ mhash_secret_add_constant <<= 7;
+ mhash_secret_add_constant ^= getc(read);
+ fclose(read);
+ return 1;
+}
+
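Review bot: the four getc() calls are unchecked, so a short read or an I/O error yields EOF (-1), which XORed in sets every bit of the constant to a predictable value while the function still returns 1; read the bytes with fread() into an unsigned char[4], check that it returned 4, and return -1 otherwise. The third shift is `<<= 7` where the other two are 8, so the last byte overlaps the previous one by a bit; if that is intentional (keeping the value within 31 bits, which matches the masks above topping out at 1073741823) it deserves a comment, otherwise it looks like a typo for 8. Also the local named `read` shadows read(2) from <unistd.h>; a name such as `fp` avoids the confusion, and the parameter can be `const char *filename` since it is only passed to fopen().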
only in patch2:
unchanged:
--- maradns-1.4.03.orig/libs/functions_MaraHash.h
+++ maradns-1.4.03/libs/functions_MaraHash.h
@@ -39,3 +39,5 @@
*/
void *mhash_undef(mhash *hash, js_string *key);
+/* Read four bytes from a filename and use that as a secret add constant */
+int mhash_set_add_constant(char *filename);
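Review bot: the prototype takes `char *filename` but the function never modifies the string, so declare it `const char *filename` here and in the definition so that literals like "/dev/urandom" pass without warnings and callers keep const-correctness; the header comment should also state that this must be called once, before any mhash is created, because the secret otherwise stays at its compile-time default.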