CVE-2008-4194 denial of service

Debian Bug report logs - #500910
CVE-2008-4194 denial of service

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: CVE-2008-4194 denial of service

Date: Thu, 2 Oct 2008 16:20:09 +0200

[Message part 1 (text/plain, inline)]

Package: pdnsd
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pdnsd.

CVE-2008-4194[0]:
| The p_exec_query function in src/dns_query.c in pdnsd before 1.2.7-par
| allows remote attackers to cause a denial of service (daemon crash)
| via a long DNS reply with many entries in the answer section, related
| to a "dangling pointer bug."

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4194
    http://security-tracker.debian.net/tracker/CVE-2008-4194

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 500910@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: Nico Golde <nion@debian.org>, 500910@bugs.debian.org

Subject: Re: Bug#500910: CVE-2008-4194 denial of service

Date: Thu, 2 Oct 2008 18:25:54 +0200

[Message part 1 (text/plain, inline)]

Quoting Nico Golde (nion@debian.org):
> Package: pdnsd
> Severity: grave
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for pdnsd.

If someone fixes this, fixing #490047 would be much appreciated as
well by the l10n folks (and this is certainly not invasive).

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 500910@bugs.debian.org (full text, mbox, reply):

From: Pierre Habouzit <madcoder@debian.org>

To: Christian Perrier <bubulle@debian.org>, 500910@bugs.debian.org

Cc: Nico Golde <nion@debian.org>

Subject: Re: Bug#500910: CVE-2008-4194 denial of service

Date: Thu, 02 Oct 2008 19:50:05 +0200

[Message part 1 (text/plain, inline)]

On Thu, Oct 02, 2008 at 04:25:54PM +0000, Christian Perrier wrote:
> Quoting Nico Golde (nion@debian.org):
> > Package: pdnsd
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for pdnsd.
> 
> If someone fixes this, fixing #490047 would be much appreciated as
> well by the l10n folks (and this is certainly not invasive).

This becomes an habit :P
But Yes I'll fix those at the same time.


-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org

[Message part 2 (application/pgp-signature, inline)]

Message #20 received at 500910@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: 500910@bugs.debian.org

Subject: Re: Bug#500910: CVE-2008-4194 denial of service

Date: Fri, 3 Oct 2008 07:56:39 +0200

[Message part 1 (text/plain, inline)]

Quoting Pierre Habouzit (madcoder@debian.org):

> > If someone fixes this, fixing #490047 would be much appreciated as
> > well by the l10n folks (and this is certainly not invasive).
> 
> This becomes an habit :P


You should know that..:-)

But, yes, I found funny to see that two of your packages went on my
l10n radar at about the same time, Pierre. And you'll fix both of them
of course.

/me moves the radar somewhere else. Feel safe, apparently
http://i18n.debian.net/debian-l10n/l10n-nmu/nmu_bypackage.html is not
showing any other package of yours...

[signature.asc (application/pgp-signature, inline)]

Message #25 received at 500910@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: Pierre Habouzit <madcoder@debian.org>

Cc: Christian Perrier <bubulle@debian.org>, 500910@bugs.debian.org

Subject: Re: Bug#500910: CVE-2008-4194 denial of service

Date: Fri, 3 Oct 2008 14:56:51 +0200

[Message part 1 (text/plain, inline)]

tags 500910 + patch
thanks

Hi,
* Pierre Habouzit <madcoder@debian.org> [2008-10-02 21:43]:
> On Thu, Oct 02, 2008 at 04:25:54PM +0000, Christian Perrier wrote:
> > Quoting Nico Golde (nion@debian.org):
> > > Package: pdnsd
> > > Severity: grave
> > > Tags: security
> > > 
> > > Hi,
> > > the following CVE (Common Vulnerabilities & Exposures) id was
> > > published for pdnsd.
> > 
> > If someone fixes this, fixing #490047 would be much appreciated as
> > well by the l10n folks (and this is certainly not invasive).
> 
> This becomes an habit :P
> But Yes I'll fix those at the same time.

A patch for CVE-2008-4194 is attached.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[pdnsd-1.2.6-dpfix.diff (text/x-diff, attachment)]

[Message part 3 (application/pgp-signature, inline)]

Message #32 received at 500910-close@bugs.debian.org (full text, mbox, reply):

From: Pierre Habouzit <madcoder@debian.org>

To: 500910-close@bugs.debian.org

Subject: Bug#500910: fixed in pdnsd 1.2.6-par-10

Date: Sun, 05 Oct 2008 09:02:11 +0000

Source: pdnsd
Source-Version: 1.2.6-par-10

We believe that the bug you reported is fixed in the latest version of
pdnsd, which is due to be installed in the Debian FTP archive:

pdnsd_1.2.6-par-10.diff.gz
  to pool/main/p/pdnsd/pdnsd_1.2.6-par-10.diff.gz
pdnsd_1.2.6-par-10.dsc
  to pool/main/p/pdnsd/pdnsd_1.2.6-par-10.dsc
pdnsd_1.2.6-par-10_amd64.deb
  to pool/main/p/pdnsd/pdnsd_1.2.6-par-10_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 500910@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <madcoder@debian.org> (supplier of updated pdnsd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 05 Oct 2008 09:54:52 +0200
Source: pdnsd
Binary: pdnsd
Architecture: source amd64
Version: 1.2.6-par-10
Distribution: unstable
Urgency: high
Maintainer: Pierre Habouzit <madcoder@debian.org>
Changed-By: Pierre Habouzit <madcoder@debian.org>
Description: 
 pdnsd      - Proxy DNS Server
Closes: 490047 499984 500910
Changes: 
 pdnsd (1.2.6-par-10) unstable; urgency=high
 .
   * Add patches/0005-fix-for-CVE-2008-4194.patch for CVE-2008-4194.
     (Closes: #500910).
   * Document where the two default configuration are in README.Debian
     (Closes: #499984).
   * Update turkish translation thanks to Mert Dirik (Closes: #490047).
Checksums-Sha1: 
 af88824ae59be5a5c26639382daccfbc70154628 1139 pdnsd_1.2.6-par-10.dsc
 567845752e33044e9ef5a3da2406f970361f4c8f 81156 pdnsd_1.2.6-par-10.diff.gz
 9d96b42fdff7abf678f52ca3dd3873397fd4574f 287422 pdnsd_1.2.6-par-10_amd64.deb
Checksums-Sha256: 
 fc338b275e47703dd4c7644cdc7a21b7c13f0de63f47f8f3a1da47d5d4bb7dd3 1139 pdnsd_1.2.6-par-10.dsc
 f455c6927595d0c00054999cf8fcfcd6cd6b4065481dff0967549389bebbd961 81156 pdnsd_1.2.6-par-10.diff.gz
 36c984f761f23ad39c50b3c15ead2b6624599229ea58e3afe2728fcfc03cdb4d 287422 pdnsd_1.2.6-par-10_amd64.deb
Files: 
 d9ac6f099a06cfcd0de45767e3b3566e 1139 net optional pdnsd_1.2.6-par-10.dsc
 38ff45e8a9de54f5284840069e29975c 81156 net optional pdnsd_1.2.6-par-10.diff.gz
 ec036f26763f88687c86eae538a0b0a6 287422 net optional pdnsd_1.2.6-par-10_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjodDEACgkQvGr7W6HudhwQAwCdFl0BEx191IG8+xcJL6hAoTP8
JXgAn3HTQGr5xF3wDhWoKWapQYCsqRto
=450A
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.