Debian Bug report logs - #490217
python-dns vulnerable to CVE-2008-1447 DNS source port guessable
Reported by: Joe Malicki <jmalicki@metacarta.com>
Date: Thu, 10 Jul 2008 19:36:08 UTC
Severity: grave
Tags: security
Found in version python-dns/2.3.0-5.1
Fixed in versions python-dns/2.3.1-5, 2.3.0-5.2+etch4
Done: <devin@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Scott Kitterman <scott@kitterman.com>: Bug#490217; Package python-dns.
Acknowledgement sent to Joe Malicki <jmalicki@metacarta.com>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Scott Kitterman <scott@kitterman.com>.
Message #5 received at submit@bugs.debian.org:
Package: python-dns
Version: 2.3.0-5.1
Severity: grave
Tags: security
Justification: user security hole
CVE-2008-1447, which deals with DNS reply poisoning that
is possible due to DNS clients sending DNS requests on
predictable UDP source ports, is a security issue that
also applies to python-dns, as it does not implement the
recommended UDP port randomization... example:
Note lack of port randomization in code:
    def sendUDPRequest(self, server):
        "refactor me"
        self.response=None
        self.socketInit(socket.AF_INET, socket.SOCK_DGRAM)
        for self.ns in server:
            try:
                # TODO. Handle timeouts &c correctly (RFC)
                #self.s.connect((self.ns, self.port))
                self.conn()
                self.time_start=time.time()
                if not self.async:
                    self.s.send(self.request)
                    self.response=self.processUDPReply()
            #except socket.error:
            except None:
                continue
            break
        if not self.response:
            if not self.async:
                raise DNSError,'no working nameservers found'
In [25]: import DNS
In [26]: d=DNS.DnsRequest(name='www.google.com', server='208.80.142.5', port=53)
In [27]: r=d.req()
In [28]: r=d.req()
In [29]: r=d.req()
In [30]: r=d.req()
(etc)
Yields, with "tcpdump udp port 53":
15:27:15.912894 IP baekdudaegan.metacarta.com.43661 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:17.224843 IP baekdudaegan.metacarta.com.43662 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:18.344731 IP baekdudaegan.metacarta.com.43663 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:18.952729 IP baekdudaegan.metacarta.com.43664 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:19.384802 IP baekdudaegan.metacarta.com.43665 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:19.752853 IP baekdudaegan.metacarta.com.43666 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:20.120819 IP baekdudaegan.metacarta.com.43667 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:22.680866 IP baekdudaegan.metacarta.com.43668 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:23.416775 IP baekdudaegan.metacarta.com.43669 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages python-dns depends on:
ii python 2.4.4-2 An interactive high-level object-o
ii python-support 0.5.6 automated rebuilding support for p
python-dns recommends no packages.
-- no debconf information
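An added example, not part of the original report: a small Python 3 checker that reads the tcpdump query lines quoted in the report and measures both values an off-path spoofer has to guess, the UDP source port and the DNS query ID that tcpdump prints before the flags (`0+`). The function names and the result keys are assumptions made for this example.

```python
import re

# Query lines copied from the tcpdump capture in the report (wrapped lines joined).
CAPTURE = """\
15:27:15.912894 IP baekdudaegan.metacarta.com.43661 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:17.224843 IP baekdudaegan.metacarta.com.43662 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:18.344731 IP baekdudaegan.metacarta.com.43663 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:18.952729 IP baekdudaegan.metacarta.com.43664 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:19.384802 IP baekdudaegan.metacarta.com.43665 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:19.752853 IP baekdudaegan.metacarta.com.43666 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:20.120819 IP baekdudaegan.metacarta.com.43667 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:22.680866 IP baekdudaegan.metacarta.com.43668 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
15:27:23.416775 IP baekdudaegan.metacarta.com.43669 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32)
"""

# tcpdump prints "<src>.<port> > <dst>.<port>: <query id><flags> <qtype>? <name>"
QUERY_RE = re.compile(r" IP \S+\.(\d+) > \S+: (\d+)\S* \w+\? ")

def parse_queries(text):
    """Return [(source_port, transaction_id), ...] for each DNS query line."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(QUERY_RE.search, text.splitlines()) if m]

def assess(queries):
    """Summarise how guessable source port and TID are across a capture."""
    ports = [p for p, _ in queries]
    tids = {t for _, t in queries}
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return {
        "queries": len(queries),
        "port_steps": sorted(set(steps)),
        "sequential_ports": bool(steps) and all(s == 1 for s in steps),
        "distinct_tids": len(tids),
        "fixed_tid": len(queries) > 1 and len(tids) == 1,
    }

if __name__ == "__main__":
    print(assess(parse_queries(CAPTURE)))
```

On this capture every port step is exactly 1 and the query ID is 0 in all nine packets, so neither field adds any uncertainty for a spoofed reply.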
Acknowledgement sent to Scott Kitterman <scott@kitterman.com>: Extra info received and forwarded to list.
Message #10 received at 490217@bugs.debian.org:
I'm discussing this with upstream and will get something out soon.
Acknowledgement sent to Scott Kitterman <scott@kitterman.com>: Extra info received and forwarded to list.
Message #15 received at 490217@bugs.debian.org:
In addition to source port randomization, one would also like TID (Transaction
ID) randomization. Up until now, python-dns provided neither. 2.3.1-4 pulls
a patch from the upstream CVS repository that will provide a random TID when
packets are created.
The patch does not re-randomize the TID if a packet has to be retried due to
timeouts. It also does not randomize the port. The Lenny/Sid kernel will do
this for python-dns, but the Etch kernel will not.
Upstream is still working on the issue. I expect a new upstream release
tomorrow that fully supports TID randomization and another release once the
port randomization is coded and tested (it's a rather more complex change).
Once both those are in hand, I'll prepare a diff for the security team for
Etch.
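An added Python 3 example, not the upstream pydns patch or the Debian diff, of the two measures the message above describes: a fresh random TID for every attempt (retries included) and a source port picked by the application instead of left to the kernel. The function names, the 1024-65535 port range and the `(IPv4 address, port)` form of `server` are assumptions made for this example.

```python
import errno
import secrets
import socket
import struct
import time

PORT_MIN, PORT_MAX = 1024, 65535  # assumed range, not taken from the patch

def build_query(name, tid, qtype=1):
    """Encode a recursive (RD=1) query for `name` carrying a 16-bit TID."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def open_random_port_socket(tries=32):
    """Bind UDP to a CSPRNG-chosen port rather than trusting the kernel's pick."""
    for _ in range(tries):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.bind(("", PORT_MIN + secrets.randbelow(PORT_MAX - PORT_MIN + 1)))
            return s
        except OSError as e:
            s.close()
            if e.errno != errno.EADDRINUSE:
                raise
    raise OSError("no free source port found")

def reply_matches(reply, sender, tid, server):
    """Accept only a response (QR=1) from the queried server that echoes our TID."""
    if sender != server or len(reply) < 12:
        return False
    rtid, flags = struct.unpack("!HH", reply[:4])
    return rtid == tid and bool(flags & 0x8000)

def query(name, server, attempts=3, timeout=2.0):
    """Each attempt, retries included, uses a fresh TID and a fresh source port."""
    for _ in range(attempts):
        tid = secrets.randbelow(1 << 16)
        deadline = time.monotonic() + timeout
        with open_random_port_socket() as s:
            s.sendto(build_query(name, tid), server)
            while (left := deadline - time.monotonic()) > 0:
                s.settimeout(left)
                try:
                    reply, sender = s.recvfrom(4096)
                except socket.timeout:
                    break
                if reply_matches(reply, sender, tid, server):
                    return reply  # non-matching datagrams are dropped
    raise TimeoutError("no matching reply from server")
```

The per-attempt deadline keeps a stream of non-matching datagrams from extending the wait, and `build_query("www.google.com", ...)` produces the same 32-byte query length that the tcpdump output in the report shows.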
Acknowledgement sent to Scott Kitterman <scott@kitterman.com>: Extra info received and forwarded to list.
Message #20 received at 490217@bugs.debian.org:
Upstream is being slower than I'd hoped. I'll see if I can't come up with a
patch and send it to them.
Scott K
Reply sent to Scott Kitterman <scott@kitterman.com>: You have taken responsibility.
Notification sent to Joe Malicki <jmalicki@metacarta.com>: Bug acknowledged by developer.
Message #25 received at 490217-close@bugs.debian.org:
Source: python-dns
Source-Version: 2.3.1-5
We believe that the bug you reported is fixed in the latest version of
python-dns, which is due to be installed in the Debian FTP archive:
python-dns_2.3.1-5.diff.gz
to pool/main/p/python-dns/python-dns_2.3.1-5.diff.gz
python-dns_2.3.1-5.dsc
to pool/main/p/python-dns/python-dns_2.3.1-5.dsc
python-dns_2.3.1-5_all.deb
to pool/main/p/python-dns/python-dns_2.3.1-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 490217@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated python-dns package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 26 Jul 2008 00:46:56 -0400
Source: python-dns
Binary: python-dns
Architecture: source all
Version: 2.3.1-5
Distribution: unstable
Urgency: high
Maintainer: scott@kitterman.com
Changed-By: Scott Kitterman <scott@kitterman.com>
Description:
python-dns - pydns - DNS client module for Python
Closes: 490217
Changes:
python-dns (2.3.1-5) unstable; urgency=high
.
* Replace debian/patches/tid-random.patch with source-tid-random.patch
to fully address CVE-2008-1447 (Closes: #490217)
- Randomize TID (from previous patch - it works for retries too)
- Add source port randomization to cover all cases
Acknowledgement sent to Scott Kitterman <scott@kitterman.com>: Extra info received and forwarded to list.
Message #30 received at 490217@bugs.debian.org:
[etch.debdiff (text/x-diff, attachment)]
Acknowledgement sent to Scott Kitterman <scott@kitterman.com>: Extra info received and forwarded to list.
Message #35 received at 490217@bugs.debian.org:
[etch.debdiff (text/x-diff, attachment)]
Bug marked as fixed in version 2.3.0-5.2+etch4. Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Wed, 30 Jul 2008 18:45:06 GMT)
Reply sent to <devin@debian.org>: You have taken responsibility.
Notification sent to Joe Malicki <jmalicki@metacarta.com>: Bug acknowledged by developer.
Message #42 received at 490217-close@bugs.debian.org:
Source: python-dns
Source-Version: 2.3.0-5.2+etch4
We believe that the bug you reported is fixed in the latest version of
python-dns, which is due to be installed in the Debian FTP archive:
python-dns_2.3.0-5.2+etch4.diff.gz
to pool/main/p/python-dns/python-dns_2.3.0-5.2+etch4.diff.gz
python-dns_2.3.0-5.2+etch4.dsc
to pool/main/p/python-dns/python-dns_2.3.0-5.2+etch4.dsc
python-dns_2.3.0-5.2+etch4_all.deb
to pool/main/p/python-dns/python-dns_2.3.0-5.2+etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 490217@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
devin@debian.org (supplier of updated python-dns package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 26 Jul 2008 21:46:00 -0400
Source: python-dns
Binary: python-dns
Architecture: source all
Version: 2.3.0-5.2+etch4
Distribution: stable-security
Urgency: high
Maintainer: Joerg Wendland <joergland@debian.org>
Changed-By: devin@debian.org
Description:
python-dns - pydns - DNS client module for Python
Closes: 490217
Changes:
python-dns (2.3.0-5.2+etch4) stable-security; urgency=high
.
* Non-maintainer upload by the security team; thanks to Scott Kitterman
for preparing the fix.
* SECURITY UPDATE: Modify DNS/Base.py to randomize both Transaction ID
(TID) and source port (Closes: #490217)
- CVE-2008-1447 DNS source port guessable
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Scott Kitterman <scott@kitterman.com>.
Message #47 received at 490217@bugs.debian.org:
Hi,
This is CVE-2008-4099; can you please add it to the changelog of 2.3.1-5
retroactively on your next upload?
Thijs
Acknowledgement sent to Scott Kitterman <scott@kitterman.com>: Extra info received and forwarded to list.
Message #52 received at 490217@bugs.debian.org:
On Tuesday 16 September 2008 02:44, Thijs Kinkhorst wrote:
> Hi,
>
> This is CVE-2008-4099; can you please add it to the changelog of 2.3.1-5
> retroactively on your next upload?
I don't find that CVE on cve.mitre.org. Do you have a reference?
Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Scott Kitterman <scott@kitterman.com>.
Message #57 received at 490217@bugs.debian.org:
On Tue, September 16, 2008 15:45, Scott Kitterman wrote:
> On Tuesday 16 September 2008 02:44, Thijs Kinkhorst wrote:
>> Hi,
>>
>> This is CVE-2008-4099; can you please add it to the changelog of 2.3.1-5
>> retroactively on your next upload?
>
> I don't find that CVE on cve.mitre.org. Do you have a reference?
The CVE website details are often filled in a few days after assignment;
be assured this has been directly assigned by Mitre to this issue.
Thijs
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Scott Kitterman <scott@kitterman.com>.
Message #62 received at 490217@bugs.debian.org:
On Tue, Sep 16, 2008 at 09:45:58 -0400, Scott Kitterman wrote:
> On Tuesday 16 September 2008 02:44, Thijs Kinkhorst wrote:
> > Hi,
> >
> > This is CVE-2008-4099; can you please add it to the changelog of 2.3.1-5
> > retroactively on your next upload?
>
> I don't find that CVE on cve.mitre.org. Do you have a reference?
http://www.openwall.com/lists/oss-security/2008/09/16/4
Cheers,
Julien
Acknowledgement sent to Scott Kitterman <scott@kitterman.com>: Extra info received and forwarded to list.
Message #67 received at 490217@bugs.debian.org:
> > > This is CVE-2008-4099; can you please add it to the changelog of
> > > 2.3.1-5 retroactively on your next upload?
> >
> > I don't find that CVE on cve.mitre.org. Do you have a reference?
>
> http://www.openwall.com/lists/oss-security/2008/09/16/4
Thanks. Will do. This is also fixed upstream in 2.3.2/3 if anyone asks.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 24 Oct 2008 07:26:18 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:32:53 2019.