Search the web
Sign In
New User? Sign Up
dnrd · DNRD discussion list
  • Members Only
  • Post
  • Files
  • Photos
  • Links
  • Database
  • Polls
  • Members
  • Calendar
  • Promote
  • Groups Labs (Beta)
? Already a member? Sign in to Yahoo!

Yahoo! Groups Tips

Did you know...
Want to share photos of your group with the world? Add a group photo to Flickr.

Best of Y! Groups

   Check them out and nominate your group.
Having problems with message search? Fill out this form to ensure your group is one of the first to be migrated to the new message search system.

Messages

   Messages Help
Message #
Search:
Advanced
[grantma@anathoth.gen.nz: Bug#80888: SECURITY - Several multiple bu   Message List  
Reply | Forward Message #182 of 261 |
Hello Brad,


this doesn't sound very good, I'm afraid I've got too little experience with
network programming. Maybe you both could arrange something?

Thank you!

Thomas
----- Forwarded message from Matthew Grant <grantma@...> -----

Subject: Bug#80888: SECURITY - Several multiple buffer overflows in dnrd
Reply-To: Matthew Grant <grantma@...>, 80888@...
To: submit@...
Date: Sun, 31 Dec 2000 00:36:00 +1300
From: Matthew Grant <grantma@...>


Package: dnrd
Version: 2.7-1, 2.8-3
Severity: critical

Due to dnrd design, there is no buffer length checking in many places through
out the daemon. Multiple buffer overflows exist that can only be fixed via a
major audit and possibly rewrite. This package is probably un-fixable as it
stands, and probably means that anyone on the net can easily get access to the
machine as the user the demon is running as.

I have the beginnings of what has to be done, but it will take the upstream
authors weeks to correct, and the person who does it has to have a good
knowledge of network programming. The way the DNS records are encoded with
variable length strings makes it very difficult for an in-experienced
programmer to get the buffer length checking right.

I would recommend that the package be with drawn until this is attended to. I
currently don't have the time to finish the fix as I am doing some major work
on zebra and some projects for Debian. If the package maintainer wants to see
if he can do it, I will send him what I have and try and explain what has to
be done. Some heavy work is required in workign with the DNS RFCs.

Cheers,

Matthew Grant
--
===============================================================================
Matthew Grant /\ ^/\^ grantma@... It's/~~~~\Plain where
A Linux Network Guy /~~\^/~~\_/~~~~~\_______/~~~~~~~~~~\____/******\I come from
===============================================================================





----- End forwarded message -----

--
1024D/B0FA4F49: FA38 2D7E 408F 61E4 BF49 B48F 04BD F5BE B0FA 4F49
2048g/C631AF6E: B89D 7BF4 AA6B 569B D9D1 4BF6 3459 66AB C631 AF6E
Fri Jan 12, 2001 2:20 pm

Show Message Option
schoepf@...
Send Email Send Email

Forward 		Message #182 of 261 |
Expand Messages Author Sort by Date

Hello Brad, this doesn't sound very good, I'm afraid I've got too little experience with network programming. Maybe you both could arrange something? Thank... 		Thomas Schoepf
schoepf@...
Send Email 		Jan 12, 2001
2:35 pm

... The potential buffer overflows have been known for a while. The patches submitted by Wolfgang Zekoll were full of them, but many people were asking for the...
Brad Garcia
garsh@...
Send Email 		Jan 12, 2001
3:27 pm
< Prev Topic  |  Next Topic >
Message #
Search:
Advanced
Copyright © 2009 Yahoo! Inc. All rights reserved.
Privacy Policy - Terms of Service - Guidelines - Help