Subject: NetBSD Security Advisory 2002-015: (another) buffer overrun in libc/libresolv DNS resolver
To: None <netbsd-announce@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: netbsd-announce
Date: 10/08/2002 14:25:51
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-015
		 =================================

Topic:		(another) buffer overrun in libc/libresolv DNS resolver

Version:	NetBSD-current:	source prior to August 28, 2002
		NetBSD-1.6 beta: source prior to August 28, 2002
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected
		All prior NetBSD releases.
		pkgsrc:		net/bind4, prior to bind-4.9.10
				net/bind8, prior to bind-8.2.5
				emulators/compat14 prior to 1.4.3.2
				emulators/compat14-crypto prior to 1.4.3.2
				emulators/netbsd32_compat14 prior to 1.4.3.2
				emulators/compat15 prior to 1.5.3.1
					if ships with libc/libresolv shlib
				emulators/netbsd32_compat15 prior to 1.5.3.1
				emulators/* for other operating systems,
					if ships with libc/libresolv shlib
				any statically linked pkgsrc binaries
				(there could be more)
				programs that call res_* directly with small
				receive buffer

Severity:	remote buffer overrun on any application that uses DNS,
		possible remote root exploit (not confirmed)

Fixed:		NetBSD-current:		August 28, 2002
		NetBSD-1.6 branch:	August 28, 2002	(1.6 includes the fix)
		NetBSD-1.5 branch:	September 5, 2002
		pkgsrc:			net/bind4 4.9.10
					net/bind8 8.3.3
					emulators/compat14 1.4.3.2
					emulators/compat14-crypto 1.4.3.2
					emulators/netbsd32_compat14 1.4.3.2
					emulators/compat15 1.5.3.1
					emulators/netbsd32_compat15 1.5.3.1
					emulators/* for other operating systems
						- not yet

Abstract
========

BIND-based DNS resolver did not allocate a sufficiently large receive
memory buffer.  Large DNS responses (even if valid) could overrun the
buffer, or could confuse DNS response parsing.

NetBSD uses BIND4-based DNS resolver code in libc/libresolv, and is
vulnerable.

The release of this advisory has been postponed for coordination with
third party.


Technical Details
=================

http://www.kb.cert.org/vuls/id/738331


Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

Note that any statically-linked binary that makes any DNS query is
vulnerable, and cannot be fixed by replacing a shared library.
Therefore, updating the entire system is suggested.

Note also that shared libraries from other operating systems installed
for binary compatibility under /emul may also be vulnerable. Please
consult the vendor of those libraries for further details.

If you have NetBSD systems that have been upgraded from earlier
releases from before 1997, you may have libc and/or libresolv shared
libraries with older shared library major numbers.  Check for the
presence of /usr/lib/libc.so.X.Y where X < 12 (the current major
number).  These old libraries contain vulnerable resolver code, and
will not be updated even if you rebuild the system; they are retained
for support of old programs linked against them.  Therefore, we
suggest you replace any such binaries and remove the old shared
libraries.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-08-28
	should be upgraded to NetBSD-current dated 2002-08-28 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc/net
	Also note that the include files needs to be in sync with
	code in lib/libc/net.

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.6 betas:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-08-28 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		lib/libc/net
	Also note that the include files needs to be in sync with
	code in lib/libc/net.

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-6 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.5.x:

	Systems running NetBSD 1.5 dated from before 2002-09-05
	should be upgraded to NetBSD 1.5 tree dated 2002-09-05 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		lib/libc/net
	Also note that the include files needs to be in sync with
	code in lib/libc/net.

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.4.x:

	NetBSD 1.4.x has reached end-of-life.  Users should upgrade to 1.5.x
	or 1.6.


* pkgsrc:

	BIND4:
	bind-4.9.9 (pkgsrc/net/bind4) and prior are vulnerable.  Upgrade to
	bind-4.9.10.  Note that BIND4 nameserver is considered obsolete by
	the vendor (ISC), and it is recommended to use BIND9, or BIND8.

	BIND8:
	pkgsrc prior to bind-8.2.5 are vulnerable.  Upgrade to bind-8.3.3
	(BIND8 prior to 8.3.3 is vulnerable to other problems).

	static binaries:
	If you have statically linked binaries in pkgsrc, they have to be
	rebuilt.  Statically linked binaries can be identified by the
	following command (note: be sure to include the directory you install
	pkgsrc binaries to, if you've changed LOCALBASE from the default of
	/usr/pkg)

		file /usr/pkg/{bin,sbin,libexec}/* | grep static

	compat14, compat14-crypto, netbsd32_compat14, compat15,
	netbsd32_compat15 (emulators category):
	They may contain libc/libresolv shared libraries which might be
	vulnerable.  See top of this advisory for revision numbers.

	emulation libraries:
	Shared libraries for binary compatibility are available
	through pkgsrc for some operating systems, and are installed into
	/emul.  Some of them may be vulnerable as noted above if installed.


Thanks To
=========

Jun-ichiro itojun Hagino for patches, and initial advisory text.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-10-08	Initial release


More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-015.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-015.txt,v 1.15 2002/10/08 03:43:35 itojun Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPaJUTz5Ru2/4N2IFAQEz5QP/cc2KrgSaqae+cuWEdBw3TceLk3KhScCh
HMBc86dFkR1RyaRlJuMyOKgh3QV+NIzCI8RrWfO2wt0Zgjg6A8sDpwRC/WadqVYb
ElMJtGyNMhuf66VDdouInI+sKmvRN8Hs6wdK78MRAZJhvTafHenXD6jbYLFQzSze
bcRrblz/Jr8=
=At7u
-----END PGP SIGNATURE-----