* Stefan Ritt:

>>   - If host names are resolved, no forward lookup is performed to
>>     verify the PTR RR.  (This does not affect the sarge version
>>     because it unconditionally uses addresses, not host names.)
>
> Can you specify what you mean by that exactly?

If I read the code correctly, it just requests the PTR record from
DNS, and logs the host name that is returned.

Suppose that I added

171.189.9.212.in-addr.arpa. 172800 IN PTR    deneb.debian.org.

to the 189.9.212.in-addr.arpa zone (which I technically control
because it's IP address space).  Now deneb.debian.org does not belong
to me, so this is forgery.  In order to detect such things, you have
to perform a forward lookup as well (which would fail in this case
because deneb.debian.org is not an official host name used by Debian)
and check that the returned IP addresses, if any, include the IP
address you started with.  Since DNS is quite dynamic, it's also a
good idea to include IP address information in the log file in all
cases, even if a proper host name was found in DNS.

>>   - There are still some format string issues when things are written
>>     to the logfile.
>
> I thought I had fixed these things already some time ago. Can you
> recheck revision 1635?

There are still many lines that read:

   write_logfile(lbs, str);

However, the second argument of write_logfile is passed to vsprintf
(which should be turned into vsnprintf, by the way), so it should be a
real format string, and not some user input.  The 0005 patch I sent
tries to address that (but for the version in Debian stable).

>> Is this list complete as far as fixes past r1202 are concerned?  What
>> about r1487, is it a significant DoS condition?
>
> Yes.

Okay, this patch shouldn't be too hard to extract.  Recai, could you
backport that one and the fixes from r1635 to stable?


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
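
An added example (not elog's code, not Florian's patch) of the forward-confirmed reverse lookup described above: take the PTR name, resolve it forward, and accept the name only if the returned addresses include the address you started with, while always keeping the address in the log line. The resolver hooks and the zone contents are constructed for offline use; with real DNS you would wire getnameinfo() and getaddrinfo() into the same two function pointers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS    4
#define NAME_MAX_LEN 256
#define ADDR_STR_LEN 16          /* dotted-quad IPv4 plus NUL */

/* Hypothetical resolver hooks (an assumption of this example, not a real API):
 * rev() writes the PTR target for ip and returns 1, or 0 if there is none;
 * fwd() fills up to max A-record addresses for name and returns the count. */
typedef int (*ptr_lookup_fn)(const char *ip, char *name, size_t namelen);
typedef int (*addr_lookup_fn)(const char *name, char addrs[][ADDR_STR_LEN], int max);

/* Constructed sample zone data; none of these are real records. */
struct ptr_rec { const char *ip; const char *name; };
struct a_rec   { const char *name; const char *ip; };

static const struct ptr_rec fake_ptr_zone[] = {
    { "192.0.2.10",   "mail.example.net" },  /* honest: forward lookup returns this IP */
    { "192.0.2.11",   "mail.example.net" },  /* honest: one name, several addresses */
    { "203.0.113.5",  "mail.example.net" },  /* forged: real name, but not this address */
    { "198.51.100.7", "deneb.debian.org" },  /* forged: name with no forward record */
};
static const struct a_rec fake_a_zone[] = {
    { "mail.example.net", "192.0.2.10" },
    { "mail.example.net", "192.0.2.11" },
};

static int fake_ptr_lookup(const char *ip, char *name, size_t namelen)
{
    for (size_t i = 0; i < sizeof fake_ptr_zone / sizeof fake_ptr_zone[0]; i++)
        if (strcmp(fake_ptr_zone[i].ip, ip) == 0) {
            snprintf(name, namelen, "%s", fake_ptr_zone[i].name);
            return 1;
        }
    return 0;
}

static int fake_addr_lookup(const char *name, char addrs[][ADDR_STR_LEN], int max)
{
    int n = 0;
    for (size_t i = 0; i < sizeof fake_a_zone / sizeof fake_a_zone[0] && n < max; i++)
        if (strcmp(fake_a_zone[i].name, name) == 0)
            snprintf(addrs[n++], ADDR_STR_LEN, "%s", fake_a_zone[i].ip);
    return n;
}

/* Forward-confirmed reverse lookup: accept the PTR name only if the name's
 * own A records include the address we started from. */
bool fcrdns_name(const char *ip, ptr_lookup_fn rev, addr_lookup_fn fwd,
                 char *out, size_t outlen)
{
    char name[NAME_MAX_LEN];
    char addrs[MAX_ADDRS][ADDR_STR_LEN];

    if (!rev(ip, name, sizeof name))
        return false;                         /* no PTR at all */
    int n = fwd(name, addrs, MAX_ADDRS);
    for (int i = 0; i < n; i++) {
        if (strcmp(addrs[i], ip) == 0) {      /* the name really maps back to ip */
            snprintf(out, outlen, "%s", name);
            return true;
        }
    }
    return false;                             /* NXDOMAIN, or addresses that do not match */
}

/* Log-line helper: the address is always recorded; the name only when confirmed. */
void format_peer(const char *ip, ptr_lookup_fn rev, addr_lookup_fn fwd,
                 char *buf, size_t buflen)
{
    char name[NAME_MAX_LEN];
    if (fcrdns_name(ip, rev, fwd, name, sizeof name))
        snprintf(buf, buflen, "%s [%s]", name, ip);
    else
        snprintf(buf, buflen, "[%s]", ip);
}
```

The two forged cases differ in a way worth keeping in mind: 198.51.100.7 points at a name that does not resolve at all, while 203.0.113.5 points at a genuine name whose addresses simply do not include it. A check that only asks "does the name exist?" catches the first and misses the second; comparing the returned addresses against the original one catches both.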

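An added example (not elog's write_logfile, whose signature is assumed here) of the format string point made above: the same user text passed as the format versus as a "%s" argument, a vsnprintf-based sink whose return value exposes truncation instead of overflowing, and a small audit helper for spotting "write_logfile(lbs, str);" style calls in source. The inputs are constructed.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 64   /* deliberately small so truncation is visible */

/* Stand-in for the log sink: bounded formatting with vsnprintf instead of
 * vsprintf. Returns the length the full line would have had (as snprintf
 * does), so callers can detect truncation. */
static int write_logfile(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    return n;
}

/* The pattern the message objects to: user text travels in the format slot. */
int log_text_unsafe(char *buf, size_t buflen, const char *str)
{
    return write_logfile(buf, buflen, str);       /* str is interpreted as a format */
}

/* The fix: constant format, user text as an argument. */
int log_text_safe(char *buf, size_t buflen, const char *str)
{
    return write_logfile(buf, buflen, "%s", str);
}

/* Does s contain a conversion specifier, i.e. a '%' that is not the "%%" escape? */
bool contains_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }       /* literal percent sign */
        return true;
    }
    return false;
}

/* Source-audit helper for lines like "write_logfile(lbs, str);":
 *  1  second argument is a string literal (constant format)
 *  0  second argument is something else (suspicious, review it)
 * -1  the line is not a write_logfile call */
int audit_logfile_call(const char *line)
{
    const char *p = strstr(line, "write_logfile(");
    if (!p)
        return -1;
    p = strchr(p + strlen("write_logfile("), ',');   /* skip the lbs argument */
    if (!p)
        return 0;
    for (p++; *p == ' ' || *p == '\t'; p++)
        ;
    return *p == '"' ? 1 : 0;
}
```

A harmless input such as "50%% done" already shows the difference: through the unsafe path the "%%" collapses to a single "%", proof that the text is being parsed as a format; through the safe path it is logged verbatim. Running audit_logfile_call over every line of the source (grep -n 'write_logfile(' first, then feed each match) lists the calls that still need the "%s".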