Second attempt at preparing a fix for this issue. By the way, CVE-2011-5055, as far as I can see, only applies to the experimental release. That will be fixed when upstream issues a new upstream 2.x release. Could the security page be updated to reflect that?

On 18/01/12 13:24, Adam D. Barratt wrote:
> On 15.01.2012 20:39, Nicholas Bamber wrote:
>> unstable/testing [CVE-2012-0024, CVE-2011-5055]: This was fixed in
>> 1.4.09-1 but Sam has issued one further release, 1.4.10 with a last
>> tweak. For this version all the three CVE tickets are fundamentally the
>> same issue.
>>
>> stable [CVE-2012-0024, CVE-2011-5055]: I previously sent a debdiff. I
>> need to issue a new one.
> [...]
>> I am not sure what to do now apart from issuing 1.4.10-1. Do I raise new
>> bug reports?
>
> Based on the above, I'd suggest, in order:
>
> - update unstable, ensuring that all relevant bugs are fixed there
>
> - confirm with the security team that they don't wish to issue a fix for
> CVE-2011-5055 directly, if you haven't already done so (I suspect they
> won't, but the security tracker doesn't indicate that right now, so it's
> worth checking)
>
> - assuming a nack from the security team, prepare an updated package
> from stable and send the new debdiff to this thread
>
> Does that sound reasonable?
>
> Regards,
>
> Adam

-- 
Nicholas Bamber | http://www.periapt.co.uk/
PGP key 3BFFE73C from pgp.mit.edu
diff -u maradns-1.4.03/debian/changelog maradns-1.4.03/debian/changelog --- maradns-1.4.03/debian/changelog +++ maradns-1.4.03/debian/changelog @@ -1,3 +1,10 @@ +maradns (1.4.03-1.2) unstable; urgency=low + + * Non-maintainer upload. + * Fix CVE-2012-0024 (Closes: #653838) + + -- Nicholas Bamber <nicho...@periapt.co.uk> Tue, 24 Jan 2012 14:32:06 +0000 + maradns (1.4.03-1.1) unstable; urgency=high * Non-maintainer upload by the Security Team only in patch2: unchanged: --- maradns-1.4.03.orig/server/MaraDNS.c +++ maradns-1.4.03/server/MaraDNS.c @@ -3933,6 +3933,24 @@ int recurse_number_ports = 4096; #endif + /* First order of business: Initialize the hash */ + if(mhash_set_add_constant( +#ifdef MINGW32 + "secret.txt" +#else + "/dev/urandom" +#endif + ) != 1) { + printf( +#ifdef MINGW32 + "Fatal error opening secret.txt" +#else + "Fatal error opening /dev/urandom" +#endif + ); + return 32; + } + memset(&client,0,sizeof(client)); /* Initialize ya variables */ clin = (struct sockaddr_in *)&client; #ifdef AUTHONLY only in patch2: unchanged: --- maradns-1.4.03.orig/libs/functions_MaraHash.h +++ maradns-1.4.03/libs/functions_MaraHash.h @@ -39,3 +39,5 @@ */ void *mhash_undef(mhash *hash, js_string *key); +/* Read four bytes from a filename and use that as a secret add constant */ +int mhash_set_add_constant(char *filename); only in patch2: unchanged: --- maradns-1.4.03.orig/libs/MaraHash.c +++ maradns-1.4.03/libs/MaraHash.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2006 Sam Trenholme +/* Copyright (c) 2006,2011 Sam Trenholme * * TERMS * @@ -32,6 +32,7 @@ #include "JsStr.h" #endif #include "MaraHash.h" +#include <stdio.h> /* Masks to limit the size of the hash */ /* These are powers of two, minus one */ @@ -41,6 +42,8 @@ 16777215, 33554431, 67108863, 134217727, 268435455, 536870911, 1073741823 }; +mhash_offset mhash_secret_add_constant = 7; + /* Create a new, blank mhash object input: none output: pointer to the object in quesiton on success, NULL (0) 
@@ -100,6 +103,8 @@ /* Simple enough hash */ while(point < max) { ret += (mhash_offset)(*point << shift); + ret += mhash_secret_add_constant; + ret *= 45737; shift += 7; shift %= hash_bits; point++; @@ -684,3 +689,23 @@ return tuple->tuple_list[element]; } +/* Read four bytes from a filename and use that as a secret add constant */ +int mhash_set_add_constant(char *filename) { + FILE *read = 0; + + read = fopen(filename,"rb"); + if(read == NULL) { + return -1; + } + + mhash_secret_add_constant ^= getc(read); + mhash_secret_add_constant <<= 8; + mhash_secret_add_constant ^= getc(read); + mhash_secret_add_constant <<= 8; + mhash_secret_add_constant ^= getc(read); + mhash_secret_add_constant <<= 7; + mhash_secret_add_constant ^= getc(read); + fclose(read); + return 1; +} +
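Review bot: In the debian/changelog hunk, the new 1.4.03-1.2 entry names `unstable` as its distribution with `urgency=low`, while the thread discusses this debdiff as the update prepared from stable. Please confirm the distribution field matches the suite the upload is meant for before it goes out. The entry closes only CVE-2012-0024, which matches the message's view that CVE-2011-5055 applies to the experimental release only.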
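Review bot: In the server/MaraDNS.c hunk at -3933, the MINGW32 branch passes the relative name "secret.txt" to mhash_set_add_constant(), so the file is looked up in whatever the working directory is at startup, and nothing in the patch documents that it must exist, hold at least four unpredictable bytes, and be kept private. A note in the Windows documentation or a comment at the call site would cover that. The two "Fatal error opening ..." strings are printed with printf() and no trailing newline before `return 32`; writing them to stderr with a newline would make the failure easier to spot in logs.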
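Review bot: In the libs/MaraHash.c hunks at -41 and -100, `mhash_secret_add_constant` is initialised to the fixed value 7 and the hash loop uses it unconditionally, so any program that links this file without first calling mhash_set_add_constant() hashes with a publicly known constant. The only call site visible in this diff is in server/MaraDNS.c; please confirm that every other binary built against libs/MaraHash.c also initialises it, or say in a comment that the default is not collision-resistant. The multiplier in `ret *= 45737;` is a magic number with no comment explaining why it was chosen.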
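Review bot: In the mhash_set_add_constant() hunk at -684, none of the four getc() results is checked, so a short read or read error returns EOF, which is XORed into the constant unnoticed, and the function still returns 1. With /dev/urandom that is unlikely, but an empty or truncated secret.txt on MINGW32 would silently produce a fixed, predictable constant; compare each getc() result against EOF and return -1 after fclose(read). The last shift is `<<= 7` where the two before it are `<<= 8`, while the comment says four bytes are read; if that is intentional it deserves a comment, otherwise the third and fourth bytes overlap by one bit.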