[Bug 1432378] Re: libresolv res_init() does not correctly initialize internals

2015-08-01 Thread Joshua Rogers
The bug has been present since what looks like 2006...
http://cgit.openembedded.org/openembedded/plain/recipes/glibc/files/glibc-2.5-local-dynamic-resolvconf.patch
It's probably present in Debian too: 
http://git.net/debian-glibc/txt5w0qWtefJS.txt

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1432378

Title:
  libresolv res_init() does not correctly initialize internals

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1432378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1432378] Re: libresolv res_init() does not correctly initialize internals

2015-08-01 Thread Joshua Rogers
tl;dr:

res_init() does not correctly initialize the _res struct.

The code:

#include <stdio.h>
#include <netinet/in.h>
#include <resolv.h>

int main(void) {
    res_init();

    if (_res.options & RES_INIT) {
        printf("RES_INIT set.\n");
    } else {
        printf("RES_INIT not set.\n");
    }
    return 0;
}


outputs "RES_INIT set." correctly, and that bit is set. res_init() does all of 
its setting through res_init.c, 
https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/res_init.c;h=66561ffac2ffc039707676ed8b4bf36ee50ee889;hb=HEAD#l151
That's all fine and dandy. -- (The actual resetting happens through the 
function __res_vinit().)

However, res_init() neglects to set things that the Ubuntu-specific eglibc 
requires for it to be a valid struct, such as the last modified time of 
/etc/resolv.conf -- last_mtime.
Thus, the first call to res_query() resets the _res struct, effectively making 
any changes before it and after the original res_init() useless.

As we can see in res_data.c, 
https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/res_data.c;h=81c9ae5bfd7ef71ebb986b5c9572c1859684ba39;hb=HEAD#l185
, res_query() calls __res_maybe_init(), which decides whether we need to 
re-call res_init() or not. 
In the comments for that __res_maybe_init() function:
/* Initialize resp if RES_INIT is not yet set or if res_init in some other
   thread requested re-initializing.  */

On the first run of __res_maybe_init() (thus, effectively, res_query()), it
will always call __res_vinit(), because res_init() does not set the
'last_mtime'. -- That's because the last_mtime is an Ubuntu-specific
feature, likely added for security reasons.

if ((ret == 0) && (last_mtime != statbuf.st_mtime)) {
    last_mtime = statbuf.st_mtime;
    atomicinc (&__res_initstamp);
}
__libc_lock_unlock (lock);
if (__res_initstamp != resp->_u._ext.initstamp) {
    if (resp->nscount > 0)
        __res_iclose (resp, true);
    return __res_vinit (resp, 1);
}


even shorter tl;dr:
'last_mtime' is an Ubuntu-specific feature added to eglibc's resolv library, 
which is only set inside the __res_maybe_init() function.
When calling res_init(), it does not set 'last_mtime', as that uses 
__res_vinit(), not __res_maybe_init().
When calling res_query() for the first time, all the changes made to the _res 
struct are wiped, with the exception of int retrans, int retry, u_long options. 
This is because res_query() uses __res_maybe_init(), which will reset _res if 
'last_mtime' has not been set (or is old).

A quick fix is to replace __res_vinit()'s usage within the res_query()
function with __res_maybe_init(), which takes the exact same parameters.



[Bug 1432378] Re: libresolv res_init() does not correctly initialize internals

2015-03-15 Thread Joshua Rogers
No logs required.

** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed



[Bug 1432378] [NEW] libresolv res_init() does not correctly initialize internals

2015-03-15 Thread Joshua Rogers
Public bug reported:

As reported here: https://sourceware.org/bugzilla/show_bug.cgi?id=18126

The bug, however, is not in the sourceware source code, but in the Ubuntu
one.

https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/res_libc.c;h=ee3fa2114b7051b86f6f9676f1151d1435dedb9d;hb=HEAD#l97


Contrary to what one would think, res_init() does not correctly
initialize the internals for further use by the libresolv family, and
others.

When you call res_init(), it correctly keeps these:

if (!_res.retrans)
    _res.retrans = RES_TIMEOUT;
if (!_res.retry)
    _res.retry = 4;
if (!(_res.options & RES_INIT))
    _res.options = RES_DEFAULT;
else if (_res.nscount > 0)
    __res_iclose (&_res, true); /* Close any VC sockets.  */


then calls __res_vinit():

return (__res_vinit(&_res, 1));


However, programs that use the libresolv family, and others, use the
hidden function __res_maybe_init.

__res_maybe_init determines if res_init() (__res_vinit()) needs to be
called or not.

It does this:

static time_t last_mtime;
struct stat statbuf;
int ret;

if (resp->options & RES_INIT) {
    ret = stat (_PATH_RESCONF, &statbuf);
    __libc_lock_lock (lock);
    if ((ret == 0) && (last_mtime != statbuf.st_mtime)) {
        last_mtime = statbuf.st_mtime;
        atomicinc (&__res_initstamp);
    }
    __libc_lock_unlock (lock);
    if (__res_initstamp != resp->_u._ext.initstamp) {
        if (resp->nscount > 0)
            __res_iclose (resp, true);
        return __res_vinit (resp, 1);
    }
    return 0;


Since the internals have been initialized by res_init(), we don't need to 
reinitialize, normally. The program checks if we do need to reinitialize, such as 
due to a change in the modification date of /etc/resolv.conf.

However, last_mtime is never set when using res_init(), so upon the
first run of __res_maybe_init(), it will always run __res_vinit(). This
will wipe all changes except for the ones that are kept, mentioned
above.


last_mtime should be taken into consideration and handled, when calling 
res_init().


(for reference)
Only these are kept on res_init(), and thus are the only ones kept with the first 
call to __res_maybe_init:
int     retrans;        /* retransmition time interval */
int     retry;          /* number of times to retransmit */
u_long  options;        /* option flags - see below. */


These are wiped, due to this bug:

int     nscount;                /* number of name servers */
struct sockaddr_in
        nsaddr_list[MAXNS];     /* address of name server */
# define nsaddr nsaddr_list[0]  /* for backward compatibility */
u_short id;                     /* current message id */
/* 2 byte hole here.  */
char    *dnsrch[MAXDNSRCH+1];   /* components of domain to search */
char    defdname[256];          /* default domain (deprecated) */
u_long  pfcode;                 /* RES_PRF_ flags - see below. */
unsigned ndots:4;               /* threshold for initial abs. query */
unsigned nsort:4;               /* number of elements in sort_list[] */
unsigned ipv6_unavail:1;        /* connecting to IPv6 server failed */

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: libc libresolv


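Added example (editor's, not glibc/eglibc code and not the reporter's): a small C model of the res_init() / __res_maybe_init() interaction described in the two messages above, so the sequence can be stepped through without a patched libresolv. The struct, the MODEL_ constants, the g_ globals and the function names are constructed stand-ins for _res, RES_INIT/RES_DEFAULT, __res_initstamp, the static last_mtime and the stat() of _PATH_RESCONF; the "fix" branch simply records resolv.conf's mtime inside res_init(), which is what the report asks for, not a patch that exists on the page.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed stand-ins; the real flag values live in <resolv.h>. */
#define MODEL_RES_INIT    0x00000001UL
#define MODEL_RES_DEFAULT 0x00000080UL

struct model_res {
    unsigned long options;
    int nscount;
    char nsaddr[32];        /* stands in for nsaddr_list[0] */
    unsigned initstamp;     /* stands in for _u._ext.initstamp */
};

static unsigned g_res_initstamp;    /* stands in for __res_initstamp */
static time_t   g_last_mtime;       /* the static last_mtime in __res_maybe_init() */
static time_t   g_resolvconf_mtime; /* constructed: what stat(_PATH_RESCONF) would report */

/* __res_vinit() stand-in: rebuild the whole struct from /etc/resolv.conf. */
static int model_vinit(struct model_res *r)
{
    r->options |= MODEL_RES_INIT;
    r->nscount = 1;
    strcpy(r->nsaddr, "server-from-resolv.conf");   /* constructed value */
    r->initstamp = g_res_initstamp;
    return 0;
}

/* res_init() as quoted in the report: keep options, then __res_vinit().
 * With record_mtime set it also notes resolv.conf's mtime (the proposed fix). */
static int model_res_init(struct model_res *r, int record_mtime)
{
    if (!(r->options & MODEL_RES_INIT))
        r->options = MODEL_RES_DEFAULT;
    if (record_mtime)
        g_last_mtime = g_resolvconf_mtime;
    return model_vinit(r);
}

/* __res_maybe_init() stand-in for the branch taken once RES_INIT is set. */
static int model_maybe_init(struct model_res *r)
{
    if (r->options & MODEL_RES_INIT) {
        if (g_last_mtime != g_resolvconf_mtime) {   /* "did resolv.conf change?" */
            g_last_mtime = g_resolvconf_mtime;
            g_res_initstamp++;
        }
        if (g_res_initstamp != r->initstamp)
            return model_vinit(r);   /* this is what discards the caller's edits */
        return 0;
    }
    return model_vinit(r);
}

static void reset_state(void)
{
    g_res_initstamp = 0;
    g_last_mtime = 0;                 /* static storage starts out zero */
    g_resolvconf_mtime = 1425000000;  /* constructed file mtime */
}

/* Returns 1 if a nameserver the caller set after res_init() is still in
 * place after the first query-side __res_maybe_init(), 0 if it was wiped. */
int caller_change_survives_first_query(int with_mtime_fix)
{
    struct model_res r;
    memset(&r, 0, sizeof r);
    reset_state();
    model_res_init(&r, with_mtime_fix);
    strcpy(r.nsaddr, "caller-chosen-server");   /* e.g. a trusted local resolver */
    model_maybe_init(&r);                        /* what res_query() does first */
    return strcmp(r.nsaddr, "caller-chosen-server") == 0;
}

/* Returns 1 if, with the fix in place, an actual edit of /etc/resolv.conf
 * still triggers re-initialisation (the behaviour last_mtime exists for). */
int resolvconf_edit_still_reinitialises(void)
{
    struct model_res r;
    memset(&r, 0, sizeof r);
    reset_state();
    model_res_init(&r, 1);
    strcpy(r.nsaddr, "caller-chosen-server");
    model_maybe_init(&r);              /* no reinit: mtime unchanged */
    g_resolvconf_mtime += 60;          /* constructed: file edited a minute later */
    model_maybe_init(&r);              /* now it must rebuild from the file */
    return strcmp(r.nsaddr, "server-from-resolv.conf") == 0;
}

int main(void)
{
    printf("unpatched: caller change survives first query? %d\n",
           caller_change_survives_first_query(0));
    printf("mtime recorded in res_init(): survives? %d\n",
           caller_change_survives_first_query(1));
    printf("resolv.conf edit still reinitialises? %d\n",
           resolvconf_edit_still_reinitialises());
    return 0;
}
```

The security-relevant point the model makes concrete: a program that pins _res to a resolver it trusts after res_init() silently falls back to whatever /etc/resolv.conf names on its first res_query(), because the first __res_maybe_init() always sees last_mtime (zero) differ from the file's mtime and bumps the init stamp. Recording the mtime at res_init() time removes the spurious first reset while keeping the reset on a real file edit.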

[Bug 1432378] Re: libresolv res_init() does not correctly initialize internals

2015-03-15 Thread Joshua Rogers
Link to the eglibc file that Ubuntu uses:
http://www.eglibc.org/cgi-bin/viewvc.cgi/branches/eglibc-2_19/libc/resolv/res_libc.c?view=markup



[Bug 1432378] Re: libresolv res_init() does not correctly initialize internals

2015-03-15 Thread Joshua Rogers
** Package changed: linux (Ubuntu) => glibc (Ubuntu)



[Bug 1419391] Re: LANG=C environment breaks clock

2015-02-18 Thread Joshua Rogers
Is this one gnome panel clock? Or is this also the indicator?


Thanks

** Attachment added: "Screenshot from 2015-02-19 04:52:43.png"
   https://bugs.launchpad.net/ubuntu/+source/indicator-datetime/+bug/1419391/+attachment/4322008/+files/Screenshot%20from%202015-02-19%2004%3A52%3A43.png



[Bug 1419391] Re: LANG=C environment breaks clock

2015-02-18 Thread Joshua Rogers
Perhaps I should mention I'm using gnome-session-flashback?

And it was both.

If required, I can re-do it and take a screenshot.

Let me know.

Thanks



[Bug 1419391] Re: LANG=C environment breaks clock

2015-02-18 Thread Joshua Rogers
Normal

** Attachment added: "Screenshot from 2015-02-19 02:28:09.png"
   https://bugs.launchpad.net/ubuntu/+source/gnome-panel/+bug/1419391/+attachment/4321883/+files/Screenshot%20from%202015-02-19%2002%3A28%3A09.png



[Bug 1419391] Re: LANG=C environment breaks clock

2015-02-18 Thread Joshua Rogers
Not normal

** Attachment added: "Screenshot from 2015-02-19 02:27:45.png"
   https://bugs.launchpad.net/ubuntu/+source/gnome-panel/+bug/1419391/+attachment/4321884/+files/Screenshot%20from%202015-02-19%2002%3A27%3A45.png



[Bug 1419391] [NEW] LANG=C environment breaks clock

2015-02-07 Thread Joshua Rogers
Public bug reported:

When the environment contains LANG=C (in .pam_environment, for example),
the clock in gnome-panel disappears if it is either in 12-hour format or
it displays seconds.


Thanks

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gnome-panel 1:3.8.0-1ubuntu12.2
ProcVersionSignature: Ubuntu 3.16.0-25.33~14.04.2-generic 3.16.7
Uname: Linux 3.16.0-25-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Feb  8 14:06:58 2015
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/gnome-panel
GsettingsChanges:
 
InstallationDate: Installed on 2014-09-26 (134 days ago)
InstallationMedia: Ubuntu 14.04 LTS Trusty Tahr - Release amd64 (20140417)
ProcEnviron:
 LANGUAGE=en_AU:en
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=set
 LANG=en_AU.UTF-8
 SHELL=/bin/bash
SourcePackage: gnome-panel
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: gnome-panel (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug third-party-packages trusty



[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?

2014-11-14 Thread Joshua Rogers
Just for reference: the vulnerable function is parse_error_msg([..]), not
warningv([..]).

I've attached the patch that the maintainer has recommended for the
latest version of dpkg.

** Patch added: "0001-libdpkg-Escape-package-and-architecture-on-control-f.patch"
   https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135/+attachment/4260926/+files/0001-libdpkg-Escape-package-and-architecture-on-control-f.patch



[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?

2014-11-07 Thread Joshua Rogers
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3127



[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?

2014-11-07 Thread Joshua Rogers
Fixed, my bad..

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3127



[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?

2014-11-04 Thread Joshua Rogers
I think that this is a security bug.

If you make the 'control' file have

Architecture: %08x.%08x.%08x.%08x.%08x

and run --build, it will print five parameters from the stack.


# ./dpkg-deb --build /var/tmp/ok/
dpkg-deb: warning: parsing file '/var/tmp/ok//DEBIAN/control' near line 2 
package 'backup:016b0150.00449f58.0001.0001.0018':
 '�D' is not a valid architecture name: %08x.%08x.%08x.%08x.%08x
dpkg-deb: warning: parsing file '/var/tmp/ok//DEBIAN/control' near line 4 
package 'backup:00449077.00449af0.0001.0001.01bb5790':
 missing maintainer
dpkg-deb: error: parsing file '/var/tmp/ok//DEBIAN/control' near line 4 package 
'backup:00449082.00449af0.0001.0001.01bb5790':
 missing version


This can also be used to overwrite/rewrite the stack, using %n, too.


[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?

2014-11-04 Thread Joshua Rogers
I don't have the time/skill to try, but I'm guessing that if you can
somehow actually build the package with that set as the architecture,
unpacking the .deb file will also be vulnerable, which would definitely
be a security-related bug.

My guess is that it _does_ exist in the unpacking phase too, since the
bug seems to be triggered in lib/dpkg/parsehelp.c.



[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?

2014-11-04 Thread Joshua Rogers
Yep, I'm right.

control file:

Package: backup
Architecture: %08x.%08x.%08x.%08x.%08x\n
Description: Stuff
maintainer: Joshua Rogers
version: 1


 # dpkg-deb/dpkg-deb --build /var/tmp/ok/
dpkg-deb: warning: parsing file '/var/tmp/ok//DEBIAN/control' near line 2 
package 'backup:015fd150.00449f58.0001.0001.001a\n':
 '�D' is not a valid architecture name: %08x.%08x.%08x.%08x.%08x\n
dpkg-deb: warning: ignoring 1 warning about the control file(s)

dpkg-deb: building package `backup:%08x.%08x.%08x.%08x.%08x\n' in
`/var/tmp/ok.deb'.



# dpkg -i ok.deb
dpkg: warning: parsing file '/var/lib/dpkg/available' near line 11413 package 
'backup:017a1e00.00431828.0001.0001.001c\n':
 '%08x.%08x.%08x.%08x.%08x\n
Version: 1
Size: 514
Description: Stuff
[]

(full: http://pastebin.com/qetcDngk )

Unsure if signing of the .deb files happens before or after the parsing of the 
file -- AKA whether or not a MITM attack could be used, if the listing of 
architecture is done before or after checking of the signature.
I won't be testing that though.


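Added example (editor's, not dpkg code and not the attached patch, whose body is not on this page): the control-file fields in the dpkg messages above reach a printf-style reporter as the format string rather than as data, which is why "%08x" prints stack words. The block shows the vulnerable shape beside the two defensive shapes, passing the field as a %s argument, and escaping '%' before the message travels through a second formatter (the approach the patch title "Escape package and architecture on control file parse errors" names), plus a check a packaging pipeline can run on untrusted fields. emit() stands in for dpkg's warningv()/ohshitv(); has_format_directive, escape_percent, report_unsafe, report_as_argument and report_escaped are assumed names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for dpkg's warningv()/ohshitv(): a reporter that treats its
 * third argument as a FORMAT, like the real vfprintf-based ones do. */
static void emit(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, len, fmt, ap);
    va_end(ap);
}

/* Returns 1 if the field contains a '%' a formatter would interpret
 * (any '%' not immediately followed by another '%'); 0 otherwise. */
int has_format_directive(const char *field)
{
    for (const char *p = field; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

/* Double every '%' so that a later *printf treats the text as literal data.
 * Caller frees the result. */
char *escape_percent(const char *field)
{
    size_t n = 0;
    for (const char *p = field; *p; p++)
        n += (*p == '%') ? 2 : 1;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    for (const char *p = field; *p; p++) {
        *q++ = *p;
        if (*p == '%')
            *q++ = '%';
    }
    *q = '\0';
    return out;
}

/* Vulnerable shape (the bug as reported): the untrusted field is pasted into
 * the message, and the message is then handed to emit() as its format. With
 * an architecture of "%08x.%08x" this prints stack words, as the report shows.
 * Only ever called below with directive-free input. */
static void report_unsafe(char *buf, size_t len, const char *pkg, const char *arch)
{
    char msg[256];
    snprintf(msg, sizeof msg, "package '%s:%s': invalid architecture", pkg, arch);
    emit(buf, len, msg);   /* data used as format: the defect */
}

/* Safe shape 1: fixed format, untrusted text only ever as a %s argument. */
const char *report_as_argument(const char *pkg, const char *arch)
{
    static char buf[512];
    emit(buf, sizeof buf, "package '%s:%s': '%s' is not a valid architecture name",
         pkg, arch, arch);
    return buf;
}

/* Safe shape 2: escape the fields first, so a pre-built message that must
 * still pass through a format-interpreting reporter stays literal. */
const char *report_escaped(const char *pkg, const char *arch)
{
    static char buf[512];
    char *p = escape_percent(pkg), *a = escape_percent(arch);
    if (p == NULL || a == NULL) {
        free(p); free(a);
        return NULL;
    }
    char msg[512];
    snprintf(msg, sizeof msg, "package '%s:%s': invalid architecture", p, a);
    free(p); free(a);
    emit(buf, sizeof buf, msg);   /* every '%' in msg is now "%%" */
    return buf;
}

int main(void)
{
    char buf[512];
    const char *arch = "%08x.%08x.%08x.%08x.%08x";   /* constructed, from the report */
    printf("directive in field? %d\n", has_format_directive(arch));
    printf("%s\n", report_as_argument("backup", arch));
    printf("%s\n", report_escaped("backup", arch));
    report_unsafe(buf, sizeof buf, "backup", "amd64");  /* harmless input only */
    printf("%s\n", buf);
    return 0;
}
```

The first defensive shape is the one to prefer in new code; the escaping shape matters where an existing message-building path cannot easily be rewritten and the message is known to be re-interpreted downstream. has_format_directive() is a cheap pre-check for build pipelines that ingest third-party control files.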
[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?

2014-11-04 Thread Joshua Rogers
** Information type changed from Public to Public Security



[Bug 1258003] Re: DiG crashes on +nssearch with +tcp [Outdated in Ubuntu repo]

2014-10-28 Thread Joshua Rogers
Just an update on this: It is patched in Ubuntu 14.04.1.

I have identified another bug in DiG which is yet to be patched in any
version of bind (I only just reported it now), which affects those that
use IPv6.

megamansec@megamansec:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 14.04.1 LTS
Release:14.04
Codename:   trusty

megamansec@megamansec:~$ dig +time=3 +nssearch +tcp internot.info
;; Connection to 2400:cb00:2049:1::adf5:3b95#53(2400:cb00:2049:1::adf5:3b95) 
for internot.info failed: network unreachable.
Segmentation fault

megamansec@megamansec:~$ dig +time=3 +nssearch +tcp google.com
SOA ns1.google.com. dns-admin.google.com. 2014101500 7200 1800 1209600 300 from 
server 216.239.38.10 in 231 ms.
SOA ns1.google.com. dns-admin.google.com. 2014101500 7200 1800 1209600 300 from 
server 216.239.32.10 in 238 ms.
SOA ns1.google.com. dns-admin.google.com. 2014101500 7200 1800 1209600 300 from 
server 216.239.36.10 in 239 ms.
SOA ns1.google.com. dns-admin.google.com. 2014101500 7200 1800 1209600 300 from 
server 216.239.34.10 in 283 ms.


So, perhaps before pushing anything, wait for ISC to fix the most recent bug I 
identified.



[Bug 1258003] Re: DiG crashes on +nssearch with +tcp [Outdated in Ubuntu repo]

2013-12-05 Thread Joshua Rogers
Erm, it looks like /usr/bin/dig is actually provided by `dnsutils', not
bind9. Strange.



[Bug 1258003] [NEW] DiG crashes on +nssearch with +tcp [Outdated in Ubuntu repo]

2013-12-04 Thread Joshua Rogers
Public bug reported:

Precursor: 'DiG' is provided in the package bind9, and the version of DiG is 
the same as the version of bind9.
Whilst running 'DiG' with +nssearch AND +tcp, on the DiG version that is 
available in the repos (DiG 9.8.1-P1), the program segfaults with a core dump.

Example:

13:13:14 (toil@laptop) ~ $ dig -v
DiG 9.8.1-P1
13:13:37 (toil@laptop) ~ $ dig +time=3 +nssearch +tcp internot.info
socket.c:2535: REQUIRE(socketp != ((void *)0) && *socketp == ((void *)0)) 
failed, back trace
#0 0x4f877b in ??
#1 0x4f86c4 in ??
#2 0x52b062 in ??
#3 0xfd03ef in ??
#4 0xfd07c3 in ??
#5 0x51b9ac in ??
#6 0x7cdd4c in ??
#7 0x1ffbae in ??
Aborted (core dumped)


It's strange that it gives a back trace, but that's irrelevant anyways.

Although I'm unsure of which version exactly it's fixed in, it doesn't work 
in DiG 9.10.0a1.
It also seems to be patched in DiG 9.8.4-P2, but that probably isn't useful 
(due to the P2).

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: bind9-host 1:9.8.1.dfsg.P1-4ubuntu0.7
ProcVersionSignature: Ubuntu 3.2.0-56.86-generic 3.2.51
Uname: Linux 3.2.0-56-generic i686
NonfreeKernelModules: wl
ApportVersion: 2.0.1-0ubuntu17.6
Architecture: i386
Date: Thu Dec  5 13:11:08 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 LTS Lucid Lynx - Release i386 (20100429)
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_AU.UTF-8
 SHELL=/bin/bash
SourcePackage: bind9
UpgradeStatus: Upgraded to precise on 2013-08-26 (100 days ago)

** Affects: bind9 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: apport-bug i386 precise



[Bug 1091473] Re: grep 2.11 is vulnerable to Arbitrary command execution

2012-12-28 Thread Joshua Rogers
After more analysis, it may not be vulnerable to command execution.
Not sure.



[Bug 1091473] Re: grep 2.11 is vulnerable to Arbitrary command execution

2012-12-28 Thread Joshua Rogers
Under MORE analysis, it does appear to allow command execution, but I can't get 
the ls -la working.
I'm a noob at asm.



[Bug 1091473] Re: grep 2.11 is vulnerable to Arbitrary command execution

2012-12-27 Thread Joshua Rogers
perl -e 'print "x"x(2**31)' | grep x > /dev/null

just run that
if that's what you mean by a reproducer



[Bug 206314] Re: Grub fails to install correctly on some IBM Intellistations

2008-03-27 Thread Joshua Rogers
I found this solution worked better when specifying the full pathname of
each file:

root (hd0,0)
install --stage2=/boot/grub/stage2 /boot/grub/stage1 d (hd0) /boot/grub/stage2 
p (hd0,0)/boot/grub/menu.lst
