Ubuntu

PowerDNS Recursor Critical Security Issue - PDNS-2010-01

Reported by bert hubert on 2010-01-04
280
This bug affects 4 people
Affects Status Importance Assigned to Milestone
pdns-recursor (Ubuntu)
High
Unassigned
Nominated for Dapper by r12056
Hardy
High
Unassigned
Intrepid
High
Unassigned
Jaunty
High
Unassigned
Karmic
High
Unassigned
Lucid
High
Unassigned

Bug Description

Binary package hint: pdns-recursor

Please contact <email address hidden>, the PowerDNS author ASAP. I've also emailed <email address hidden>.

bert hubert (bert-hubert) wrote :

> One issue is remotely exploitable, and there are no configuration
> countermeasures. The other allows a (skilled) attacker to spoof domain data
> for domain names he does not own.

For issue 1, CVE-2009-4009, for issue 2, CVE-2009-4010.

To further clarify, the information & update will be made public on
Wednesday January 6th, at 16:00 CET (10AM EST).

I've not yet heard from FreeBSD, Ubuntu (Bug #502987), Fedora and Gentoo.
Can you please contact me ASAP?

> Hi everbody,
>
> This Wednesday the release of the PowerDNS Recursor 3.1.7.2 will be made
> public, which fixes two important security issues, one of which is remotely
> exploitable.
>
> Given the critical nature of these vulnerabilities, we are trying to keep
> details confidential for a few more days.
>
> Summary
> -------
> The short version: please contact me off-list if you distribute the PowerDNS
> Recursor (any version), and if you want to gain early access to version
> 3.1.7.2 and associated release notes.
>
> Details
> -------
> The two security issues have been discovered by two parties which we cannot
> yet publicly mention or thank, but they deserve full credit and gratitude
> for their discoveries.
>
> Two CVE numbers have been requested, they will be communicated ASAP.
>
> One issue is remotely exploitable, and there are no configuration
> countermeasures. The other allows a (skilled) attacker to spoof domain data
> for domain names he does not own.
>
> The first issue is at least a DoS, but in all likelihood can be expanded
> into a full compromise ('rooted').
>
> The release that will be made public is already available for distributors.
> Other good news is that it is already serving over a million ISP customers,
> with no apparent problems.
>
> Contact me off-list for quick access to the new PowerDNS Recursor code,
> patch & release notes.

Marc Deslauriers (mdeslaur) wrote :
visibility: private → public
Imre Gergely (cemc) on 2010-01-06
Changed in pdns-recursor (Ubuntu):
assignee: nobody → Imre Gergely (cemc)
status: New → In Progress
Imre Gergely (cemc) wrote :

For Lucid we should wait for Debian, then sync.

This bug affects Karmic, Jaunty, Intrepid and Hardy as well (the all have pdns-recursor <= 3.1.7), for those I'm working on a patch.

See attached debdiff against latest Karmic package (3.1.7-5).
- package was built in a clean pbuilder environment, it built OK
- installing/updating didn't seem to break anything
- I did some basic testing, seems to work ok (can't test it agains the exploits though)

Changed in pdns-recursor (Ubuntu):
assignee: Imre Gergely (cemc) → nobody
Kees Cook (kees) wrote :

To repeat a bit of the IRC discussion: patch looks generally good, but it would be better if it did not include the code clean-ups (dropping unused functions, removing #if 0 code, etc). This will make reviewing, backporting, and possible regression handling easier.

Changed in pdns-recursor (Ubuntu Karmic):
status: New → In Progress
assignee: nobody → Imre Gergely (cemc)
Changed in pdns-recursor (Ubuntu Lucid):
status: In Progress → Confirmed
Changed in pdns-recursor (Ubuntu Hardy):
status: New → Triaged
Changed in pdns-recursor (Ubuntu Jaunty):
status: New → Confirmed
Changed in pdns-recursor (Ubuntu Intrepid):
status: New → Triaged
Changed in pdns-recursor (Ubuntu Hardy):
importance: Undecided → High
Changed in pdns-recursor (Ubuntu Jaunty):
status: Confirmed → Triaged
Changed in pdns-recursor (Ubuntu Karmic):
importance: Undecided → High
Changed in pdns-recursor (Ubuntu Lucid):
status: Confirmed → Triaged
Changed in pdns-recursor (Ubuntu Jaunty):
importance: Undecided → High
Changed in pdns-recursor (Ubuntu Intrepid):
importance: Undecided → High
Changed in pdns-recursor (Ubuntu Lucid):
importance: Undecided → High
Imre Gergely (cemc) wrote :

I've cleaned up the debdiff, should be smaller and more clear now. (Tested this one and it builds and seems to work ok.)

Please take a look. I'll go on to Jaunty and Intrepid if everything's fine with this one.

It looks good - if all you did was remove the bits about #if 0 and
getDirect, then it can't be wrong <TM>.

On Wed, Jan 06, 2010 at 10:33:02PM -0000, Imre Gergely wrote:
> I've cleaned up the debdiff, should be smaller and more clear now.
> (Tested this one and it builds and seems to work ok.)
>
> Please take a look. I'll go on to Jaunty and Intrepid if everything's
> fine with this one.
>
> ** Attachment removed: "pdns-recursor_3.1.7-5ubuntu0.1.debdiff"
> http://launchpadlibrarian.net/37515116/pdns-recursor_3.1.7-5ubuntu0.1.debdiff
>
> ** Attachment added: "pdns-recursor_3.1.7-5ubuntu0.1.debdiff"
> http://launchpadlibrarian.net/37518450/pdns-recursor_3.1.7-5ubuntu0.1.debdiff
>
> --
> PowerDNS Recursor Critical Security Issue - PDNS-2010-01
> https://bugs.launchpad.net/bugs/502987
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Kees Cook (kees) wrote :

Thanks, this looks good to me. I've uploaded it to the security queue now.

Changed in pdns-recursor (Ubuntu Karmic):
status: In Progress → Fix Committed
Changed in pdns-recursor (Ubuntu Hardy):
status: Triaged → New
Changed in pdns-recursor (Ubuntu Intrepid):
status: Triaged → In Progress
Changed in pdns-recursor (Ubuntu Jaunty):
status: Triaged → In Progress
Changed in pdns-recursor (Ubuntu Lucid):
status: Triaged → New
Changed in pdns-recursor (Ubuntu Jaunty):
assignee: nobody → Imre Gergely (cemc)
Changed in pdns-recursor (Ubuntu Intrepid):
assignee: nobody → Imre Gergely (cemc)
bert hubert (bert-hubert) wrote :

Interesting enough, this probably makes Ubuntu the first distribution to
ship an update, even though pdns-recursor is in Universe ;-)

Many thanks!

On Wed, Jan 06, 2010 at 10:51:26PM -0000, Kees Cook wrote:
> Thanks, this looks good to me. I've uploaded it to the security queue
> now.
>
> ** Changed in: pdns-recursor (Ubuntu Karmic)
> Status: In Progress => Fix Committed
>
> ** Changed in: pdns-recursor (Ubuntu Hardy)
> Status: Triaged => New
>
> ** Changed in: pdns-recursor (Ubuntu Intrepid)
> Status: Triaged => In Progress
>
> ** Changed in: pdns-recursor (Ubuntu Jaunty)
> Status: Triaged => In Progress
>
> ** Changed in: pdns-recursor (Ubuntu Lucid)
> Status: Triaged => New
>
> ** Changed in: pdns-recursor (Ubuntu Jaunty)
> Assignee: (unassigned) => Imre Gergely (cemc)
>
> ** Changed in: pdns-recursor (Ubuntu Intrepid)
> Assignee: (unassigned) => Imre Gergely (cemc)
>
> --
> PowerDNS Recursor Critical Security Issue - PDNS-2010-01
> https://bugs.launchpad.net/bugs/502987
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Imre Gergely (cemc) wrote :

Attached debdiff for Jaunty, same patch works because Jaunty also has version 3.1.7. It's building and working OK.

Also fixed the initscript, which prevented the current package to be upgraded/removed.
See: https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/403957

Imre Gergely (cemc) wrote :

Re-added the debdiff for Jaunty (which corrected changelog).

Imre Gergely (cemc) wrote :

Attached debdiff for Intrepid, built, tested and working. Patch was the same as above because Intrepid too has version 3.1.7.

Kees Cook (kees) wrote :

Thanks! I've uploaded them to the security queue now.

Changed in pdns-recursor (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in pdns-recursor (Ubuntu Intrepid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pdns-recursor - 3.1.7-5ubuntu0.1

---------------
pdns-recursor (3.1.7-5ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: first issue is remotely exploitable, likely
    leads to full compromise; second issue allows an attacker to
    spoof domain data for domain names he does not own (LP: #502987)
    - debian/patches/CVE-2009-4009-4010.dpatch: fixes the two
      problems
    - CVE-2009-4009, CVE-2009-4010
 -- Imre Gergely <email address hidden> Wed, 06 Jan 2010 22:19:13 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pdns-recursor - 3.1.7-2ubuntu0.1

---------------
pdns-recursor (3.1.7-2ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: first issue is remotely exploitable, likely
    leads to full compromise; second issue allows an attacker to
    spoof domain data for domain names he does not own (LP: #502987)
    - debian/patches/CVE-2009-4009-4010.dpatch: fixes the two
      problems
    - CVE-2009-4009, CVE-2009-4010
  * Fixed init.d script typo which prevented the stop() function from
    working (LP: #403957)
    - debian/init.d/pdns-recursor
 -- Imre Gergely <email address hidden> Thu, 07 Jan 2010 01:36:22 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pdns-recursor - 3.1.7-1ubuntu0.1

---------------
pdns-recursor (3.1.7-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: first issue is remotely exploitable, likely
    leads to full compromise; second issue allows an attacker to
    spoof domain data for domain names he does not own (LP: #502987)
    - debian/patches/CVE-2009-4009-4010.dpatch: fixes the two
      problems
    - CVE-2009-4009, CVE-2009-4010
 -- Imre Gergely <email address hidden> Thu, 07 Jan 2010 01:35:01 +0200

Changed in pdns-recursor (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in pdns-recursor (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in pdns-recursor (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in pdns-recursor (Ubuntu Hardy):
status: New → Confirmed
Changed in pdns-recursor (Ubuntu Lucid):
status: New → Confirmed
r12056 (r12056) on 2010-02-07
Changed in pdns-recursor (Ubuntu Hardy):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in pdns-recursor (Ubuntu Lucid):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
r12056 (r12056) on 2010-02-07
Changed in pdns-recursor (Ubuntu Hardy):
assignee: Ubuntu Security Team (ubuntu-security) → Imre Gergely (cemc)
Changed in pdns-recursor (Ubuntu Lucid):
assignee: Ubuntu Security Team (ubuntu-security) → Imre Gergely (cemc)
Jan Groenewald (jan-aims) wrote :

I see this has been nominated for dapper. Any plans for an update or backport?

Chris Johnston (cjohnston) wrote :

Removed assignee that was added by r12056.

The nominations may not be appropriate. Please investigate and fix as appropriate.

Changed in pdns-recursor (Ubuntu Lucid):
assignee: Imre Gergely (cemc) → nobody
Changed in pdns-recursor (Ubuntu Hardy):
assignee: Imre Gergely (cemc) → nobody
Jamie Strandboge (jdstrand) wrote :

Lucid now has 3.1.7.2-1.

Changed in pdns-recursor (Ubuntu Lucid):
status: Confirmed → Fix Released
Imre Gergely (cemc) wrote :

Correct, we're still waiting for a patch for the version in Hardy. Because of the greater version difference, an easy patching is not possible (at least not something I could do, as I'm not that familiar with the code).
I will contact upstream again, and if it can't be arranged in a short while, maybe we could try a backport to Hardy.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.

Changed in pdns-recursor (Ubuntu Hardy):
status: Confirmed → Won't Fix
Imre Gergely (cemc) wrote :

As I don't thing we will get a patch for Hardy for this bug, would it be possible to backport 3.3-2 from Precise? At least that way anyone who really wants a new and fixed version and is still using Hardy, they could install it from -backports.

I have 3.3-1 'backported' in my PPA, and if I'm not mistaken it's an easy enough thing to do, I'm running it on my Hardy server for two months now.

Changed in pdns-recursor (Ubuntu Intrepid):
assignee: Imre Gergely (cemc) → nobody
Changed in pdns-recursor (Ubuntu Jaunty):
assignee: Imre Gergely (cemc) → nobody
Changed in pdns-recursor (Ubuntu Karmic):
assignee: Imre Gergely (cemc) → nobody
Jamie Strandboge (jdstrand) wrote :

Imre, we can't backport the full release to hardy from precise in a security update, but you can use hardy-backports for this (conceivably). I suggest you contact the backporters team.

Imre Gergely (cemc) wrote :

I know, I was thinking about -backports , too. Opened a bugreport for it (bug #888627). Thanks.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers