Ubuntu

Multiple security vulnerabilities

Reported by Scott Kitterman on 2008-09-16
256
Affects Status Importance Assigned to Milestone
libspf2 (Ubuntu)
High
Scott Kitterman
Dapper
Undecided
Unassigned
Feisty
Undecided
Unassigned
Gutsy
Undecided
Unassigned
Hardy
Undecided
Unassigned
Intrepid
High
Scott Kitterman

Bug Description

Security changes in the new upcoming release are:

1) responsebuf is now dynamically allocated, avoiding a buffer overrun found and published by openwave.
2) txt record lengths are now handled properly, avoiding a remote exploit.

#2 is the private one.

I have the code and will prepare debdiffs. I don't have a precise embargo date for this yet. Still working on that.

description: updated
Scott Kitterman (kitterman) wrote :

Re: Releasing new libspf2 into debian
 Date: Thu Sep 18 11:33:01 2008
 From: Shevek <email address hidden>
 To: Scott Kitterman <email address hidden>
 CC: Magnus Holmgren <email address hidden>

On Thu, 2008-09-18 at 11:18 -0400, Scott Kitterman wrote:
> On Thursday 18 September 2008 10:02, Shevek wrote:
> > Hi,
> >
> > People are asking me about making this vuln public. How long do you want
> > until you're ready to roll with a fix? You'll still need most of
> > Magnus's debian patches if you're only replacing that one file.
> >
> > S.
>
> For Ubuntu, I can probably get inputs to the security team today. They
> generally need 24-48 hours to get things rolled out. Unfortunately I'm
> leaving town in the morning and will be off the grid for a week (I'd thought
> this would wait until I got back). The Ubuntu development release doesn't
> promise any level of security goodness, so I'll get 1.2.6 into it once I get
> back (hopefully via Debian if Magnus gets it uploaded).
>
> I'll give the Ubuntu security team your name/address as a POC in my absence
> and make sure you know who to email before I go.

I'm still waiting to hear back from Dan, but CERT want to make this into
a CVE. I'm also travelling for work next week, although I'll be on
email, I hope.

I'm tempted to put this out as a quiet security update in both
distributions, preferably in advance of the fanfare, I don't want a CVE
coming out before Debian have released the patch. On the other hand, I
have agreed to wait for Dan.

S.

Scott Kitterman (kitterman) wrote :

I've run out of time. I'll be offline from Friday or Saturday until the following Saturday or Sunday. Shevek has kees and jdstrand's email addresses and is supposed to mail you when it can be release. These are simple diffs to bring the affected file up to the proposed 1.2.6 version. Clearly it can be reduced. Magnus Holmgrem, the Debian Maintainer is working on a minimal patch. Attached is the non-reduced diff for the security fixes for all current distros. For Feisty - Intrepid they are to be applied after the last current patch for each release. Dapper has no patch system, so it's just a direct diff.

Scott Kitterman (kitterman) wrote :

Gutsy and Hardy have the same version.

Scott Kitterman (kitterman) wrote :

Or I'll deal with Intrepid after I get back, but here's a patch anyway.

Scott Kitterman (kitterman) wrote :

I'm back online with no word on when this goes public. As you can see, there is a CVE number now. Sunday PM or Monday I'll be able to roll actual debdiffs based on the reduced patch it looks like Debian will use.

Scott Kitterman (kitterman) wrote :

Word is CVE goes public tomorrow (wed). I'm prepping updated debdiffs based on Debian's patch.

Scott Kitterman (kitterman) wrote :

Intrepid. This one I installed and tested using spfquery and it works. I did not try to recreate the exploit. Dan Kaminsky reviewed the upstream changes this patch is based on and this patch, so I'm not about to second guess him.

Scott Kitterman (kitterman) wrote :

Hardy.Same code change. Test built it.

Scott Kitterman (kitterman) wrote :

Gutsy. Same as Hardy except revision number.

Scott Kitterman (kitterman) wrote :

Feisty. Test built. Code changes the same.

Scott Kitterman (kitterman) wrote :

Dapper. Test built. Code changes the same, but done inline because the package lacks a patch system.

Changed in libspf2:
importance: Undecided → High
status: New → Triaged
Kees Cook (kees) on 2008-10-15
Changed in libspf2:
assignee: nobody → kitterman
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Thanks for your hard work Scott. I have been able to find libspf2-1.2.8.tar.gz on the net, which includes these patches, so I am going to mark this public.

Couple of things:
1. the dapper debdiff should use 1.2.5-3ubuntu0.1 as the version
2. the uploaded hardy debdiff was actually the intrepid debdiff
3. we now use a different changelog format as per https://wiki.ubuntu.com/SecurityUpdateProcedures. This won't affect this upload, but thought you'd like to know

I have adjusted the dapper version and created a hardy debdiff based on intrepid, since they are both based on version 1.2.5.

Jamie Strandboge (jdstrand) wrote :

I also just noticed that hardy and gutsy both have a release version of 1.2.5.dfsg-4. Therefore, the gutsy update should have 1.2.5.dfsg-4ubuntu.0.7.10.1 and hardy 1.2.5.dfsg-4ubuntu.0.8.04.1. I'll fix that as well and upload shortly.

Changed in libspf2:
status: New → In Progress
status: New → In Progress
status: New → In Progress
status: New → In Progress
Changed in libspf2:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libspf2 - 1.2.5.dfsg-5ubuntu1

---------------
libspf2 (1.2.5.dfsg-5ubuntu1) intrepid; urgency=high

  * SECURITY UPDATE:
  * References CVE2008-2469
  * Add 50_dns_resolv_bufoverflow.dpatch to fix buffer overflows handling DNS
    responses. (LP: #271025)

 -- Scott Kitterman <email address hidden> Tue, 14 Oct 2008 22:58:15 -0400

Changed in libspf2:
status: In Progress → Fix Released

Thanks for fixing up the debdiffs. I guess I was up to late last night.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libspf2 - 1.2.5.dfsg-4ubuntu0.8.04.1

---------------
libspf2 (1.2.5.dfsg-4ubuntu0.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: buffer overflow when handling DNS responses (LP: #271025)
    - debian/patches/50_dns_resolv_bufoverflow.dpatch: dynamically allocate
      responsebug and properly check txt record lengths. Thanks to Scott
      Kitterman.
    - CVE-2008-2469

 -- Jamie Strandboge <email address hidden> Wed, 15 Oct 2008 07:43:31 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libspf2 - 1.2.5.dfsg-4ubuntu0.7.10.1

---------------
libspf2 (1.2.5.dfsg-4ubuntu0.7.10.1) gutsy-security; urgency=high

  * SECURITY UPDATE:
  * References CVE-2008-2469
  * Add 50_dns_resolv_bufoverflow.dpatch to fix buffer overflows handling DNS
    responses. (LP: #271025)

 -- Scott Kitterman <email address hidden> Wed, 15 Oct 2008 00:14:25 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libspf2 - 1.2.5-4ubuntu3.1

---------------
libspf2 (1.2.5-4ubuntu3.1) feisty-security; urgency=high

  * SECURITY UPDATE:
  * References CVE2008-2469
  * Add 50_dns_resolv_bufoverflow.dpatch to fix buffer overflows handling DNS
    responses. (LP: #271025)

 -- Scott Kitterman <email address hidden> Wed, 15 Oct 2008 00:28:47 -0400

Changed in libspf2:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in libspf2:
status: Fix Committed → Fix Released
Scott Kitterman (kitterman) wrote :

For completeness sake, here's Dan Kaminsky's paper on the issue:

http://www.doxpara.com/?p=1263

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers