Bug 1066609 (CVE-2014-2031, CVE-2014-2032)

Summary: CVE-2014-2031 CVE-2014-2032 maradns: DoS due to incorrect bounds checking on certain strings
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: extras-orphan, mmcallis, tomek
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-18 21:19:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1066611, 1066612    
Bug Blocks:    

Description Martin Prpič 2014-02-18 17:27:51 UTC 
It was reported [1],[2] that MaraDNS's recursive resolver, Deadwood,
suffers from a flaw where string bounds checking was not done correctly
under certain circumstances. As a result, it was possible for a remote
attacker to send Deadwood a "packet of death", which would cause Deadwood
to crash. Upstream notes that it currently appears that this attack can
only be exploited by an IP address with a permission to perform recursive
queries against Deadwood.

It looks like these are the appropriate patches in git:

https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093
https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3

[1] http://samiam.org/blog/2014-02-12.html
[2] http://secunia.com/advisories/57033/
Comment 1 Martin Prpič 2014-02-18 17:30:48 UTC 
Created maradns tracking bugs for this issue:

Affects: fedora-all [bug 1066611]
Affects: epel-5 [bug 1066612]
Comment 2 Tomasz Torcz 2014-02-18 18:33:52 UTC 
F20 update went stable few days ago. Please check facts before opening such bugs.
F19 update waits for testers. 
I don't care about EPEL.
Comment 3 Vincent Danen 2014-02-18 21:14:43 UTC 
(In reply to Tomasz Torcz from comment #2)
> F20 update went stable few days ago. Please check facts before opening such
> bugs.
> F19 update waits for testers. 
> I don't care about EPEL.

Please don't close SRT bugs.  This bug was not assigned to you, so please don't close it.

We don't care whether you care about EPEL.  The maintainer should care about it.  If you're the maintainer of the EPEL version, then I'd suggest we have a problem and maybe someone who _does_ care should take care of it (since it is shipped and, presumably, supported in EPEL5).
Comment 4 Vincent Danen 2014-02-18 21:19:22 UTC 
Also, instead of making some rude comments, you could have pointed to the fixed packages:

https://admin.fedoraproject.org/updates/FEDORA-2014-2421 (maradns-2.0.09-1.fc20)
https://admin.fedoraproject.org/updates/FEDORA-2014-2439 (maradns-2.0.09-1.fc19, but this one is currently in testing, not stable)
Comment 5 Tomas Hoger 2014-02-19 07:45:37 UTC 
(In reply to Vincent Danen from comment #3)
> We don't care whether you care about EPEL.  The maintainer should care about
> it.  If you're the maintainer of the EPEL version, then I'd suggest we have
> a problem and maybe someone who _does_ care should take care of it (since it
> is shipped and, presumably, supported in EPEL5).

Or have it removed if it's unmaintained:
https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life#EPEL
Comment 6 Murray McAllister 2014-02-20 06:11:11 UTC 
MITRE assigned the following CVEs:

CVE-2014-2031 https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093

CVE-2014-2032 https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3

Reference: http://seclists.org/oss-sec/2014/q1/399