Bug 600738

Summary: MaraDNS: Use-after-free when parsing csv2 zone file containing hostnames not ending with '.' character
Product: [Fedora] Fedora EPEL
Reporter: Jan Lieskovsky <jlieskov>
Component: maradns
Assignee: Orphan Owner <extras-orphan>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: el5
CC: mfleming+rpm
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584587#5
Doc Type: Bug Fix
Clone Of:
: 600739
Last Closed: 2015-01-15 16:43:08 UTC
Bug Blocks: 600739, 600740, 600741, 608733

Attachments:
Local copy of "maradns-1.4.02-parse_segfault.patch" from [2]

Description Jan Lieskovsky 2010-06-05 20:23:36 UTC
MaraDNS upstream, in version v1.4.03, fixed the following bug (from the
patch changelog):

<begin quote>

This fixes a bug introduced in MaraDNS 1.3.03 (January 2007) when
I allowed '.' to be in a hostname: Hostnames that incorrectly do not
end with a dot result in a string being deallocated then used.

MaraDNS 1.2 does not have this issue.

This issue cannot be exploited from zones loaded using DNS's zone
transfer mechanism; fetchzone filters data obtained this way.  This issue
can only be exploited in the unusual case of an attacker having control
of the contents of a csv2 zone file to be parsed by MaraDNS.

This issue, on Linux systems, results in a null pointer dereference that
does not appear to be exploitable.

This patch applies cleanly to MaraDNS 1.4.02 and against 1.3.07.09.

<end quote>

Red Hat Security Response Team wouldn't consider this to be a security
issue, as it's just a NULL pointer dereference and requires the attacker
to have control of the contents of a csv2 zone file to be parsed
by MaraDNS (which is quite unlikely). But it's still a bug / deficiency,
which should be addressed.

References:
  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584587
  [2] http://maradns.org/download/maradns-1.4.02-parse_segfault.patch
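An added illustration, not MaraDNS code and not part of this report: the safe ordering for the trailing-dot fix the changelog describes (build the corrected string before releasing the old one), plus a pre-load check that flags csv2 names missing the trailing dot so an unpatched server is never fed such a file. The simplified csv2 layout it assumes (name first on each line, '#' comment lines) and the sample zone text are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Fresh heap copy of name that is guaranteed to end in '.'; the input is
 * never freed here, so no freed buffer is ever read. */
char *canonical_hostname(const char *name) {
    size_t len = strlen(name);
    int needs_dot = (len == 0 || name[len - 1] != '.');
    char *out = malloc(len + needs_dot + 1);
    if (out == NULL) return NULL;
    memcpy(out, name, len);
    if (needs_dot) out[len] = '.';
    out[len + needs_dot] = '\0';
    return out;
}

/* Replace a heap-owned name with its canonical form: build the new string
 * first, release the old one last. Freeing first, then reading the old
 * name, is the ordering the changelog describes. */
int canonicalize_in_place(char **pname) {
    char *fixed = canonical_hostname(*pname);
    if (fixed == NULL) return -1;
    free(*pname);
    *pname = fixed;
    return 0;
}

/* Count record lines whose leading name lacks the trailing '.'. Assumes a
 * simplified csv2 layout (name first, '#' comment lines), not the full grammar. */
int count_unterminated_names(const char *zone) {
    int bad = 0;
    const char *p = zone;
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        while (linelen > 0 && (*p == ' ' || *p == '\t')) { p++; linelen--; }
        if (linelen > 0 && *p != '#') {
            size_t n = 0;
            while (n < linelen && p[n] != ' ' && p[n] != '\t') n++;
            if (p[n - 1] != '.') bad++; /* n >= 1: first char is non-blank */
        }
        if (eol == NULL) break;
        p = eol + 1;
    }
    return bad;
}

const char SAMPLE_ZONE[] = /* constructed sample, not from the report */
    "# csv2-style sample\nexample.com. A 192.0.2.1\n"
    "www.example.com A 192.0.2.2\n  mail.example.com. MX 10 mx.example.com.\n";
```

Running `count_unterminated_names(SAMPLE_ZONE)` reports the one record (`www.example.com`) that would have hit the bug in an unpatched 1.3.03 to 1.4.02 parser.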

Comment 1 Jan Lieskovsky 2010-06-05 20:27:48 UTC
Created attachment 421489
Local copy of "maradns-1.4.02-parse_segfault.patch" from [2]

While the current EPEL-5 version of MaraDNS seems to already contain
some hunks of this patch, Michael, please double-check && rebuild
if necessary (at least the first hunk seems applicable).

Thanks, Jan.

Comment 2 Eric Christensen 2015-01-15 16:43:08 UTC
This package has been retired.  This ticket should be reopened if the package is unretired.