Bug 600739

Summary: MaraDNS: Use-after-free when parsing csv2 zone file containing hostnames not ending with '.' character
Product: Fedora
Reporter: Jan Lieskovsky <jlieskov>
Component: maradns
Assignee: Michael Fleming <mfleming+rpm>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 11
CC: mfleming+rpm
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584587#5
Doc Type: Bug Fix
Clone Of: 600738
Clones: 600740
Last Closed: 2010-06-28 15:45:12 UTC
Bug Depends On: 600738
Bug Blocks: 600740, 600741, 608733
Attachments:
  Local copy of "maradns-1.4.02-parse_segfault.patch" from [2] (flags: none)

Description Jan Lieskovsky 2010-06-05 20:28:46 UTC
+++ This bug was initially created as a clone of Bug #600738 +++

MaraDNS upstream, in version v1.4.03, fixed the following bug (from the
patch changelog):

<begin quote>

This fixes a bug introduced in MaraDNS 1.3.03 (January 2007) when
I allowed '.' to be in a hostname: Hostnames that incorrectly do not
end with a dot result in a string being deallocated and then used.

MaraDNS 1.2 does not have this issue.

This issue can not be exploited from zones loaded using DNS's zone
transfer mechanism; fetchzone filters data obtained this way.  This issue
can only be exploited in the unusual case of an attacker having control
of the contents of a csv2 zone file to be parsed by MaraDNS.

This issue, on Linux systems, results in a null pointer dereference that
does not appear to be exploitable.

This patch applies cleanly to MaraDNS 1.4.02 and against 1.3.07.09.

<end quote>

Red Hat Security Response Team wouldn't consider this to be a security
issue, as it's just a NULL pointer dereference and requires the attacker
to have control of the contents of a csv2 zone file to be parsed
by MaraDNS (which is quite unlikely). But it's still a bug / deficiency,
which should be addressed.

References:
  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584587
  [2] http://maradns.org/download/maradns-1.4.02-parse_segfault.patch

--- Additional comment from jlieskov on 2010-06-05 16:27:48 EDT ---

Created an attachment (id=421489)
Local copy of "maradns-1.4.02-parse_segfault.patch" from [2]

While the current F-11 version of MaraDNS seems to already contain
some hunks of this patch, Michael, please double-check && rebuild
if necessary (at least the first hunk seems applicable).

Thanks, Jan.
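The changelog quoted above describes the bug class in one sentence: a hostname without a trailing dot takes an error path that deallocates the working string, and later code still reads it. The following is an added illustration (not MaraDNS code; the csv2 parser itself is not on this page) of the ownership pattern that avoids that class of defect: validate the name first, and on rejection free the buffer and clear the pointer before returning, so nothing downstream can dereference it. The function names (`csv2_name_is_fqdn`, `csv2_parse_hostname`, `csv2_accepts`) and the sample names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical csv2-style hostname check (illustration, not MaraDNS code).
 * A csv2 zone file spells names fully qualified with a trailing '.', so
 * "www.example.com." is acceptable and "www.example.com" is the malformed
 * input the upstream changelog describes. */
bool csv2_name_is_fqdn(const char *name)
{
    size_t n;
    if (name == NULL)
        return false;
    n = strlen(name);
    if (n < 2)                 /* "" and "." alone carry no label */
        return false;
    if (name[n - 1] != '.')    /* the missing trailing dot is the bad case */
        return false;
    if (name[n - 2] == '.')    /* "example.." would contain an empty label */
        return false;
    return true;
}

/* A parsed record: name is owned heap memory, or NULL when the input was
 * rejected; reason explains a rejection. */
typedef struct {
    char *name;
    const char *reason;
} csv2_record;

static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL)
        memcpy(copy, s, len);
    return copy;
}

/* The bug class from the changelog is an error path that frees the working
 * buffer and then keeps using it. The ordering below avoids that: the
 * buffer is either handed to the caller intact or freed and the pointer
 * cleared before the function returns, so no dangling pointer survives. */
csv2_record csv2_parse_hostname(const char *raw)
{
    csv2_record rec = { NULL, NULL };
    char *copy = dup_string(raw);
    if (copy == NULL) {
        rec.reason = "out of memory";
        return rec;
    }
    if (!csv2_name_is_fqdn(copy)) {
        free(copy);
        copy = NULL;                     /* nothing may dereference it now */
        rec.reason = "hostname must be fully qualified (end with '.')";
        return rec;
    }
    rec.name = copy;                     /* ownership passes to the caller */
    return rec;
}

void csv2_record_free(csv2_record *rec)
{
    free(rec->name);
    rec->name = NULL;
    rec->reason = NULL;
}

/* Returns 1 if raw is accepted and the stored copy matches it exactly,
 * 0 if it is rejected. */
int csv2_accepts(const char *raw)
{
    csv2_record rec = csv2_parse_hostname(raw);
    int ok = (rec.name != NULL && strcmp(rec.name, raw) == 0);
    csv2_record_free(&rec);
    return ok;
}

int main(void)
{
    /* Constructed sample names, including the malformed case from the report. */
    const char *samples[] = { "www.example.com.", "www.example.com", "example..", "." };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        csv2_record rec = csv2_parse_hostname(samples[i]);
        if (rec.name != NULL)
            printf("accepted: %s\n", rec.name);
        else
            printf("rejected: %s (%s)\n", samples[i], rec.reason);
        csv2_record_free(&rec);
    }
    return 0;
}
```

Run stand-alone, the program accepts only the first sample and reports a reason for each of the other three. The design point is that rejection and release happen in one place and the pointer is nulled immediately, which turns the changelog's "deallocated then used" scenario into a NULL check that a reviewer or a sanitizer build can see.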

Comment 1 Jan Lieskovsky 2010-06-05 20:29:22 UTC
Created attachment 421490 [details]
Local copy of "maradns-1.4.02-parse_segfault.patch" from [2]

Comment 2 Bug Zapper 2010-06-28 15:45:12 UTC
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.