Multiple security vulnerabilities

Re: Releasing new libspf2 into debian
 Date: Thu Sep 18 11:33:01 2008
 From: Shevek <email address hidden>
 To: Scott Kitterman <email address hidden>
 CC: Magnus Holmgren <email address hidden>

On Thu, 2008-09-18 at 11:18 -0400, Scott Kitterman wrote:
> On Thursday 18 September 2008 10:02, Shevek wrote:
> > Hi,
> >
> > People are asking me about making this vuln public. How long do you want
> > until you're ready to roll with a fix? You'll still need most of
> > Magnus's debian patches if you're only replacing that one file.
> >
> > S.
>
> For Ubuntu, I can probably get inputs to the security team today. They
> generally need 24-48 hours to get things rolled out. Unfortunately I'm
> leaving town in the morning and will be off the grid for a week (I'd thought
> this would wait until I got back). The Ubuntu development release doesn't
> promise any level of security goodness, so I'll get 1.2.6 into it once I get
> back (hopefully via Debian if Magnus gets it uploaded).
>
> I'll give the Ubuntu security team your name/address as a POC in my absence
> and make sure you know who to email before I go.

I'm still waiting to hear back from Dan, but CERT want to make this into
a CVE. I'm also travelling for work next week, although I'll be on
email, I hope.

I'm tempted to put this out as a quiet security update in both
distributions, preferably in advance of the fanfare, I don't want a CVE
coming out before Debian have released the patch. On the other hand, I
have agreed to wait for Dan.

S.

I've run out of time. I'll be offline from Friday or Saturday until the following Saturday or Sunday. Shevek has kees and jdstrand's email addresses and is supposed to mail you when it can be release. These are simple diffs to bring the affected file up to the proposed 1.2.6 version. Clearly it can be reduced. Magnus Holmgrem, the Debian Maintainer is working on a minimal patch. Attached is the non-reduced diff for the security fixes for all current distros. For Feisty - Intrepid they are to be applied after the last current patch for each release. Dapper has no patch system, so it's just a direct diff.

Gutsy and Hardy have the same version.

Or I'll deal with Intrepid after I get back, but here's a patch anyway.

I'm back online with no word on when this goes public. As you can see, there is a CVE number now. Sunday PM or Monday I'll be able to roll actual debdiffs based on the reduced patch it looks like Debian will use.

Word is CVE goes public tomorrow (wed). I'm prepping updated debdiffs based on Debian's patch.

Intrepid. This one I installed and tested using spfquery and it works. I did not try to recreate the exploit. Dan Kaminsky reviewed the upstream changes this patch is based on and this patch, so I'm not about to second guess him.

Hardy.Same code change. Test built it.

Gutsy. Same as Hardy except revision number.

Feisty. Test built. Code changes the same.

Dapper. Test built. Code changes the same, but done inline because the package lacks a patch system.

Thanks for your hard work Scott. I have been able to find libspf2-1.2.8.tar.gz on the net, which includes these patches, so I am going to mark this public.

Couple of things:
1. the dapper debdiff should use 1.2.5-3ubuntu0.1 as the version
2. the uploaded hardy debdiff was actually the intrepid debdiff
3. we now use a different changelog format as per https://wiki.ubuntu.com/SecurityUpdateProcedures. This won't affect this upload, but thought you'd like to know

I have adjusted the dapper version and created a hardy debdiff based on intrepid, since they are both based on version 1.2.5.

I also just noticed that hardy and gutsy both have a release version of 1.2.5.dfsg-4. Therefore, the gutsy update should have 1.2.5.dfsg-4ubuntu.0.7.10.1 and hardy 1.2.5.dfsg-4ubuntu.0.8.04.1. I'll fix that as well and upload shortly.

This bug was fixed in the package libspf2 - 1.2.5.dfsg-5ubuntu1

---------------
libspf2 (1.2.5.dfsg-5ubuntu1) intrepid; urgency=high

  * SECURITY UPDATE:
  * References CVE2008-2469
  * Add 50_dns_resolv_bufoverflow.dpatch to fix buffer overflows handling DNS
    responses. (LP: #271025)

 -- Scott Kitterman <email address hidden> Tue, 14 Oct 2008 22:58:15 -0400

Thanks for fixing up the debdiffs. I guess I was up to late last night.

This bug was fixed in the package libspf2 - 1.2.5.dfsg-4ubuntu0.8.04.1

---------------
libspf2 (1.2.5.dfsg-4ubuntu0.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: buffer overflow when handling DNS responses (LP: #271025)
    - debian/patches/50_dns_resolv_bufoverflow.dpatch: dynamically allocate
      responsebug and properly check txt record lengths. Thanks to Scott
      Kitterman.
    - CVE-2008-2469

 -- Jamie Strandboge <email address hidden> Wed, 15 Oct 2008 07:43:31 -0500

This bug was fixed in the package libspf2 - 1.2.5.dfsg-4ubuntu0.7.10.1

---------------
libspf2 (1.2.5.dfsg-4ubuntu0.7.10.1) gutsy-security; urgency=high

  * SECURITY UPDATE:
  * References CVE-2008-2469
  * Add 50_dns_resolv_bufoverflow.dpatch to fix buffer overflows handling DNS
    responses. (LP: #271025)

 -- Scott Kitterman <email address hidden> Wed, 15 Oct 2008 00:14:25 -0400

This bug was fixed in the package libspf2 - 1.2.5-4ubuntu3.1

---------------
libspf2 (1.2.5-4ubuntu3.1) feisty-security; urgency=high

  * SECURITY UPDATE:
  * References CVE2008-2469
  * Add 50_dns_resolv_bufoverflow.dpatch to fix buffer overflows handling DNS
    responses. (LP: #271025)

 -- Scott Kitterman <email address hidden> Wed, 15 Oct 2008 00:28:47 -0400

For completeness sake, here's Dan Kaminsky's paper on the issue:

http://www.doxpara.com/?p=1263