[MaraDNS] MaraDNS security update

[Sam Trenholme]

I have made a security update for MaraDNS and Deadwood. Everyone is
encouraged to update MaraDNS and Deadwood at their soonest
convenience.

There is a buffer overflow (actually, underflow) in Deadwood which
allows an out of bounds memory location to be overwritten with the
output of malloc().

It is unknown whether this buffer underflow is remotely exploitable;
it has only been seen on systems where there is no default gateway
route.

Unlike other recent bugs which have popped up, this is not something
from the 2001-2002 codebase; this is from the 2009 codebase when I
added code to merge multiple inflight connections, to protect against
attacks like https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4392
(Yeah, spoofing is much more dangerous than being able to possibly
remotely crash Deadwood, so I made the right call)

I have verified that the 2.3 branch of Deadwood doesn’t have inflight
merging, so it doesn’t have this bug.

In flight merging (and this bug) was added on August 31, 2009, in
Deadwood 2.4.07
http://maradns.blogspot.com/2009/08/deadwood-2407-released.html

In addition, there are two buffer overflows (actually, one buffer
overflow and one buffer underflow) in ParseMaraRc.c. One of the buffer
overruns can not be exploited, the other is a difficult to exploit
buffer overflow (actually, underflow) in the mararc parser. The
workaround is to not let random people edit the mararc file (which is
usually in /etc and owned by root); the fix is in MaraDNS 2.0.13.

The MaraDNS exploit is very limited. It’s not possible to write to any
memory with this bug; it only allows MaraDNS to read from a memory
location she should not read from.

Deadwood 3.2.09 and MaraDNS 2.0.13 fix these bugs, and are available
for download here:

http://maradns.samiam.org/download.html

If anyone else finds any bugs in MaraDNS, feel free to file a GitHub
bug report: https://github.com/samboy/MaraDNS

- Sam