MaraDNS minor security update

Sam Trenholme strenholme.usenet at gmail.com
Tue Feb 2 13:00:36 EST 2010


I have released MaraDNS 1.4.03 and 1.3.07.10 today. This fixes a minor
security issue; MaraDNS' first known security problem since 2007.

There was a bug introduced in MaraDNS 1.3.03 (January 2007): Hostnames
that incorrectly do not end with a dot result in a string being
deallocated then used.

MaraDNS 1.2 does not have this issue.

This issue can not be exploited from zones loaded using DNS's zone
transfer mechanism; fetchzone filters data obtained this way. This
issue can only be exploited in the unusual case of an attacker having
control of the contents of a csv2 zone file to be parsed by MaraDNS.

This issue, on Linux systems, results in a null pointer dereference
that terminates that MaraDNS process.

Impact: Denial of service

This issue is now fixed in MaraDNS 1.4.03 and 1.3.07.10, released
February 2, 2010. I have already talked with the relevant people at
Debian, who feel this bug is not serious enough to warrant a new
stable release of MaraDNS in the Debian repositories.

The updated files can be downloaded here:

http://www.maradns.org/download.html

http://sourceforge.net/projects/maradns/

Note also that MaraDNS 1.4.03 documents the reject_aaaa/ptr
parameters, as per this weekend's discussion on the list.

Personal note: There is a possibility that some hard core DJB advocate
will say "Look at how buggy MaraDNS is; you should use DJBdns
instead".  May I point out, to this imaginary annoying advocate (I
love making up people who are the worst of the types of twits the
internet has), that DJBdns has three security problems, including a
remote denial of service and a way to spoof records with DJBdns.  May
I also point out this bug was added during the process of adding a
feature users want: BIND zone file support.  If I had kept with
MaraDNS 1.0's ugly zone file format, I would not have had this bug.
There is a balance between security and features; it is not good to
make a program with almost no features then proclaim "I'm more secure
than everyone else!".

Security is a process; there is no such thing as a perfectly secure
program.  The only way to keep a program secure is to be honest about
the program's security problems and patch them in a timely manner.
DJBdns is still insecure because DJB walked away from this program a
decade ago, and has since made no updates (except finally making the
license reasonable in 2007).

- Sam

Note: I do not answer MaraDNS (including Deadwood) support requests
sent by private email without being compensated for my time. A MaraDNS
support request is any and all discussion you may wish to have about
MaraDNS in private email; if you want to email me to talk about
MaraDNS then, yes, that is a support request. I will discuss rates if
you want this kind of support. Thank you for your understanding.

MaraDNS security vulnerability reports, however, will be dealt with
without charge and kept confidential. If you don't know what Bugtraq
is, then, no, your email is not a security report. It is not a
security report unless you've done due diligence to determine how the
security bug you think you found can reasonably be exploited.

