From dalias at aerifal.cx Fri Jun 1 23:34:31 2012
From: dalias at aerifal.cx (Rich Felker)
Date: Fri, 1 Jun 2012 23:34:31 -0400
Subject: [MaraDNS list] Multiple issues in JsStrOS.c
Message-ID: <20120602033431.GO163@brightrain.aerifal.cx>

I've been trying to track down some problems that might be in MaraDNS
or my system (musl libc), and I just got around to reading the string
library code and found some potentially-serious issues.

1. Integer overflow in js_alloc (JsStrOS.c line 66):

    data = (void *)malloc(unit_count * unit_size);

I don't believe this is exploitable in MaraDNS (unit_size is actually
usually 1), but it's still a serious bug at the library level.

2. js_alloc aborts the calling program on failure. This is just really
bad behavior for a library, and creates a DoS vulnerability in any
software using it. As far as I can tell, MaraDNS properly checks
js_alloc for failure despite the fact that it can never return failure
(it's already aborted). In addition, the code writes to stdout before
terminating, which is also troubling to see in library code.

Rich (same guy as back in 2005)

From maradns at gmail.com Sat Jun 2 18:28:23 2012
From: maradns at gmail.com (Sam Trenholme)
Date: Sat, 2 Jun 2012 18:28:23 -0400
Subject: [MaraDNS list] Multiple issues in JsStrOS.c
In-Reply-To: <20120602033431.GO163@brightrain.aerifal.cx>
References: <20120602033431.GO163@brightrain.aerifal.cx>
Message-ID:

Since this is attempting to come off as a security report, I will
briefly humor Rich and reply to him even though it's not after the
20th.

This is the only reply I'm going to give Rich unless he either:

1) Has found a CVE-worthy security report (he hasn't)

2) Has patches to submit to me and the mailing list. Keep in mind that
attachments get scrubbed; Cc me when submitting patches. I will look
at such patches after the 20th of this month.

The bottom line, Rich, is that it is better to light a candle than
cure the darkness. If you have an issue with MaraDNS' library, you
would be a far more productive person if you submitted a patch to
address the issue instead of just complaining on the mailing list.

I'm sorry the libraries do not meet your arbitrary criteria of what a
"good library" has, but you're not paying me enough to have me fix
them for you.

You are aware that MaraDNS 1 is no longer supported and that MaraDNS 2
only uses the really old code you're complaining about in the
authoritative code, which means that nothing about MaraDNS 2's memory
state can be changed by a remote attacker. Deadwood is a complete
rewrite, and you haven't reported any issues with Deadwood's libs.

MaraDNS 1 is only supported for serious security issues at this point,
and to be honest, I'm currently deciding whether to cut off that
support in 2015 or 2017. Probably 2015.

"continues to function normally when malloc() fails" has never been
a design criteria for either MaraDNS or Deadwood. The only OSes I
support are Windows and RHEL6-derived versions of Linux. Both OSes
are either rebooting or randomly killing processes long before
malloc() starts failing.

Again, Rich, don't waste my time with random whining. I have finished
MaraDNS; if you don't like the way it's written, submit a patch. This
is my last out of band reply to you. I'm not going to reply to you
until after the 20th of any given month, and only reply to you once a
month, unless you have a CVE number.

- Sam

From dalias at aerifal.cx Sat Jun 2 18:59:55 2012
From: dalias at aerifal.cx (Rich Felker)
Date: Sat, 2 Jun 2012 18:59:55 -0400
Subject: [MaraDNS list] Multiple issues in JsStrOS.c
In-Reply-To:
References: <20120602033431.GO163@brightrain.aerifal.cx>
Message-ID: <20120602225955.GS163@brightrain.aerifal.cx>

On Sat, Jun 02, 2012 at 06:28:23PM -0400, Sam Trenholme wrote:
> Since this is attempting to come off as a security report, I will
> briefly humor Rich and reply to him even though it's not after the
> 20th.

I'm not clear what I did that warranted this kind of hostile response.
It's certainly not the sort of communication we had back in 2005..

> The bottom line, Rich, is that it is better to light a candle than
> cure the darkness. If you have an issue with MaraDNS' library, you
> would be a far more productive person if you submitted a patch to
> address the issue instead of just complaining on the mailing list.

The homepage says "MaraDNS support (including bug reports) is
available on the MaraDNS mailing list." so I figured it was
appropriate to send a bug report. Perhaps the fact that the subject
line sounded a bit like a security advisory was problematic..?

> You are aware that MaraDNS 1 is no longer supported

Yes.

> and that MaraDNS 2
> only uses the really old code you're complaining about in the
> authoritative code, which means that nothing about MaraDNS 2's memory
> state can be changed by a remote attacker.

I was not aware that the affected code is not used in deadwood.
Naturally this seems to make the issue non-security-relevant for
MaraDNS 2, but my impression was that you intended JsStr to be a
secure string library. At present, these issues would certainly affect
other code using the library, even if they don't affect MaraDNS.

> "continues to function normally when malloc() fails" has never been
> a design criteria for either MaraDNS or Deadwood.
The only OSes I I would consider it a requirement for a secure daemon not to crash or behave in a way that compromises security under resource-exhaustion conditions. Naturally it may have to fail temporarily under such conditions. But this is getting rather OT, so I'll drop it. > support are Windows and RHEL6-derived versions of Linux. Both OSes > are either rebooting or randomly killing processes long before > malloc() starts failing. A properly configured Linux system does not randomly kill processes. The OOM killer is quite smart about which processes it kills, but more importantly a Linux system configured for deployment as a server will have overcommit disabled (it's a simple echo "2" > /proc/sys/vm/overcommit_memory). > Again, Rich, don't waste my time with random whining. I have finished > MaraDNS; I was not aware that you're not interested in further development of MaraDNS. If that's the case, sorry for bothering you. > if you don't like the way it's written, submit a patch. This Patch included inline below. Rich --- libs/JsStrOS.c.orig +++ libs/JsStrOS.c @@ -61,7 +61,7 @@ lt_hash_spot *new,*point; #endif /* DEBUG */ /* Sanity check: Never allow this; makes C act buggy */ - if(unit_size == 0 || unit_count == 0) + if(unit_size == 0 || unit_count == 0 || unit_count >= INT_MAX/unit_size) return 0; data = (void *)malloc(unit_count * unit_size); #ifdef DEBUG @@ -115,14 +115,6 @@ pthread_mutex_unlock(&alloc_lock); #endif /* THREADS */ #endif /* DEBUG */ - if(data == NULL) { - /* Securty: In a situtation where we can not allocate memory, - the subsequent behavior of the program is undefined. Hence, - the best thing to do is exit then and there */ - printf("Aieeeeee, can not allocate memory!"); - exit(64); - return (void *)0; - } return data; } From maradns at gmail.com Sat Jun 2 20:01:06 2012 
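Review bot: In the @@ -61,7 +61,7 @@ hunk, the added test "unit_count >= INT_MAX/unit_size" only bounds the product from above. The parameter types are not visible in these lines; if unit_count and unit_size are signed, a negative unit_count still passes the check and becomes a very large size when the product is converted for malloc(), so either reject values below zero as well or do the comparison in size_t against SIZE_MAX/unit_size. The patch also has no hunk adding #include <limits.h>, which INT_MAX needs unless the file already pulls it in, and ">=" rejects one size that does not overflow (">" is the exact bound).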
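Review bot: In the @@ -115,14 +115,6 @@ hunk, removing the "if(data == NULL)" block changes the contract of js_alloc from "never returns on failure" to "returns NULL on failure", and nothing in the patch documents that or touches a caller. Add a comment at the function stating that callers must check for a null return, and audit the call sites before merging, since any caller that relied on the exit(64) would now go on to use a null pointer. The DEBUG bookkeeping between the malloc() call and this point is not shown in the hunk; it is worth confirming that it does not record or dereference data when the allocation failed.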
From: maradns at gmail.com (Sam Trenholme)
Date: Sat, 2 Jun 2012 20:01:06 -0400
Subject: [MaraDNS list] Multiple issues in JsStrOS.c
In-Reply-To: <20120602225955.GS163@brightrain.aerifal.cx>
References: <20120602033431.GO163@brightrain.aerifal.cx> <20120602225955.GS163@brightrain.aerifal.cx>
Message-ID:

> I'm not clear what I did that warranted this kind of hostile response.
> It's certainly not the sort of communication we had back in 2005..

I'm sorry for the hostile response. A lot has changed since 2005:

http://maradns.blogspot.com/2009/10/every-open-source-developer-grows-up.html

I will look at the rest of your email after the 20th; I do not reply
to emails until near the end of the month unless a security report is
made.

There has been talk of getting a CVS/Git/whatever repository set up
for a MaraDNS-ng project; if that ever happens, I think it would be a
good idea to give you check-in access to it.

- Sam

From Bradley at NorthTech.US Sat Jun 2 20:51:41 2012
From: Bradley at NorthTech.US (Bradley D. Thornton)
Date: Sat, 02 Jun 2012 17:51:41 -0700
Subject: [MaraDNS list] Multiple issues in JsStrOS.c
In-Reply-To:
References: <20120602033431.GO163@brightrain.aerifal.cx> <20120602225955.GS163@brightrain.aerifal.cx>
Message-ID: <4FCAB51D.3050408@NorthTech.US>

On 06/02/2012 05:01 PM, Sam Trenholme wrote:
>> I'm not clear what I did that warranted this kind of hostile response.
>> It's certainly not the sort of communication we had back in 2005..
>
> I'm sorry for the hostile response. A lot has changed since 2005:

Thank you Sam. Because the hostility is felt by everyone on this list
and it doesn't feel very good either.

Perhaps there is a bit more growing up to expect and hope for over the
next 30 or so years too ;)

Kindest regards,

--
Bradley D. Thornton
Manager Network Services
NorthTech Computer
TEL: +1.310.388.9469 (US)
TEL: +44.203.318.2755 (UK)
TEL: +41.43.508.05.10 (CH)
http://NorthTech.US

From maradns at gmail.com Sun Jun 3 03:39:05 2012
From: maradns at gmail.com (Sam Trenholme)
Date: Sun, 3 Jun 2012 03:39:05 -0400
Subject: [MaraDNS list] Multiple issues in JsStrOS.c
In-Reply-To: <4FCAB51D.3050408@NorthTech.US>
References: <20120602033431.GO163@brightrain.aerifal.cx> <20120602225955.GS163@brightrain.aerifal.cx> <4FCAB51D.3050408@NorthTech.US>
Message-ID:

> Thank you Sam. Because the hostility is felt by everyone on this list
> and it doesn't feel very good either.

I also apologize for the hostility I had on the list half a year ago
during what will probably be my final ever MaraDNS funding drive.
That funding drive helped me at a time when money was really tight; I
thank everyone for their contributions.

I will discuss technical aspects of MaraDNS after the 20th. I'll also
formally put an end of life date on MaraDNS 1.

- Sam

From Bradley at NorthTech.US Sun Jun 3 14:45:08 2012
From: Bradley at NorthTech.US (Bradley D. Thornton)
Date: Sun, 03 Jun 2012 11:45:08 -0700
Subject: [MaraDNS list] Multiple issues in JsStrOS.c
In-Reply-To:
References: <20120602033431.GO163@brightrain.aerifal.cx> <20120602225955.GS163@brightrain.aerifal.cx> <4FCAB51D.3050408@NorthTech.US>
Message-ID: <4FCBB0B4.6050603@NorthTech.US>

On 06/03/2012 12:39 AM, Sam Trenholme wrote:
>> Thank you Sam. Because the hostility is felt by everyone on this list
>> and it doesn't feel very good either.
>
> I also apologize for the hostility I had on the list half a year ago
> during what will probably be my final ever MaraDNS funding drive.
> That funding drive helped me at a time when money was really tight; I
> thank everyone for their contributions.

Hi Sam :)

You're not the only one here (I can't speak for anyone but myself on
this point) that has been strapped, stressed, and lashed out in
frustration, only later to wonder how [I] could gracefully recover
from a moment of indiscretion.

I completely understand, and should mention that when I made my most
recent little contrib, I did it on the down-low and you took it upon
yourself to thank me for it publicly on the list. It took a lot of
guts to do that after I flamed you, and never responded because the
contrib wasn't for any particular feature (although you thought you
might be able to apply it toward split horizon) - it was just for you,
for having selflessly developed something and offered it to the
community that is in so many ways superior to the vixie-warez
alternative :)

Having said that, I think it is only appropriate for me to apologize
for flaming you so many months ago when you were feeling the economic
burn yourself.

You're a talented and quite appreciated developer Sam, a valued member
of the open source and DNS communities among others, and I too
apologize for my vitriolic lashing back then :)

No one faults you for contributing your time only when you can budget it
in, or even not at all if that is to be the case (although that would
indeed be unfortunate).

I should also thank you for having my PacificRoot servers as one of
the optional standard configuration options for root servers (in at
least the default debian package) way back before ICANN gobbled up and
created a competing .BIZ with the original. It didn't go unnoticed :)

I wish you all the best and sincerely hope you never find yourself in
a position where you have to entertain the notion of having to hire
bernstein to do ANY development for you LOL (April fools eh?)!

Kindest regards,

--
Bradley D. Thornton
Manager Network Services
NorthTech Computer
TEL: +1.310.388.9469 (US)
TEL: +44.203.318.2755 (UK)
TEL: +41.43.508.05.10 (CH)
http://NorthTech.US

From jefsey at jefsey.com Mon Jun 4 14:25:55 2012
From: jefsey at jefsey.com (JFC Morfin)
Date: Mon, 04 Jun 2012 20:25:55 +0200
Subject: [MaraDNS list] Multiple issues in JsStrOS.c
In-Reply-To: <4FCBB0B4.6050603@NorthTech.US>
References: <20120602033431.GO163@brightrain.aerifal.cx> <20120602225955.GS163@brightrain.aerifal.cx> <4FCAB51D.3050408@NorthTech.US> <4FCBB0B4.6050603@NorthTech.US>
Message-ID:

At 20:45 03/06/2012, Bradley D. Thornton wrote:
>No one faults you for contributing your time only when you can budget it
>in, or even not at all if that is to be the case (although that would
>indeed be unfortunate).

+1

Thanks Sam, even if so far my health and load did not permit me to
achieve what I had in mind.

Best

From maradns at gmail.com Thu Jun 21 16:50:51 2012
From: maradns at gmail.com (Sam Trenholme)
Date: Thu, 21 Jun 2012 16:50:51 -0400
Subject: [MaraDNS list] MaraDNS 1 end-of-life: June 21, 2015
Message-ID:

MaraDNS 1 end-of-life: June 21, 2015

Ten years ago today, I released MaraDNS 1.0. All things have a
beginning and an end. Today, I am announcing the end of life for
MaraDNS 1.

Support for MaraDNS 1 will end three years from today, on June 21,
2015.

To clarify for people who do not regularly read the MaraDNS blog or
mailing list: MaraDNS 1 has only been supported for critical security
bug fixes as of the beginning of this year. People are encouraged to
upgrade from MaraDNS 1 to MaraDNS 2.

I understand that MaraDNS 2 does not support every single
configuration MaraDNS 1 supports. My plan was originally to have
MaraDNS 2 be more compatible with MaraDNS 1, and come out with a
MaraDNS 3 release that would have been completely compatible but then
open source economics kicked in and I realized I could no longer do
professional quality software development "for fun and for free".

Work plans for June

Things are really busy with my day job right now. I hope to be able to
put aside a little time for MaraDNS baby sitting this weekend,
including addressing emails sent to the list earlier this month.

From maradns at gmail.com Sat Jun 23 14:52:01 2012
From: maradns at gmail.com (Sam Trenholme)
Date: Sat, 23 Jun 2012 14:52:01 -0400
Subject: [MaraDNS list] Deadwood update
Message-ID:

Earlier this month, Deadwood was unable to resolve
es-us.noticias.yahoo.com (Deadwood's recursion problems always seem to
be caused by either Yahoo or EasyDNS). Yahoo has since fixed things on
their end.

Since I recorded the DNS packets when Deadwood had the issue, I was
able to make a SQA test to reproduce it. Once I did that, it took me
over an hour to find the problem and make a one-line patch to fix it.

It can be downloaded here:

http://www.maradns.org/deadwood/snap/

I plan to work on MaraDNS/Deadwood again one day next month, after the
20th, unless a critical security bug is found.

Rich: Really quickly, I do agree that it would have been nice for
MaraDNS to handle malloc() failures more gracefully. If you had
brought up the issue in 2006 or 2007, I probably would even have done
something about it.

You pointed out that you had an expectation that a "security aware"
program would handle malloc() failures without bombing out. In 2001,
having a secure DNS server meant running a DNS server did not expose
you to remote root exploits, and this was the climate in which I
marketed MaraDNS as being "security aware". Things have changed since
then. Indeed, I no longer market MaraDNS as being security aware:

http://samiam.org/blog/20120326.html

Everyone: This will be my last MaraDNS update or posting to the
mailing list until one day in July, after the 20th, unless a critical
security issue with a CVE number pops up.

- Sam

From nicholas at periapt.co.uk Mon Jun 25 17:56:53 2012
From: nicholas at periapt.co.uk (Nicholas Bamber)
Date: Mon, 25 Jun 2012 22:56:53 +0100
Subject: [MaraDNS list] Would anyone like to help transition Debian MaraDNS onto 2.0
Message-ID: <4FE8DEA5.9040603@periapt.co.uk>

I reckon I've got Debian MaraDNS in good shape *apart* from the fact
that the 2.x series is still only in experimental. I've been thinking
long and hard about the best way to do it. I've changed my mind about
the best way to go about it. I am now inclined to a rather simple and
straightforward approach (new maradns2 source package). I am however
quite open to discuss it.

Another thing that has changed is that I don't particularly feel like
doing this on my own anymore. If you are interested in Debian
packaging and MaraDNS then this is a good opportunity. If - as part of
the deal - you want to get other software into Debian I can probably
help you with that as well. If for some reason I don't feel
comfortable actually sponsoring your package, I can at least help you
get it to a good standard and point you at the right people.