                 NetBSD Security Advisory 2002-006
                 =================================

Topic:          buffer overrun in libc/libresolv DNS resolver

Version:        NetBSD-current:    source prior to June 26, 2002
                NetBSD-1.6 beta:   source prior to June 26, 2002
                NetBSD-1.5.2:      affected
                NetBSD-1.5.1:      affected
                NetBSD-1.5:        affected
                NetBSD-1.4.*:      affected
                All prior NetBSD releases.
                pkgsrc:
                    net/bind4, bind-4.9.8 and before affected
                    net/bind8, bind-8.3.1nb1, bind-8.3.2 and before affected
                    net/bind9, bind-9.2.1 and before
                    emulators/compat1[234]
                    any statically linked pkgsrc binaries (there could be more)

Severity:       remote buffer overrun on any application that uses DNS,
                possible remote root exploit (not confirmed)

Fixed:          NetBSD-current:    June 26, 2002
                NetBSD-1.6 branch: June 26, 2002 (1.6 will include the fix)
                NetBSD-1.5 branch: June 26, 2002 (1.5.3 will include the fix)
                NetBSD-1.4 branch: June 26, 2002 (1.4.4 will include the fix)
                pkgsrc:
                    net/bind4, bind-4.9.8nb1
                    net/bind8, (not yet)
                    net/bind9, (not yet)
                    emulators/compat1[234], not yet


Abstract
========

There was a buffer-length computation bug in the BIND-based DNS resolver
code. A malicious DNS response packet may be able to overwrite data outside
the buffer, and it could lead to attacks as serious as a remote root
exploit, though there are no public exploits in circulation at this time.

NetBSD uses BIND4-based DNS resolver code in libc/libresolv, and is found
to be vulnerable. We also use BIND8-based DNS resolver code in named-related
tools like /usr/bin/dig, and these are vulnerable as well (source located
in dist/bind and usr.sbin/bind).


Technical Details
=================

In lib/libc/net/gethnamaddr.c:getanswer() and
lib/libc/net/getnetnamadr.c:getnetanswer(), two variables manage packet
buffer parsing: a pointer to the byte currently being examined, and the
length remaining in the buffer. The remaining length was not updated
consistently, so a malicious DNS response is able to cause writes outside
the buffer.
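The following is an added illustration, not code from NetBSD's gethnamaddr.c: a minimal walk over the answer section of a DNS response in which the cursor and the remaining length are advanced together and every field is checked against the remaining length before it is read, which is the invariant the resolver failed to keep. The packet bytes, the offset constant and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed response (not a real capture): header with ANCOUNT=1, question
 * for www.example.com, one A record 192.0.2.1 whose name is a pointer. */
static const uint8_t RESPONSE[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00, /* header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* QNAME */
    0x00,0x01, 0x00,0x01,                                 /* QTYPE=A QCLASS=IN */
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x00,0x3C, 0x00,0x04, /* ptr,A,IN,TTL,RDLEN */
    192,0,2,1                                             /* RDATA */
};
#define ANSWER_OFF 33   /* offset of the answer section in RESPONSE */

/* Skip one (possibly compressed) name; return bytes consumed, or -1 if the
 * name does not end within the `left` bytes that remain. */
static int skip_name(const uint8_t *p, size_t left)
{
    size_t i = 0;
    while (i < left) {
        uint8_t len = p[i];
        if (len == 0) return (int)i + 1;                     /* root label */
        if ((len & 0xC0) == 0xC0) return i + 2 <= left ? (int)i + 2 : -1;
        if (len & 0xC0) return -1;                           /* reserved type */
        i += 1 + len;                                        /* length + label */
    }
    return -1;                                               /* ran off the end */
}

/* Walk `ancount` RRs starting at `off`; `cp` and `left` move together on every
 * advance. Returns the number of 4-byte A records, or -1 as soon as any field
 * or RDLENGTH would reach past pktlen. */
int count_a_records(const uint8_t *pkt, size_t pktlen, size_t off, int ancount)
{
    if (off > pktlen) return -1;
    const uint8_t *cp = pkt + off;
    size_t left = pktlen - off; int found = 0;
    while (ancount-- > 0) {
        int n = skip_name(cp, left);
        if (n < 0) return -1;
        cp += n; left -= (size_t)n;
        if (left < 10) return -1;                  /* TYPE CLASS TTL RDLENGTH */
        uint16_t type  = (uint16_t)(cp[0] << 8 | cp[1]);
        uint16_t rdlen = (uint16_t)(cp[8] << 8 | cp[9]);
        cp += 10; left -= 10;
        if (rdlen > left) return -1;               /* RDLENGTH exceeds the packet */
        if (type == 1 && rdlen == 4) found++;
        cp += rdlen; left -= rdlen;
    }
    return found;
}
```

Shortening pktlen below the end of the RDATA models a response whose RDLENGTH claims more bytes than were received; the walker refuses it instead of reading or writing past the buffer.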
This may present an attacker with the opportunity to insert arbitrary code
for execution as the user running the resolver query, potentially root. No
exploit script to take advantage of this vulnerability is known at time of
writing.

It is important to understand that this issue can be triggered in a manner
unlike the more common buffer overflows in network daemons. Any outgoing
DNS query made to a hostile server would expose the vulnerability. The
exploit path includes email sent to Netscape users which automatically
displays HTML, and hostile web pages which carry embedded objects located
on servers in domains with a hostile DNS server.

Since client systems in many network environments are permitted to make
DNS queries directly to root servers, through routed IPs, or NATs, realize
that these systems are vulnerable even if behind a firewall, since they are
initiating the outgoing query. As a workaround, it is well worth pointing
your client systems at a patched nameserver that does recursive resolution,
and blocking all direct queries/responses at a gateway or firewall system.
This allows central control over your network environment, and protection
while updates are being made to individual clients.

This issue was brought to the attention of the NetBSD security-officer very
recently. Unfortunately, coordination to deliver a full set of updated
binary releases was not possible, and given the severity of this issue,
this Advisory is being released immediately. Updates will be made to this
advisory providing additional pointers to upgrade resources as available.

See also: http://www.pine.nl/advisories/pine-cert-20020601.html


Solutions and Workarounds
=========================

Releases of NetBSD 1.5.3 and NetBSD 1.6 are imminent. This is a reminder
to consider upgrading when they are available, if you are running anything
older than NetBSD 1.5.3. Many security-related improvements have been made.
Note that any statically-linked binary that makes any DNS query is
vulnerable, and cannot be fixed by replacing a shared library. Therefore,
updating the entire system is suggested.

Note also that shared libraries from other operating systems installed for
binary compatibility under /emul may also be vulnerable. Please consult the
vendor of those libraries for further details.

If you have NetBSD systems that have been upgraded from earlier releases
from before 1997, you may have libc and/or libresolv shared libraries with
older shared library major numbers. Check for the presence of
/usr/lib/libc.so.X.Y where X < 12 (the current major number). These old
libraries contain vulnerable resolver code, and will not be updated even if
you rebuild the system. Therefore, we suggest that you remove those old
shared libraries.

NetBSD systems ship with a BIND8-based nameserver and utilities, and they
use a separate resolver library codebase in dist/bind. BIND8 in our tree is
also found to be vulnerable; however, at this moment we are waiting for
vendor patches from ISC. Once vendor patches are made available, the
following directories should be updated and rebuilt:

        usr.sbin/bind
        dist/bind

* NetBSD-current:

Systems running NetBSD-current dated from before 2002-06-25 should be
upgraded to NetBSD-current dated 2002-06-26 or later.

The following directories need to be updated from the netbsd-current CVS
branch (aka HEAD):

        lib/libc/net

Also note that the include files need to be in sync with the code in
lib/libc/net.

To update from CVS, re-build, and re-install libc and statically linked
binaries:

        # cd src
        # cvs update -d -P lib/libc/net
        # cd lib/libc
        # make cleandir dependall
        # make install
        # cd ../../lib/libresolv
        # make cleandir dependall
        # make install
        # cd ../..
        # make dependall
        # make install

* NetBSD 1.6 betas:

Systems running NetBSD 1.6 betas dated from before 2002-06-25 should be
upgraded to the NetBSD 1.6 tree dated 2002-06-26 or later.
The following directories need to be updated from the netbsd-1-6 CVS
branch:

        lib/libc/net

Also note that the include files need to be in sync with the code in
lib/libc/net.

To update from CVS, re-build, and re-install libc and statically linked
binaries:

        # cd src
        # cvs update -d -P -r netbsd-1-6 lib/libc/net
        # cd lib/libc
        # make cleandir dependall
        # make install
        # cd ../../lib/libresolv
        # make cleandir dependall
        # make install
        # cd ../..
        # make dependall
        # make install

* NetBSD 1.5.x:

Systems running NetBSD 1.5.x dated from before 2002-06-25 should be
upgraded to the NetBSD 1.5 tree dated 2002-06-26 or later.

The following directories need to be updated from the netbsd-1-5 CVS
branch:

        lib/libc/net

Also note that the include files need to be in sync with the code in
lib/libc/net.

To update from CVS, re-build, and re-install libc and statically linked
binaries:

        # cd src
        # cvs update -d -P -r netbsd-1-5 lib/libc/net
        # cd lib/libc
        # make cleandir dependall
        # make install
        # cd ../../lib/libresolv
        # make cleandir dependall
        # make install
        # cd ../..
        # make dependall
        # make install

* NetBSD 1.4.x:

Systems running NetBSD 1.4.x dated from before 2002-06-25 should be
upgraded to the NetBSD 1.4 tree dated 2002-06-26 or later.

The following directories need to be updated from the netbsd-1-4 CVS
branch:

        lib/libc/net

To update from CVS, re-build, and re-install libc and statically linked
binaries (the branch tag below is netbsd-1-4; the 1.5 tag given in an
earlier copy of this section was a typo):

        # cd src
        # cvs update -d -P -r netbsd-1-4 lib/libc/net
        # cd lib/libc
        # make cleandir dependall
        # make install
        # cd ../../lib/libresolv
        # make cleandir dependall
        # make install
        # cd ../..
        # make dependall
        # make install

* pkgsrc:

bind-4.9.8 (pkgsrc/net/bind4) is vulnerable. Upgrading to bind-4.9.8nb1 is
recommended. Note that the BIND4 nameserver is considered obsolete by the
vendor (ISC), and it is recommended to use BIND9, or BIND8.

All available pkgsrc for bind-[89] are vulnerable. We are still waiting for
vendor patches to be issued.
Shared libraries in compat1[234]-* (pkgsrc/emulators/compat1[234]) are
vulnerable. There is no fix supplied at this moment.

If you have statically linked binaries in pkgsrc, they have to be rebuilt.
Statically linked binaries can be identified by the following command
(note: be sure to include the directory you install pkgsrc binaries to, if
you've changed LOCALBASE from the default of /usr/pkg):

        file /usr/pkg/{bin,sbin,libexec}/* | grep static

Shared libraries for binary compatibility are available through pkgsrc for
some operating systems, and may be vulnerable as noted above if installed.


Thanks To
=========

Jun-ichiro itojun Hagino for patches, and initial advisory text.


Revision History
================

2002-06-26      Initial release
2002-06-27      Updated with further information on pkgsrc, and affected
                BIND releases.


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-006.txt,v 1.23 2002/06/28 04:29:26 david Exp $