Second attempt at preparing a fix for this issue.

By the way, CVE-2011-5055, as far as I can see, applies only to the
experimental release. That will be fixed when upstream issues a new
2.x release. Could the security page be updated to reflect that?


On 18/01/12 13:24, Adam D. Barratt wrote:
> On 15.01.2012 20:39, Nicholas Bamber wrote:
>> unstable/testing [CVE-2012-0024, CVE-2011-5055]: This was fixed in
>> 1.4.09-1 but Sam has issued one further release, 1.4.10 with a last
>> tweak. For this version all the three CVE tickets are fundamentally the
>> same issue.
>>
>> stable [CVE-2012-0024, CVE-2011-5055]: I previously sent a debdiff. I
>> need to issue a new one.
> [...]
>> I am not sure what to do now apart from issuing 1.4.10-1. Do I raise new
>> bug reports?
> 
> Based on the above, I'd suggest, in order:
> 
> - update unstable, ensuring that all relevant bugs are fixed there
> 
> - confirm with the security team that they don't wish to issue a fix for
> CVE-2011-5055 directly, if you haven't already done so (I suspect they
> won't, but the security tracker doesn't indicate that right now, so it's
> worth checking)
> 
> - assuming a nack from the security team, prepare an updated package
> from stable and send the new debdiff to this thread
> 
> Does that sound reasonable?
> 
> Regards,
> 
> Adam


-- 
Nicholas Bamber | http://www.periapt.co.uk/
PGP key 3BFFE73C from pgp.mit.edu
diff -u maradns-1.4.03/debian/changelog maradns-1.4.03/debian/changelog
--- maradns-1.4.03/debian/changelog
+++ maradns-1.4.03/debian/changelog
@@ -1,3 +1,10 @@
+maradns (1.4.03-1.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix CVE-2012-0024 (Closes: #653838)
+
+ -- Nicholas Bamber <nicho...@periapt.co.uk>  Tue, 24 Jan 2012 14:32:06 +0000
+
 maradns (1.4.03-1.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team
only in patch2:
unchanged:
--- maradns-1.4.03.orig/server/MaraDNS.c
+++ maradns-1.4.03/server/MaraDNS.c
@@ -3933,6 +3933,24 @@
     int recurse_number_ports = 4096;
 #endif
 
+    /* First order of business: Initialize the hash */
+    if(mhash_set_add_constant(
+#ifdef MINGW32
+	"secret.txt"
+#else
+	"/dev/urandom"
+#endif
+		) != 1) {
+	printf(
+#ifdef MINGW32
+	"Fatal error opening secret.txt"
+#else
+	"Fatal error opening /dev/urandom"
+#endif
+			);
+			return 32;
+	}
+    
     memset(&client,0,sizeof(client)); /* Initialize ya variables */
     clin = (struct sockaddr_in *)&client;
 #ifdef AUTHONLY
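Review bot: In the MINGW32 branch the seed file is the relative name `secret.txt`, so it is resolved against whatever the working directory is at startup, and the same bytes are reused on every restart unless the file is regenerated. I would state that requirement next to the call, e.g. `/* secret.txt must hold random bytes unique to this install and be unreadable to untrusted users */`. The fatal message is also printed with no trailing newline, so `"Fatal error opening /dev/urandom\n"` (and the same for the secret.txt string) would keep it from running into later output. The enclosing function starts and ends outside this hunk.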
only in patch2:
unchanged:
--- maradns-1.4.03.orig/libs/functions_MaraHash.h
+++ maradns-1.4.03/libs/functions_MaraHash.h
@@ -39,3 +39,5 @@
 */
 void *mhash_undef(mhash *hash, js_string *key);
 
+/* Read four bytes from a filename and use that as a secret add constant */
+int mhash_set_add_constant(char *filename);
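Review bot: The new prototype's comment does not say what the function returns, while the caller in server/MaraDNS.c depends on the value being exactly 1. I would extend it to `/* Read four bytes from filename and use them as the secret add constant; returns 1 on success, -1 if the file cannot be opened */`. Since the name is only passed to fopen() in the definition, the parameter could also be `const char *filename`, changed in libs/MaraHash.c at the same time.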
only in patch2:
unchanged:
--- maradns-1.4.03.orig/libs/MaraHash.c
+++ maradns-1.4.03/libs/MaraHash.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2006 Sam Trenholme
+/* Copyright (c) 2006,2011 Sam Trenholme
  *
  * TERMS
  *
@@ -32,6 +32,7 @@
 #include "JsStr.h"
 #endif
 #include "MaraHash.h"
+#include <stdio.h>
 
 /* Masks to limit the size of the hash */
 /* These are powers of two, minus one */
@@ -41,6 +42,8 @@
                           16777215, 33554431, 67108863, 134217727,
                           268435455, 536870911, 1073741823 };
 
+mhash_offset mhash_secret_add_constant = 7;
+
 /* Create a new, blank mhash object
    input: none
    output: pointer to the object in quesiton on success, NULL (0)
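Review bot: `mhash_secret_add_constant` is defined with external linkage and a fixed default of 7, so any code path that hashes before, or without, a successful mhash_set_add_constant() call uses a publicly known constant. None of the hunks in this patch reference the variable outside libs/MaraHash.c, so `static mhash_offset mhash_secret_add_constant = 7;` looks sufficient, though that should be confirmed against the rest of the tree. A one-line comment such as `/* Secret hash seed; 7 is only a placeholder until mhash_set_add_constant() runs */` would make the dependency on the setter explicit.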
@@ -100,6 +103,8 @@
     /* Simple enough hash */
     while(point < max) {
         ret += (mhash_offset)(*point << shift);
+        ret += mhash_secret_add_constant;
+	ret *= 45737;
         shift += 7;
         shift %= hash_bits;
         point++;
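Review bot: The secret is mixed in linearly (`ret += mhash_secret_add_constant; ret *= 45737;`), so for two keys of the same length its contribution to `ret` is identical and cancels: whether they land in the same bucket does not depend on the secret. This assumes mhash_offset is an unsigned integer type, that `ret` starts from a fixed value, and that the result is reduced with one of the power-of-two masks, all of which lie outside this hunk. If that holds, the change randomizes bucket positions but not which keys collide, which is the property a hash-flooding fix needs; a keyed hash whose output depends non-linearly on the secret would be the sturdier fix. At minimum I would record the limitation here, e.g. `/* NOTE: additive seed; equal-length keys collide independently of it */`. The new `ret *= 45737;` line is also tab-indented where its neighbours use spaces, and the function body continues outside the hunk.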
@@ -684,3 +689,23 @@
     return tuple->tuple_list[element];
     }
 
+/* Read four bytes from a filename and use that as a secret add constant */
+int mhash_set_add_constant(char *filename) {
+        FILE *read = 0;
+
+        read = fopen(filename,"rb");
+        if(read == NULL) {
+                return -1;
+        }
+
+        mhash_secret_add_constant ^= getc(read);
+        mhash_secret_add_constant <<= 8;
+        mhash_secret_add_constant ^= getc(read);
+        mhash_secret_add_constant <<= 8;
+        mhash_secret_add_constant ^= getc(read);
+        mhash_secret_add_constant <<= 7;
+        mhash_secret_add_constant ^= getc(read);
+        fclose(read);
+        return 1;
+}
+
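Review bot: None of the four getc() results is checked, so on an empty or short file EOF (-1) is XORed into the constant and the function still returns 1; the caller then starts with a seed that is not random. The last shift is also 7 rather than 8, so the third and fourth bytes overlap in one bit and the comment's "four bytes" is not quite what is stored. I would read the seed with a single fread() and fail on a short read, as below; the packing assumes mhash_offset is at least 32 bits wide, which is not visible in this patch.

```c
/* Read four bytes from a filename and use that as a secret add constant.
 * Returns 1 on success, -1 if the file cannot be opened or is too short. */
int mhash_set_add_constant(char *filename) {
        unsigned char seed[4];
        FILE *read = fopen(filename,"rb");

        if(read == NULL) {
                return -1;
        }
        /* A short read must fail; otherwise EOF would be folded into
         * the secret and the caller would believe it had a random seed */
        if(fread(seed,1,sizeof(seed),read) != sizeof(seed)) {
                fclose(read);
                return -1;
        }
        fclose(read);
        mhash_secret_add_constant = ((mhash_offset)seed[0] << 24) |
                                    ((mhash_offset)seed[1] << 16) |
                                    ((mhash_offset)seed[2] << 8) |
                                    (mhash_offset)seed[3];
        return 1;
}
```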
