On Friday July 11 2008 07:11:25 pm Chris Buxton wrote:
> I assume most of you have heard about the recent BIND/MS DNS updates
> to somewhat address a new DNS spoofing attack vector discovered by Dan
> Kaminsky.
>
> What you may not have heard is that the Unix stub resolver, part of
> glibc, is also vulnerable.
>
> Does anyone know if/when glibc will be patched against this? Until it
> is, you should disable nscd (the stub resolver's caching daemon) if
> you're using it. (Also disable any other DNS caching routine you have
> running until the problem is addressed by the vendor - too bad Mac
> users really can't do this.) This will reduce your exposure, although
> not as much as using a patched stub resolver would.
>
> Chris Buxton
> Professional Services
> Men & Mice
The Glibc arc4 patch adds arc4random() to res_init.c and res_mkquery.c for the resolver, and to bindrsvprt.c to randomize the port numbers. I haven't checked it out, but I would love to know if this addresses the DNS vulnerability. These modifications were taken from Owl Linux, and I added arc4random() for better entropy (and they were sent to Glibc's bugzilla).

More specifically, the arc4 patch modifies glibc-2.5.1/resolv/res_init.c to use arc4random() instead of getpid() in the res_randomid() function. In glibc-2.5.1/resolv/res_mkquery.c arc4random() replaces gettimeofday(). In glibc-2.5.1/sunrpc/bindrsvprt.c arc4random() replaces getpid().

I hope one of you can find the time to test out this vulnerability in hlfs, but the credit for this patch goes to Owl Linux.

robert
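Robert's reply describes the patch as swapping getpid() and gettimeofday() for arc4random() in the ID and port selection paths. The following C program is an added example, not code from this thread, from Owl Linux or from the glibc patch: it contrasts 16-bit transaction IDs derived from the pid and wall clock (the formula used here is an assumption modeled on the BIND-derived style, not a copy of glibc's res_randomid()) with IDs drawn from /dev/urandom, which stands in for arc4random(). The metric names (distinct_ids, effective_bits, high_byte_reuse_percent) are this example's own. Sampling the weak generator in a burst shows the clustering that a caching resolver or stub resolver exposes when its IDs and ports are not drawn from a CSPRNG.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>

#define ID_SPACE 65536U

/* Legacy-style generator (assumed formula, not glibc's exact code): XOR of
 * seconds, microseconds and pid, masked to 16 bits. Seconds and pid are
 * guessable, so only the microsecond bits contribute any uncertainty. */
unsigned weak_id(void)
{
    struct timeval now;
    gettimeofday(&now, NULL);
    return 0xffffU & (unsigned)((unsigned long)now.tv_sec ^
                                (unsigned long)now.tv_usec ^
                                (unsigned long)getpid());
}

/* CSPRNG-backed generator: 16 bits from /dev/urandom, standing in for the
 * arc4random() call the patch introduces. */
unsigned strong_id(void)
{
    static FILE *urandom;
    unsigned short v;
    if (urandom == NULL && (urandom = fopen("/dev/urandom", "rb")) == NULL) {
        perror("/dev/urandom");
        exit(EXIT_FAILURE);
    }
    if (fread(&v, sizeof v, 1, urandom) != 1) {
        perror("fread");
        exit(EXIT_FAILURE);
    }
    return v;
}

/* Fill buf with n IDs from gen; returns n. */
size_t sample_ids(unsigned (*gen)(void), unsigned *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = gen() & 0xffffU;
    return n;
}

/* Number of distinct 16-bit values in the sample, via a 64 Kbit bitmap. */
size_t distinct_ids(const unsigned *ids, size_t n)
{
    unsigned char seen[ID_SPACE / 8];
    size_t distinct = 0;
    memset(seen, 0, sizeof seen);
    for (size_t i = 0; i < n; i++) {
        unsigned v = ids[i] & 0xffffU;
        if (!(seen[v >> 3] & (1U << (v & 7)))) {
            seen[v >> 3] |= (unsigned char)(1U << (v & 7));
            distinct++;
        }
    }
    return distinct;
}

/* Draw n IDs from gen and return how many were distinct. */
size_t distinct_from(unsigned (*gen)(void), size_t n)
{
    unsigned *buf = malloc(n * sizeof *buf);
    if (buf == NULL) { perror("malloc"); exit(EXIT_FAILURE); }
    sample_ids(gen, buf, n);
    size_t d = distinct_ids(buf, n);
    free(buf);
    return d;
}

/* floor(log2(distinct)): a lower bound on the bits of uncertainty an
 * observer of the sample faces; the ceiling for 16-bit IDs is 16. */
unsigned effective_bits(const unsigned *ids, size_t n)
{
    size_t d = distinct_ids(ids, n);
    unsigned bits = 0;
    while (d > 1) { d >>= 1; bits++; }
    return bits;
}

/* Percentage of consecutive IDs that keep the same high byte. A uniform
 * generator gives about 0.4%; the pid/time generator sampled in a burst
 * stays near 100% because only the low microsecond bits move. */
unsigned high_byte_reuse_percent(const unsigned *ids, size_t n)
{
    size_t same = 0;
    if (n < 2) return 0;
    for (size_t i = 1; i < n; i++)
        if ((ids[i] >> 8) == (ids[i - 1] >> 8)) same++;
    return (unsigned)(same * 100 / (n - 1));
}

static void report(const char *label, const unsigned *ids, size_t n)
{
    printf("%-26s distinct=%zu/%zu effective_bits=%u high_byte_reuse=%u%%\n",
           label, distinct_ids(ids, n), n, effective_bits(ids, n),
           high_byte_reuse_percent(ids, n));
}

int main(void)
{
    enum { N = 1024 };
    unsigned weak[N], strong[N];
    sample_ids(weak_id, weak, N);
    sample_ids(strong_id, strong, N);
    report("pid/time-derived IDs", weak, N);
    report("CSPRNG (arc4random-style)", strong, N);
    return 0;
}
```

Build with `cc -std=c11 -O2 -o dnsid dnsid.c` and run it; the same three metrics can be applied to IDs and source ports captured from a resolver under test to check whether its randomization is actually in effect.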
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page