BZ #21361 backport to version prior 2.26?
Florian Weimer
fweimer@redhat.com
Sun Jan 1 00:00:00 GMT 2017
On 11/20/2017 10:49 AM, Sudler, Simon wrote:
> I noticed that the #21361 (CVE-2017-12132) issue was fixed for 2.26, but was not applied in any older release branches. The patch
> applies perfectly for the code with the vulnerability, only the tests require some backporting.
> I was just wondering why no one was looking into this.
It requires an obscure system configuration, and the
attacker would have to be able to spoof DNS traffic between the stub
resolver and the recursive resolver. The glibc fix is also not fully
effective because fragmentation needs to be avoided at the sending side.
That's why it's a low-severity issue.
> This glibc version is used by many distros and the CVE is also unpatched there.
The core issue also affects name servers such as BIND, NSD, and Unbound.
There, the vulnerability allows DNS cache poisoning. And if the name
server is attacked, it does not matter if your glibc has the fix or not.
To be honest, I fixed this in glibc only to draw attention to this
issue. Several of us discovered this problem while analyzing the
security properties of source port randomization in 2008. Even then, it
probably was a rediscovery, and every few years, someone independently
publishes a new write-up, like this one:
<https://arxiv.org/abs/1205.4011>
So if you want to truly address the vulnerability, you need to talk to
the authors of DNS servers and request that *they* patch their software to
avoid fragmentation. BIND and Unbound use the special kernel support on
Linux (something which is not necessary on the glibc side because it
will send only packets shorter than the minimum Internet MTU), but both
still default to 4096 byte EDNS buffers unfortunately, so they remain
vulnerable to the fragmentation issue, depending on zone contents.
Thanks,
Florian
More information about the Libc-stable
mailing list