Tag Archives: apt-get

How to patch bind9 in Debian sarge to get DNS cache poisoning exploit patch

UPDATE (8/7/08):

The patch posted below actually does NOT fix the cache poisoning problem, please check out my follow up post instead. The original is included below but please note that it does not fix the security problem.

original blog post:

Most of you have heard about the DNS cache poisoning exploit, it is serious, most operating systems have security updates to get the latest bind9/named package and if you update you’re ok. However, Debian terminated security supports for Sarge/3.1 on March 1st. So if you’re like me still running sarge and don’t have the time to upgrade to etch or something newer, you’re kindda in a bad situation if you need to run a DNS. Luckily, Debian makes it really easy to compile and install custom packages, so here is how you can patch it up manually.

Check what you have installed, yup, it’s vulnerable:

$ dpkg -l | grep bind9
ii bind9 9.2.4-1sarge3 Internet Domain Name Server
ii bind9-host 9.2.4-1sarge3 Version of 'host' bundled with BIND 9.X

Install the source package for BIND9.

$ cd /usr/src && sudo apt-get source bind9
Reading Package Lists... Done
Building Dependency Tree... Done
Need to get 4667kB of source archives.
Get:1 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (dsc) [741B]
Get:2 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (tar) [4564kB]
Get:3 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (diff) [102kB]
Fetched 4667kB in 8s (534kB/s)
dpkg-source: extracting bind9 in bind9-9.2.4

Go patch it up:

$ cd bind9-9.2.4/

Apply this patch, either with patch(1) or manually, I did it manually just to be safe:

Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5	Wed Apr 27 04:56:21 2005
+++ inet_network.c	Tue Jan 15 04:02:01 2008
@@ -84,9 +84,9 @@
 	}
 	if (!digit)
 		return (INADDR_NONE);
+	if (pp >= parts + 4 || val > 0xffU)
+		return (INADDR_NONE);
 	if (*cp == '.') {
-		if (pp >= parts + 4 || val > 0xffU)
-			return (INADDR_NONE);
 		*pp++ = val, cp++;
 		goto again;
 	}
$ sudo vi lib/bind/inet/inet_network.c

build the package, this will generate a .deb:

$ cd .. && sudo apt-get -b source bind9

install the package:

$ sudo dpkg -i bind9_9.2.4-1sarge3_i386.deb