Author Archives: ayn

How to patch bind9 in Debian sarge to get DNS cache poisoning exploit patch

10 Replies

UPDATE (8/7/08):

The patch posted below actually does NOT fix the cache poisoning problem, please check out my follow up post instead. The original is included below but please note that it does not fix the security problem.

original blog post:

Most of you have heard about the DNS cache poisoning exploit, it is serious, most operating systems have security updates to get the latest bind9/named package and if you update you’re ok. However, Debian terminated security supports for Sarge/3.1 on March 1st. So if you’re like me still running sarge and don’t have the time to upgrade to etch or something newer, you’re kindda in a bad situation if you need to run a DNS. Luckily, Debian makes it really easy to compile and install custom packages, so here is how you can patch it up manually.

Check what you have installed, yup, it’s vulnerable:

$ dpkg -l | grep bind9
ii bind9 9.2.4-1sarge3 Internet Domain Name Server
ii bind9-host 9.2.4-1sarge3 Version of 'host' bundled with BIND 9.X

Install the source package for BIND9.

$ cd /usr/src && sudo apt-get source bind9
Reading Package Lists... Done
Building Dependency Tree... Done
Need to get 4667kB of source archives.
Get:1 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (dsc) [741B]
Get:2 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (tar) [4564kB]
Get:3 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (diff) [102kB]
Fetched 4667kB in 8s (534kB/s)
dpkg-source: extracting bind9 in bind9-9.2.4

Go patch it up:

$ cd bind9-9.2.4/

Apply this patch, either with patch(1) or manually, I did it manually just to be safe:

Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5	Wed Apr 27 04:56:21 2005
+++ inet_network.c	Tue Jan 15 04:02:01 2008
@@ -84,9 +84,9 @@
 	}
 	if (!digit)
 		return (INADDR_NONE);
+	if (pp >= parts + 4 || val > 0xffU)
+		return (INADDR_NONE);
 	if (*cp == '.') {
-		if (pp >= parts + 4 || val > 0xffU)
-			return (INADDR_NONE);
 		*pp++ = val, cp++;
 		goto again;
 	}
$ sudo vi lib/bind/inet/inet_network.c

build the package, this will generate a .deb:

$ cd .. && sudo apt-get -b source bind9

install the package:

$ sudo dpkg -i bind9_9.2.4-1sarge3_i386.deb

Tweets on 2008-07-31

Leave a reply

Powered by Twitter Tools.

Tweets on 2008-07-30

Leave a reply

Powered by Twitter Tools.

Tweets on 2008-07-29

Leave a reply
  • @gpoon w00t! #
  • @christmascarol ec2 ftw lol #
  • Trying to decide what to order from Tuk Tuk Thai. #
  • WHOA! iTunez crashed while syncing phonez! #
  • @seoulfully it is indeed #
  • Just applied Martin Fields on @sherryberry’s phn, it’s SO MUCH better than the Power Supply film! sharper & feels much better… #
  • was a perfect application too, I haven’t done my phone coz I’m waiting for my IS film to arrive to do it… #
  • Just applied Martin Fields on @sherryberry’s phn, it’s SO MUCH better than the Power Support film! WAY sharper & feels much better… #
  • It was a perfect application too, I haven’t done my phone coz I’m waiting for my Invisible Shield rear protection skin… #
  • latest venture from @rayvinly and yours truly: http://dealistic.com, check it! #
  • nice Levi’s: http://tinyurl.com/5lr7yd #
  • @christmascarol didn’t get pink? hard case is so asian though, the MBP doesn’t even scratch that easily… #
  • i want ical/mail to-do and notes sync to iphonez #
  • gonna go for a run even tho im done with july challenge… #
  • Got half sole and heels on the F+B. Much better. #
  • @bigdirtgarden WOOT! #
  • @seoulfully galbi is so good #
  • ilounge’s IS review: http://tinyurl.com/54rc55 #
  • most difficult to install, very nice, we’ll see how it goes when I get mine… #
  • There needs to be a Korean restaurant in North Beach. Like Tuk Tuk Thai but Korean. #

Powered by Twitter Tools.

Tweets on 2008-07-28

Leave a reply
  • Tried to eat at E’ Tutta Qua based on good reviews. Waiter never got our order, wasted an hr of my time. Now getting Cantonese food on Bway. #
  • black coffee and bagel with cream cheese #
  • @seoulfully i can set it up if we can decide what to do #
  • digging the last.fm app more than pandora #
  • @rayvinly damn, that’s why u’r not on skype! nice… #
  • filling out technorati survey #

Powered by Twitter Tools.