FIXED: Incorrect error checking (negative array read) #20
#19 is non-exploitable, since index will never be DKEYCOUNT in production code
#20 would only be exploitable if
1) An attacker controls one’s mararc file (at this point, the attacker would probably need to already be root)
2) The memory location two pointers below the beginning of dvar is set to zero
This is not serious enough for me to make a 2.0.13 MaraDNS release, but 2.0.13 will have the fix, along with a note that a minor security problem has been fixed.
Thanks for the bug reports.
The exploit vector requires the attacker to control a mararc file, a file usually only edited by root, and requires whatever memory location two pointers before the beginning of dvar to be precisely zero, which should be unlikely.
I’ve fixed this, but this isn’t serious enough for me to waste two to three hours making a new MaraDNS release, especially since I just made a release last week.
I just checked, and, yes, MaraDNS 1.0.00 from 2002 has this particular bug. Most of the things like this people are finding these days come from the 2001-2002 codebase; I wrote too much code too quickly because there was a hurry to have an open-source DNS server that wasn’t BIND at the time.