Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 20 Feb 2014 12:44:25 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: cve-assign@...re.org
cc: oss security list <oss-security@...ts.openwall.com>
Subject: Re: CVE request New-djbdns: dnscache: possible DoS

+-- On Wed, 19 Feb 2014, cve-assign@...re.org wrote --+
| Changing the TCP read approach can be considered a performance
| improvement (and, somewhat marginally, a security improvement), with
| no CVE assignment. The commit mentions "making slight gain in
| performance" and "could also lead to potential denial of service."

  Yes, slight gain because it reduces 'read(2)' calls. And potential DoS 
because:

  On Tuesday, 11 February 2014 5:22 AM, Frank Denis wrote:
  >
  > ...
  > The spike of CPU between the first query for a name/type and
  > its resolution is an old standing bug.
  >
  > ... We spawn dnscache threads to balance the load on all CPU cores.
  > And when running the PoC, the whole system starts crawling because
  > of the high number of system calls.

'Frank Denis' is the author of the PoC and earlier article about the SipHash 
issue.


| The original implementation might have chosen its approach for 
| design-for-auditability reasons, i.e., it may not have been a "mistake" at 
| all. It seems impractical to assign CVE IDs to all opportunities to speed up 
| the processing of untrusted input in all products. The situation would be 
| different if it were clearly a logic error in the code, e.g., processing the 
| first byte once, the second byte four times, the third byte nine times, etc.

  I don't understand why is it relevant whether it's a genuine mistake or 
logic error or an intentional bug?

  The behaviour opens room for a practical DoS attack. That is a security 
issue. There is a PoC available for it. There is fix available for it, which 
has been applied. Why not a CVE?

--
Prasad J Pandit / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.