Sorry for the crosspost, but I wanted to include everyone potentially interested in this bug.
The home page for dnrd [1] seems to indicate that it is intended for use for a single computer or an internal network. The typical user will likely only want to allow input to dnrd from trusted sources [2]. This bug may be worked around (and therefore downgraded) by having a configuration to warn the user that they must trust the DNS servers (wherever this is configured), and must trust the users. To allow the ladder to be effective, configuration of who is allowed to query dnrd is needed too (default none allowed? configure allowed users through an inetd implementation?). This package however seems to be orphaned [3] and has another RC bug [4], so it may be worth removing this package [5]. Aj suggested [6] that if the bugs are left as RC (not downgraded/fixed) then the package should be removed or at least put in experimental. Rats [7], splint [8], flawfinder [9] or other tools may be useful in finding the buffer overflows. If upstream wants I can give them the output from a few of these audit tools to use as a starting point to *fix* these bugs. [1] http://users.zoominternet.net/~garsh/dnrd/ [2] ISP DNS's, local users, local network users, but they might not always be trusted. [3] http://packages.qa.debian.org/d/dnrd/news/1.html lists the only change as "* Orphaned, set maintainer to Debian QA Group" [4] Bug #189978: dnrd_2.10-7(unstable/ia64): FTBFS: warning treated as error http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=189978 [5] I dislike it when packages are removed, but if no one fixes or creates workarounds to downgrade RC bugs... [6] http://lists.debian.org/debian-release/2003/debian-release-200304/msg00024.html [7] http://www.securesoftware.com/auditing_tools_download.htm [8] http://www.splint.org/ [9] http://www.dwheeler.com/flawfinder/ Drew Daniels
