On 03/10/2023 16:48, Johnnie W Adams via Exim-users wrote:
What I take from this mitigation statement--Use a trustworthy DNS resolver which is able to validate the data according to the DNS record types--is that if our DNS service is solid, we are not vulnerable. Is this accurate, or am I oversimplifying things?

It's in that vein, but not quite.  The issue pointed to by ZDI was the trusting
of the "chunk sizes" for the possibly multiple chunks of an RR, versus the whole
RR size.

An opinion from another (non-Exim, but a name I recognize) dev was
- yes, there's at least one resolver out there that doesn't check these
- this would pass straight through glibc (i.e., my inference: libc does not check this)

The mitigation statement from ZDI was much more ominous, but I'm still parsing "network-adjacent attackers".

I wasn't sure about that, either.
--
Cheers,
  Jeremy
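The point in the reply above is that a TXT-style RR is a sequence of length-prefixed chunks, and a consumer must check each chunk's length byte against the bytes that actually remain in the RR rather than trusting it. Below is an added example of that check, written for this thread; it is not Exim's code and does not reproduce the ZDI finding. The byte arrays are constructed samples, and `txt_rdata_concat` is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Concatenate the character-strings of one TXT RR's RDATA into out as a
 * NUL-terminated string. rdlength is the RR's declared RDATA length, as
 * taken from the DNS message. Each chunk starts with a 1-byte length; that
 * byte is checked against the bytes remaining in the RR and against the
 * caller's buffer before anything is copied.
 * Returns the number of chunks, or -1 if a chunk claims more bytes than
 * remain in the RR or the output buffer would overflow. */
int txt_rdata_concat(const uint8_t *rdata, size_t rdlength,
                     char *out, size_t outsize)
{
    size_t pos = 0, outlen = 0;
    int chunks = 0;

    if (outsize == 0)
        return -1;                           /* no room even for the NUL */

    while (pos < rdlength) {
        size_t clen = rdata[pos++];          /* chunk's own length claim */
        if (clen > rdlength - pos)           /* claim exceeds the whole RR */
            return -1;
        if (clen + 1 > outsize - outlen)     /* would overrun the caller's buffer */
            return -1;
        memcpy(out + outlen, rdata + pos, clen);
        outlen += clen;
        pos += clen;
        chunks++;
    }
    out[outlen] = '\0';
    return chunks;
}

/* Constructed sample: two well-formed chunks, "v=spf1 " and "-all". */
static const uint8_t good_rdata[] = {
    7, 'v', '=', 's', 'p', 'f', '1', ' ',
    4, '-', 'a', 'l', 'l'
};

/* Constructed sample: a chunk whose length byte (10) exceeds the 5 bytes
 * actually left in the RR. A parser that trusts the chunk length would
 * read past the end of the RR here. */
static const uint8_t overlong_rdata[] = {
    10, 'a', 'b', 'c', 'd', 'e'
};

/* Returns 1 if the well-formed RR yields 2 chunks and "v=spf1 -all". */
int demo_good(void)
{
    char buf[64];
    int n = txt_rdata_concat(good_rdata, sizeof good_rdata, buf, sizeof buf);
    return (n == 2 && strcmp(buf, "v=spf1 -all") == 0) ? 1 : 0;
}

/* Returns the parser's verdict on the RR with the overlong chunk (-1). */
int demo_overlong(void)
{
    char buf[64];
    return txt_rdata_concat(overlong_rdata, sizeof overlong_rdata, buf, sizeof buf);
}

/* Returns the verdict when the caller's buffer is too small (-1). */
int demo_smallbuf(void)
{
    char buf[4];
    return txt_rdata_concat(good_rdata, sizeof good_rdata, buf, sizeof buf);
}

int main(void)
{
    printf("well-formed RR ok: %d\n", demo_good());
    printf("overlong chunk verdict: %d\n", demo_overlong());
    printf("small output buffer verdict: %d\n", demo_smallbuf());
    return 0;
}
```

The two bounds in the loop are the whole point: the first ties every chunk to the RR's declared length, which is the check the thread says at least one resolver (and libc) does not perform, and the second ties the copy to the destination buffer, so a record that is well-formed on the wire but longer than expected is still rejected rather than overflowing.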

