PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206

Bug #918588 reported by George Hills
Affects: pdns (Ubuntu); Status: Fix Released; Importance: Medium; Assigned to: Unassigned

Bug Description

Please see http://doc.powerdns.com/powerdns-advisory-2012-01.html

Ubuntu CVE tracker - http://people.canonical.com/~ubuntu-security/cve/CVE-2012-0206

Looks like all released versions of Ubuntu are vulnerable; I've not looked at Precise.

Tags: patch
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks, I've added it to the tracker now.

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in pdns (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Imre Gergely (cemc) wrote :

Attached debdiff for Precise. I've tested with help of upstream, and this patch solved the problem.
Please take a look and if everything is OK, I will do debdiffs for every release.
Thanks.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "debdiff vs. pdns_2.9.22-9ubuntu4" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Imre Gergely (cemc) wrote :

Some more details on this fix. I've taken the patch recommended by upstream from http://doc.powerdns.com/powerdns-advisory-2012-01.html (scroll down to the end), and created a patch file in debian/patches. Seems to be a two-liner.
Testing of this package was done on Precise daily build server iso downloaded from http://cdimage.ubuntu.com/ubuntu-server/daily/current/precise-server-i386.iso .

Tyler Hicks (tyhicks)
description: updated
Tyler Hicks (tyhicks) wrote :

Hi Imre - Thanks for the debdiff! The code changes look fine and passed our build checks. I have a couple small formatting suggestions to follow our normal security update style:

1) Since you recreated the patch based upon changes suggested in the advisory, the patch should follow the DEP-3 patch tagging guidelines:

http://dep.debian.net/deps/dep3/

You really just need a "Description: " tag followed by some descriptive text, along with an "Origin: upstream, http://doc.powerdns.com/powerdns-advisory-2012-01.html" tag.

2) By using the DEP-3 guidelines, you would then drop the URL from the changelog text and the patch description line would look something like this:

    - debian/patches/CVE-2012-0206: Short, but meaningful, description here. Based on upstream patch.

Note that there is no need to provide a debdiff for the Natty release, as I will do a fake sync from the Debian update (we don't have a delta on that specific package version).
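As an added illustration of the DEP-3 header Tyler asks for (this is not code from the bug report, from Ubuntu or from PowerDNS): a small checker that parses the tag block at the top of a patch file and reports whether the tags DEP-3 requires are present. The sample patch header is constructed here; its Origin URL is the advisory cited on this page and the Bug-Ubuntu URL points at this bug. The diff body is a placeholder, not the real patch.

```python
import re

# Constructed sample patch header in the shape Tyler describes: a Description
# tag (with RFC-822 style continuation lines) plus an Origin tag pointing at the
# upstream advisory. The "---"/"+++" lines are placeholders, not the real diff.
SAMPLE_PATCH = """\
Description: prevent the auth servers from entering a packet loop.
 Drop incoming packets that are themselves responses so that two
 authoritative servers cannot bounce the same packet back and forth.
Origin: upstream, http://doc.powerdns.com/powerdns-advisory-2012-01.html
Bug-Ubuntu: https://launchpad.net/bugs/918588
--- a/PLACEHOLDER_FILE
+++ b/PLACEHOLDER_FILE
"""

# DEP-3: "Origin" may start with one of these categories, optionally followed
# by a comma and a URL or free text.
ORIGIN_CATEGORIES = ("upstream", "backport", "vendor", "other")

TAG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def parse_dep3_header(patch_text):
    """Return {tag: value} for the DEP-3 block at the top of a patch.

    A tag line is "Name: value"; a line starting with a single space continues
    the previous tag. Parsing stops at the first line that is neither, which
    is where the diff itself begins.
    """
    fields = {}
    current = None
    for line in patch_text.splitlines():
        m = TAG_RE.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2).strip()
        elif line.startswith(" ") and current is not None:
            fields[current] += "\n" + line[1:]
        else:
            break
    return fields


def check_dep3(patch_text):
    """Return a list of problems; an empty list means the header passes.

    DEP-3 requires Description (or Subject) and Origin (unless Author is
    given); Origin must begin with one of the known categories.
    """
    fields = parse_dep3_header(patch_text)
    problems = []
    if not (fields.get("Description") or fields.get("Subject")):
        problems.append("missing Description/Subject tag")
    origin = fields.get("Origin", "")
    if not origin and not fields.get("Author"):
        problems.append("missing Origin (or Author) tag")
    if origin and origin.split(",")[0].strip() not in ORIGIN_CATEGORIES:
        problems.append("Origin must start with one of %s"
                        % ", ".join(ORIGIN_CATEGORIES))
    return problems


if __name__ == "__main__":
    # Run against the constructed sample; prints nothing useful when it passes.
    print(check_dep3(SAMPLE_PATCH) or "DEP-3 header OK")
```

A patch that carries only a URL in the changelog and no header block at all (the situation Tyler is correcting) fails both required-tag checks, while the sample above passes.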

Imre Gergely (cemc) wrote :

Attaching the revised debdiff for Precise.

Imre Gergely (cemc) wrote :

Attached debdiff for Oneiric. Built and tested the package with the patch, it works.

Imre Gergely (cemc) wrote :

Attached debdiff for Maverick. Built and tested the package with the patch, it works.

Imre Gergely (cemc) wrote :

Attached debdiff for Lucid. Built and tested the package with the patch, it works.

Imre Gergely (cemc) wrote :

Also created a debdiff for Hardy. The patch applied without problems and it also solves the problem on Hardy, but the debdiff is rather big; I'm not sure what all the extra stuff in there is. The actual changes are at the end; about the rest I have no clue.
I did create the 2.9.21-5ubuntu1.2 package on Lucid with debuild.

The debdiff is done against the last version I found in hardy-security, namely 2.9.21-5ubuntu1.1.

Please take a look at this debdiff. The patch is a bit different, it's dpatch-style, but I added a description just to be a bit clearer.

Tyler Hicks (tyhicks) wrote :

Hi Imre - The diffs look good. Thanks!

I touched up the Hardy diff a bit. DEP-3 defines how to do dpatch tagging (which I didn't realize before now) and I got rid of the rest of the junk at the top of the patch. I figure that you had some build files lying around when you created the dpatch.

The patches have been uploaded and are building.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pdns - 2.9.22-9ubuntu2.1

---------------
pdns (2.9.22-9ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: temporary DoS with specially crafted packets (LP: #918588)
    - debian/patches/CVE-2012-0206: prevent the auth servers from
      entering a packet loop. Based on upstream suggestion.
    - CVE-2012-0206
 -- Imre Gergely <email address hidden> Wed, 08 Feb 2012 22:54:35 +0200

Changed in pdns (Ubuntu):
status: Confirmed → Fix Released
Charles Peters II (cp) wrote :

The tracker at http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-0206.html lists 12.04, 14.04 and 14.10 as "needed".

However it looks like it is actually fixed in all of them. The CVE description states "before 3.0.1" and 14.04 and 14.10 are newer than 3.01.

This is from the changelog in the current 12.04 package.

pdns (3.0-1.1) unstable; urgency=high

  * Non-maintainer upload.
  * Don't respond to responses fixes CVE-2012-0206
  * Make build dependency on mongodb-dev arch specific (Closes: #654568).

 -- Luk Claes <luk@debian....> Sun, 15 Jan 2012 19:13:17 +0100

And to confirm it, I checked the package and it does contain the patch CVE-2012-0206 in the debian/patches directory.
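The Debian changelog quoted above summarizes the fix as "Don't respond to responses", and the Ubuntu changelog calls it preventing a packet loop. The added example below (not PowerDNS code, not the patch from the bug) shows the defensive check in isolation: parse the 12-byte DNS header and refuse to process any packet whose QR bit marks it as a response, so an authoritative server never answers another server's answer. The packets are constructed inline; `build_header`, `should_answer` and the counter names are this example's own.

```python
import struct

# DNS header layout (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT,
# NSCOUNT, ARCOUNT, each a 16-bit big-endian field.
HEADER_LEN = 12


def parse_dns_header(packet):
    """Return the header fields of a DNS packet as a dict.

    Raises ValueError on packets shorter than the fixed header, which a
    server should also drop rather than try to answer.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated DNS header (%d bytes)" % len(packet))
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:HEADER_LEN])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def should_answer(packet):
    """The check the advisory fix amounts to: only queries get answered.

    A response (QR=1) that arrives at an authoritative server is never
    something it should reply to; replying lets two servers, or a server
    and a spoofed source, bounce the same datagram back and forth.
    """
    try:
        hdr = parse_dns_header(packet)
    except ValueError:
        return False
    return hdr["qr"] == 0


def build_header(ident, qr, qdcount=1, ancount=0):
    """Construct a bare DNS header (no question section) for testing."""
    flags = (qr & 1) << 15
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


def triage(packets):
    """Split a batch of received packets into those to answer and those to
    drop; the dropped count is the number worth alerting on, since a burst
    of inbound responses at an authoritative server is the loop signature."""
    answered, dropped = [], []
    for pkt in packets:
        (answered if should_answer(pkt) else dropped).append(pkt)
    return answered, dropped


# Constructed sample traffic: one ordinary query, one response with the same
# ID (the kind of packet the loop is made of), and one truncated datagram.
SAMPLE_PACKETS = [
    build_header(0x1234, qr=0),
    build_header(0x1234, qr=1, ancount=1),
    b"\x12\x34\x81",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_PACKETS)
    print("answer %d, drop %d" % (len(ok), len(bad)))
```

Before the fix the second packet would have been treated as a query and answered; after it, only the first packet reaches the resolver logic.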

Seth Arnold (seth-arnold) wrote :

Thanks Charles, I've updated our database, it should propagate to the website in a few hours.
