Re: CVE id request: tinydns crafted zone file cache poisoning vulnerability

["Steven M. Christey" <coley () linus mitre org>]

======================================================
Name: CVE-2009-0858
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0858
Reference: BUGTRAQ:20090226 djbdns misformats some long response packets; patch and example attack
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/501294/100/0/threaded
Reference: BUGTRAQ:20090228 Re: djbdns misformats some long response packets; patch and example attack
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/501340/100/0/threaded
Reference: BUGTRAQ:20090305 Re: djbdns misformats some long response packets; patch and example attack
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/501479/100/0/threaded
Reference: MLIST:[dns] 20090225 djbdns misformats some long response packets; patch and example
Reference: URL:http://marc.info/?l=djbdns&m=123554945710038
Reference: MLIST:[dns] 20090304 djbdns<=1.05 lets AXFRed subdomains overwrite domains
Reference: URL:http://marc.info/?l=djbdns&m=123613000920446&w=2
Reference: MISC:http://it.slashdot.org/article.pl?sid=09/03/05/2014249
Reference: MISC:http://securityandthe.net/2009/03/05/security-issue-in-djbdns-confirmed/
Reference: BID:33937
Reference: URL:http://www.securityfocus.com/bid/33937
Reference: XF:djbdns-response-packet-spoofing(49003)
Reference: URL:http://xforce.iss.net/xforce/xfdb/49003

The response_addname function in response.c in Daniel J. Bernstein
djbdns 1.05 and earlier does not constrain offsets in the required
manner, which allows remote attackers, with control over a third-party
subdomain served by tinydns and axfrdns, to trigger DNS responses
containing arbitrary records via crafted zone data for this subdomain.