Bug#773548: unblock: bind9/1:9.9.5.dfsg-7
Hi, Cyril Brulebois wrote: > Non-linux porters may want to double check this new version isn't going > to lead to regressions on their architecture(s) though, so letting them > know through Cc (patch available below). Thanks for checking with us. It seems only the DNS resolver code was changed; I don't think d-i uses any part of that, and it needs only unrelated library functions for ISC dhcpd. Still, with the updated libs, d-i completed successfully (a netboot install involving DNS resolution and using DHCP). This test run was more than 24 hours after 1:9.9.5.dfsg-7 was built on kfreebsd-amd64, so it would have been using the new udebs. https://jenkins.debian.net/view/g-i-installation/job/g-i-installation_debian_sid_daily_kfreebsd/447/ Regards, -- Steven Chamberlain ste...@pyro.eu.org -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#773548: unblock: bind9/1:9.9.5.dfsg-7
Control: tag -1 confirmed
Jonathan Wiltshire (2014-12-19):
> Package: release.debian.org
> Severity: normal
> Tags: d-i
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package bind9
>
> Fix for RC bug #772610, for some reason no unblock request from the maintainer
> or uploader. I have not reviewed the attached debdiff; also needs a kibi-ack.
>
> unblock bind9/1:9.9.5.dfsg-7
bind9 is only related to d-i on non-linux architectures (through netcfg → isc-dhcp → bind9), so no objection from me. Non-linux porters may want to double check this new version isn't going to lead to regressions on their architecture(s) though, so letting them know through Cc (patch available below). Mraw, KiBi.
> -- System Information:
> Debian Release: 8.0
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (500,
> 'unstable'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> diff -u bind9-9.9.5.dfsg/bin/named/config.c
> bind9-9.9.5.dfsg/bin/named/config.c
> --- bind9-9.9.5.dfsg/bin/named/config.c
> +++ bind9-9.9.5.dfsg/bin/named/config.c
> @@ -162,6 +162,8 @@
> dnssec-accept-expired no;\n\
> clients-per-query 10;\n\
> max-clients-per-query 100;\n\
> + max-recursion-depth 7;\n\
> + max-recursion-queries 50;\n\
> zero-no-soa-ttl-cache no;\n\
> nsec3-test-zone no;\n\
> allow-new-zones no;\n\
> diff -u bind9-9.9.5.dfsg/bin/named/server.c
> bind9-9.9.5.dfsg/bin/named/server.c
> --- bind9-9.9.5.dfsg/bin/named/server.c
> +++ bind9-9.9.5.dfsg/bin/named/server.c
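Review bot: The built-in defaults `max-recursion-depth 7;` and `max-recursion-queries 50;` added to the options string here repeat the values of DEFAULT_RECURSION_DEPTH and DEFAULT_MAX_QUERIES defined in lib/dns/resolver.c later in this debdiff, with nothing tying the two sites together. Because the string literal cannot carry an inline comment, a line above it such as `/* keep in sync with DEFAULT_RECURSION_DEPTH / DEFAULT_MAX_QUERIES in lib/dns/resolver.c */` (and the mirror comment next to the macros) would stop a future tuning of one copy from silently diverging from the other. The same hunk is quoted again, without the `>` prefix, in the last message on this page, and this note applies there too.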
> @@ -3223,6 +3223,16 @@
> cfg_obj_asuint32(obj),
> max_clients_per_query);
>
> + obj = NULL;
> + result = ns_config_get(maps, "max-recursion-depth", &obj);
> + INSIST(result == ISC_R_SUCCESS);
> + dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj));
> +
> + obj = NULL;
> + result = ns_config_get(maps, "max-recursion-queries", &obj);
> + INSIST(result == ISC_R_SUCCESS);
> + dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
> +
> #ifdef ALLOW_FILTER__ON_V4
> obj = NULL;
> result = ns_config_get(maps, "filter--on-v4", &obj);
> diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog
> --- bind9-9.9.5.dfsg/debian/changelog
> +++ bind9-9.9.5.dfsg/debian/changelog
> @@ -1,3 +1,10 @@
> +bind9 (1:9.9.5.dfsg-7) unstable; urgency=medium
> +
> + * Fix CVE-2014-8500: limit recursion in order to avoid memory consuption
> +issues that can lead to denial-of-service (closes: #772610).
> +
> + -- Michael Gilbert Sun, 14 Dec 2014 05:05:48 +
> +
> bind9 (1:9.9.5.dfsg-6) unstable; urgency=medium
>
>* Include dlz_dlopen.h in libbind-dev (closes: #769117).
> diff -u bind9-9.9.5.dfsg/lib/dns/resolver.c
> bind9-9.9.5.dfsg/lib/dns/resolver.c
> --- bind9-9.9.5.dfsg/lib/dns/resolver.c
> +++ bind9-9.9.5.dfsg/lib/dns/resolver.c
> @@ -21,6 +21,7 @@
>
> #include
>
> +#include
> #include
> #include
> #include
> @@ -131,6 +132,16 @@
> #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the
> whole query to live. */
> #endif
>
> +/* The default maximum number of recursions to follow before giving up. */
> +#ifndef DEFAULT_RECURSION_DEPTH
> +#define DEFAULT_RECURSION_DEPTH 7
> +#endif
> +
> +/* The default maximum number of iterative queries to allow before giving
> up. */
> +#ifndef DEFAULT_MAX_QUERIES
> +#define DEFAULT_MAX_QUERIES 50
> +#endif
> +
> /*%
> * Maximum EDNS0 input packet size.
> */
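Review bot: The values returned by `cfg_obj_asuint32(obj)` are handed to dns_resolver_setmaxdepth() and dns_resolver_setmaxqueries() with no range check, so an operator can configure 0 or an arbitrarily large number for either option, and nothing in this hunk says whether 0 disables the bound or whether a very large value quietly re-opens the CVE-2014-8500 exposure the changelog says this fixes. Either clamp or reject out-of-range values where the options are parsed, or at least state the accepted range and the meaning of 0 in the options grammar, and add a short comment at the first new `obj = NULL;` such as `/* per-view recursion limits (CVE-2014-8500); defaults are supplied by config.c, which is what makes the INSIST()s safe */`. The two INSIST() calls are sound only because the config.c hunk in this debdiff adds both defaults, so that coupling is worth recording. The enclosing function begins and ends outside this hunk.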
> @@ -234,12 +245,13 @@
> isc_sockaddrlist_t edns;
> isc_sockaddrlist_t edns512;
> isc_sockaddrlist_t bad_edns;
> - dns_validator_t *validator;
> + dns_validator_t * validator;
> ISC_LIST(dns_validator_t) validators;
> dns_db_t * cache;
> dns_adb_t * adb;
> isc_boolean_t ns_ttl_ok;
> isc_uint32_tns_ttl;
> + isc_counter_t * qc;
>
> /*%
>* The number of events we're waiting for.
> @@ -307,6 +319,7 @@
> isc_boolean_t timeout;
> dns_adbaddrinfo_t *addrinfo;
> isc_sockaddr_t *client;
> + unsigned intdepth;
> };
>
> #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
> @@ -418,6 +431,8 @@
> isc_timer_t * spillattimer;
> isc_boolean_t zero_no_soa_ttl;
> unsigned intquery_timeout;
> + unsigned in
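Review bot: The `dns_validator_t *validator;` → `dns_validator_t * validator;` change in this hunk is whitespace only, and the later copy of this debdiff on the page shows two more cosmetic edits of the same kind (the brace-only rewrite at `@@ -2188` and the re-indented `fctx_destroy(fctx);` at `@@ -2219`). In a targeted CVE fix these add review noise and enlarge the backport surface without changing behaviour; dropping them would leave a diff that contains only the recursion-limit logic, which is what a security reviewer wants to audit. The new `isc_counter_t * qc;` field also lacks a comment naming its role (it appears to back the new max-recursion-queries limit, but this hunk does not show where it is used), so a one-line note there would help, e.g. `/* query counter for the max-recursion-queries limit -- confirm against its users */`. The struct definition begins and ends outside this hunk.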
Bug#773548: unblock: bind9/1:9.9.5.dfsg-7
Package: release.debian.org Severity: normal Tags: d-i User: release.debian@packages.debian.org Usertags: unblock Please unblock package bind9 Fix for RC bug #772610, for some reason no unblock request from the maintainer or uploader. I have not reviewed the attached debdiff; also needs a kibi-ack. unblock bind9/1:9.9.5.dfsg-7 -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -u bind9-9.9.5.dfsg/bin/named/config.c bind9-9.9.5.dfsg/bin/named/config.c --- bind9-9.9.5.dfsg/bin/named/config.c +++ bind9-9.9.5.dfsg/bin/named/config.c @@ -162,6 +162,8 @@ dnssec-accept-expired no;\n\ clients-per-query 10;\n\ max-clients-per-query 100;\n\ + max-recursion-depth 7;\n\ + max-recursion-queries 50;\n\ zero-no-soa-ttl-cache no;\n\ nsec3-test-zone no;\n\ allow-new-zones no;\n\ diff -u bind9-9.9.5.dfsg/bin/named/server.c bind9-9.9.5.dfsg/bin/named/server.c --- bind9-9.9.5.dfsg/bin/named/server.c +++ bind9-9.9.5.dfsg/bin/named/server.c @@ -3223,6 +3223,16 @@ cfg_obj_asuint32(obj), max_clients_per_query); + obj = NULL; + result = ns_config_get(maps, "max-recursion-depth", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj)); + + obj = NULL; + result = ns_config_get(maps, "max-recursion-queries", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj)); + #ifdef ALLOW_FILTER__ON_V4 obj = NULL; result = ns_config_get(maps, "filter--on-v4", &obj); diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog --- bind9-9.9.5.dfsg/debian/changelog +++ bind9-9.9.5.dfsg/debian/changelog 
@@ -1,3 +1,10 @@ +bind9 (1:9.9.5.dfsg-7) unstable; urgency=medium + + * Fix CVE-2014-8500: limit recursion in order to avoid memory consuption +issues that can lead to denial-of-service (closes: #772610). + + -- Michael Gilbert Sun, 14 Dec 2014 05:05:48 + + bind9 (1:9.9.5.dfsg-6) unstable; urgency=medium * Include dlz_dlopen.h in libbind-dev (closes: #769117). diff -u bind9-9.9.5.dfsg/lib/dns/resolver.c bind9-9.9.5.dfsg/lib/dns/resolver.c --- bind9-9.9.5.dfsg/lib/dns/resolver.c +++ bind9-9.9.5.dfsg/lib/dns/resolver.c @@ -21,6 +21,7 @@ #include +#include #include #include #include @@ -131,6 +132,16 @@ #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */ #endif +/* The default maximum number of recursions to follow before giving up. */ +#ifndef DEFAULT_RECURSION_DEPTH +#define DEFAULT_RECURSION_DEPTH 7 +#endif + +/* The default maximum number of iterative queries to allow before giving up. */ +#ifndef DEFAULT_MAX_QUERIES +#define DEFAULT_MAX_QUERIES 50 +#endif + /*% * Maximum EDNS0 input packet size. */ @@ -234,12 +245,13 @@ isc_sockaddrlist_t edns; isc_sockaddrlist_t edns512; isc_sockaddrlist_t bad_edns; - dns_validator_t *validator; + dns_validator_t * validator; ISC_LIST(dns_validator_t) validators; dns_db_t * cache; dns_adb_t * adb; isc_boolean_t ns_ttl_ok; isc_uint32_t ns_ttl; + isc_counter_t * qc; /*% * The number of events we're waiting for. @@ -307,6 +319,7 @@ isc_boolean_t timeout; dns_adbaddrinfo_t *addrinfo; isc_sockaddr_t *client; + unsigned int depth; }; #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!') @@ -418,6 +431,8 @@ isc_timer_t * spillattimer; isc_boolean_t zero_no_soa_ttl; unsigned int query_timeout; + unsigned int maxdepth; + unsigned int maxqueries; /* Locked by lock. */ unsigned int references; @@ -1535,6 +1550,7 @@ if (result != ISC_R_SUCCESS) goto cleanup_dispatch; } + fctx->querysent++; ISC_LIST_APPEND(fctx->queries, query, link); 
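Review bot: The new resolver fields `unsigned int maxdepth;` and `unsigned int maxqueries;` in the `@@ -418,6 +431,8 @@` hunk carry no comment, unlike the neighbouring `/* Locked by lock. */` annotation, so a reader cannot tell from the declaration which lock (if any) covers them, what value means "unlimited", or which configuration option feeds each one. A short comment per field, e.g. `unsigned int maxdepth;   /* max-recursion-depth option; default DEFAULT_RECURSION_DEPTH */` and the matching line `unsigned int maxqueries; /* max-recursion-queries option; default DEFAULT_MAX_QUERIES */`, would answer that where the fields are declared. The struct begins and ends outside this hunk.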
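Review bot: In the `@@ -1535,6 +1550,7 @@` hunk `fctx->querysent++;` is incremented unconditionally and the hunk contains no comparison against the new maxqueries bound, so it is not visible here where, or whether, the limit is enforced on this counter; the `querysent` field itself is not added by any of the struct hunks on this page, so it presumably already existed for statistics. If enforcement lives with the new `qc` counter elsewhere in the patch, a comment on this line would stop a reader from mistaking the increment for the check, e.g. `/* stats only; the max-recursion-queries bound is not checked here -- see the qc counter */`. The enclosing function begins and ends outside this hunk.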
@@ -2188,9 +2204,9 @@ */ INSIST(!SHUTTINGDOWN(fctx)); fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; - if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) + if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) { want_try = ISC_TRUE; - else { + } else { fctx->findfail++; if (fctx->pending == 0) { /* @@ -2219,7 +2235,7 @@ else if (want_done) fctx_done(fctx, ISC_R_FAILURE, __LINE__); else if (destroy) { - fctx_destroy(fctx); + fctx_destroy(fctx); if (bucket_empty) empty_bucket(res); } @@ -2473,12 +2489,13 @@ * See what we know about this address. */ find = NULL; - result = dns_adb_createfind(fctx->adb, -res->buckets[fctx->bucketnum].task, -fctx_finddone, fctx, name, -&fctx->name, fctx->type, -options, now, NULL, -res->view->dstport, &find); + result = dns_adb_createfind2(fctx->adb, +