Bug#690142: remote named DoS on recursor (CVE-2012-5166)
On Mon, Oct 15, 2012 at 11:52 PM, Matthew Grant wrote:

Thanks for that. Bit of a situation brewing for bind9 re #690569 (failure to resolve dnssec-validated wildcards - major non-compliance to RFC etc) and #690142 (this CVE). Would appreciate your advice on how to proceed please.

Note: Will use nmudiff next time, and be careful about .orig.tar.gz.

The junk comes from bind's clean rule being insufficiently clean. For packages like this, I usually make changes, then copy them to a new dir to build so that my original dir stays clean.

Best wishes,
Mike

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#690142: remote named DoS on recursor (CVE-2012-5166)
Hi,

I've canceled this nmu. There were a lot of Makefile and other files unrelated to the security fix that got included vs -4.2. Also, an nmu requirement is to attach the full diff to the bug report to help the maintainer out later.

Best wishes,
Mike
Bug#690142: remote named DoS on recursor (CVE-2012-5166)
Package: bind9
Version: 1:9.8.1.dfsg.P1-4.2
Followup-For: Bug #690142

Dear Maintainer,

Attaching a patch for this version of Debian bind9. NMUing in 2 days with 1:9.8.1.dfsg.P1-4.3

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- /tmp/bind9-9.8.1.dfsg.P1/bin/named/query.c 2011-11-16 22:32:08.0 +1300 +++ bind9-9.8.1.dfsg.P1/bin/named/query.c 2012-10-15 13:48:55.572735596 +1300 @@ -1137,13 +1137,6 @@ mname = NULL; } - /* - * If the dns_name_t we're looking up is already in the message, - * we don't want to trigger the caller's name replacement logic. - */ - if (name == mname) - mname = NULL; - *mnamep = mname; CTRACE(query_isduplicate: false: done); @@ -1341,6 +1334,7 @@ if (dns_rdataset_isassociated(rdataset) !query_isduplicate(client, fname, type, mname)) { if (mname != NULL) { + INSIST(mname != fname); query_releasename(client, fname); fname = mname; } else @@ -1401,11 +1395,13 @@ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_a, mname)) { -if (mname != NULL) { - query_releasename(client, fname); - fname = mname; -} else - need_addname = ISC_TRUE; +if (mname != fname) { + if (mname != NULL) { + query_releasename(client, fname); + fname = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_APPEND(fname-list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL @@ -1444,11 +1440,13 @@ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_, mname)) { -if (mname != NULL) { - query_releasename(client, fname); - fname = mname; -} else - need_addname = ISC_TRUE; +if (mname != fname) { + if (mname != NULL) { + query_releasename(client, fname); + fname = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_APPEND(fname-list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL 
@@ -1960,22 +1958,24 @@ crdataset-type == dns_rdatatype_) { if (!query_isduplicate(client, fname, crdataset-type, mname)) { -if (mname != NULL) { - /* - * A different type of this name is - * already stored in the additional - * section. We'll reuse the name. - * Note that this should happen at most - * once. Otherwise, fname-link could - * leak below. - */ - INSIST(mname0 == NULL); - - query_releasename(client, fname); - fname = mname; - mname0 = mname; -} else - need_addname = ISC_TRUE; +if (mname != fname) { + if (mname != NULL) { + /* + * A different type of this name is + * already stored in the additional + * section. We'll reuse the name. + * Note that this should happen at most + * once. Otherwise, fname-link could + * leak below. + */ + INSIST(mname0 == NULL); + + query_releasename(client, fname); + fname = mname; + mname0 = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_UNLINK(cfname.list, crdataset, link); ISC_LIST_APPEND(fname-list, crdataset, link); added_something = ISC_TRUE;
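Review bot: the first hunk (@@ -1137) deletes the `if (name == mname) mname = NULL;` guard in query_isduplicate, which changes the function's contract: a caller can now get back an mname that is the very name it passed in, so every call site that does `query_releasename(client, fname); fname = mname;` has to be checked for the mname == fname case, not only the ones this patch touches. A one-line comment next to `*mnamep = mname;` saying that mname may equal name would record the new contract for future callers.

Review bot: the @@ -1341 hunk handles the new case with `INSIST(mname != fname);` instead of the `if (mname != fname)` guard used at the other three call sites; INSIST aborts named on failure, so if this path can be reached with identical names the fix would turn a lockup into a crash. Either the patch description should say why this caller cannot see mname == fname, or the site should use the same guard as the others.

Review bot: in the @@ -1401 hunk (and the otherwise identical @@ -1444 hunk that follows it), when mname == fname neither branch of the new wrapper runs, so need_addname keeps whatever value it had and `ISC_LIST_APPEND(fname-list, rdataset, link)` still appends to the name already in the message. That is only right if need_addname is initialised to ISC_FALSE above the block, which lies outside the shown context and is worth confirming for both blocks.

Review bot: in the @@ -1960 hunk the equal-names path now skips `INSIST(mname0 == NULL);` and leaves mname0 untouched, so the "should happen at most once" invariant in the comment is no longer checked on that path. If that is intentional because nothing is released when mname == fname, the comment should say so; as rewrapped it still reads as if every non-NULL mname is reused.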
Bug#690142: remote named DoS on recursor (CVE-2012-5166)
Package: bind9
Tags: security
Severity: grave

A security-relevant bug on all versions of bind9 has been discovered. Only recursive servers are vulnerable. To mitigate the effects of a possible attack it should be sufficient to set minimal-responses yes; in the global options {} section.

As information on that bug already leaked (and even got mailed to full-disclosure by Mandriva), I am reporting to the Debian bugtracker. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166 and https://kb.isc.org/article/AA-00801 for details.

best regards,
Adi Kriegisch
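To verify that a recursor actually carries the mitigation the report recommends, here is an added example (not from the bug report, nor BIND's own code): a small Python check that strips named.conf comments, locates the top-level options block and reports the minimal-responses setting. The two configurations are constructed samples, and braces or comment markers inside quoted strings are assumed not to occur.

```python
import re

# Constructed sample named.conf fragments for this example (not from the bug report).
VULNERABLE_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;            // a recursor, so CVE-2012-5166 applies
    // minimal-responses yes; // commented out, so NOT in effect
};
zone "example.test" { type master; file "db.example"; };
"""

MITIGATED_CONF = """
/* global options */
options {
    directory "/var/cache/bind";
    recursion yes;
    minimal-responses yes;   # the mitigation recommended in the bug report
};
"""

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)

def global_options_block(text):
    """Return the body of the top-level options { ... } block, or None.
    Braces inside quoted strings are not special-cased (assumption)."""
    text = strip_comments(text)
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if m is None:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth > 0:   # walk to the matching close brace
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[m.end():i - 1] if depth == 0 else None

def minimal_responses_setting(text):
    """'yes' / 'no' as set in the global options block, None if unset."""
    body = global_options_block(text)
    if body is None:
        return None
    m = re.search(r"(?<![\w-])minimal-responses\s+(yes|no)\s*;", body)
    return m.group(1) if m else None

def mitigated(text):
    """True only when minimal-responses yes; is in effect globally."""
    return minimal_responses_setting(text) == "yes"
```

Feed it the output of `named-checkconf -p` rather than a raw file when includes are involved, since that prints the fully assembled configuration.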
Bug#690142: remote named DoS on recursor (CVE-2012-5166)
Tags: security, patch

Find the Ubuntu patch attached.

best regards,
Adi Kriegisch

=== modified file 'bin/named/query.c' --- bin/named/query.c 2011-11-16 14:22:11 + +++ bin/named/query.c 2012-10-05 09:45:39 + @@ -1024,13 +1024,6 @@ mname = NULL; } - /* - * If the dns_name_t we're looking up is already in the message, - * we don't want to trigger the caller's name replacement logic. - */ - if (name == mname) - mname = NULL; - *mnamep = mname; CTRACE(query_isduplicate: false: done); @@ -1228,6 +1221,7 @@ if (dns_rdataset_isassociated(rdataset) !query_isduplicate(client, fname, type, mname)) { if (mname != NULL) { + INSIST(mname != fname); query_releasename(client, fname); fname = mname; } else @@ -1288,11 +1282,13 @@ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_a, mname)) { -if (mname != NULL) { - query_releasename(client, fname); - fname = mname; -} else - need_addname = ISC_TRUE; +if (mname != fname) { + if (mname != NULL) { + query_releasename(client, fname); + fname = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_APPEND(fname-list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL @@ -1331,11 +1327,13 @@ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_, mname)) { -if (mname != NULL) { - query_releasename(client, fname); - fname = mname; -} else - need_addname = ISC_TRUE; +if (mname != fname) { + if (mname != NULL) { + query_releasename(client, fname); + fname = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_APPEND(fname-list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL 
@@ -1846,22 +1844,24 @@ crdataset-type == dns_rdatatype_) { if (!query_isduplicate(client, fname, crdataset-type, mname)) { -if (mname != NULL) { - /* - * A different type of this name is - * already stored in the additional - * section. We'll reuse the name. - * Note that this should happen at most - * once. Otherwise, fname-link could - * leak below. - */ - INSIST(mname0 == NULL); +if (mname != fname) { + if (mname != NULL) { + /* + * A different type of this name is + * already stored in the additional + * section. We'll reuse the name. + * Note that this should happen at most + * once. Otherwise, fname-link could + * leak below. + */ + INSIST(mname0 == NULL); - query_releasename(client, fname); - fname = mname; - mname0 = mname; -} else - need_addname = ISC_TRUE; + query_releasename(client, fname); + fname = mname; + mname0 = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_UNLINK(cfname.list, crdataset, link); ISC_LIST_APPEND(fname-list, crdataset, link); added_something = ISC_TRUE; === modified file 'debian/changelog' --- debian/changelog 2012-09-12 16:16:57 + +++ debian/changelog 2012-10-05 09:45:39 + @@ -1,3 +1,12 @@ +bind9 (1:9.7.3.dfsg-1ubuntu4.5) oneiric-security; urgency=low + + * SECURITY UPDATE: denial of service via specific combinations of RDATA +- bin/named/query.c: fix logic +- Patch backported from 9.8.3-P4 +- CVE-2012-5166 + + -- Marc Deslauriers marc.deslauri...@ubuntu.com Fri, 05 Oct 2012 09:45:39 -0400 + bind9 (1:9.7.3.dfsg-1ubuntu4.4) oneiric-security; urgency=low * SECURITY UPDATE: denial of service via large crafted resource record
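Review bot: the debian/changelog hunk's `- bin/named/query.c: fix logic` line does not say what logic was fixed; stating the actual change (query_isduplicate no longer clears mname when it equals the name being looked up, and its callers now guard the mname == fname case) would let a reader map the entry to the query.c hunks. The entry's only provenance is "Patch backported from 9.8.3-P4"; adding the upstream advisory already cited in this bug, https://kb.isc.org/article/AA-00801, would make the backport easier to verify later.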