Bug#690142: remote named DoS on recursor (CVE-2012-5166)

2012-10-16 Thread Michael Gilbert
On Mon, Oct 15, 2012 at 11:52 PM, Matthew Grant wrote:
> Thanks for that: Bit of a situation brewing for bind9 re #690569 (failure to
> resolve dnssec-validated wildcards - major non-compliance to RFC etc) and
> #690142 (this CVE)

> Would appreciate your advice on how to proceed please.  Note: Will use
> nmudiff next time, and be careful about .orig.tar.gz.

The junk comes from bind's clean rule being insufficiently clean.
For packages like this, I usually make changes, then copy them to a
new dir to build so that my original dir stays clean.

Best wishes,
Mike


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#690142: remote named DoS on recursor (CVE-2012-5166)

2012-10-15 Thread Michael Gilbert
Hi, I've canceled this nmu. There were a lot of Makefile and other
files unrelated to the security fix that got included vs -4.2.  Also,
an nmu requirement is to attach the full diff to the bug report to
help the maintainer out later.

Best wishes,
Mike





Bug#690142: remote named DoS on recursor (CVE-2012-5166)

2012-10-14 Thread Matthew Grant
Package: bind9
Version: 1:9.8.1.dfsg.P1-4.2
Followup-For: Bug #690142

Dear Maintainer,

Attaching a patch for this version of Debian bind9.  NMUing in 2 days with
1:9.8.1.dfsg.P1-4.3


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- /tmp/bind9-9.8.1.dfsg.P1/bin/named/query.c	2011-11-16 22:32:08.0 +1300
+++ bind9-9.8.1.dfsg.P1/bin/named/query.c	2012-10-15 13:48:55.572735596 +1300
@@ -1137,13 +1137,6 @@
 		mname = NULL;
 	}
 
-	/*
-	 * If the dns_name_t we're looking up is already in the message,
-	 * we don't want to trigger the caller's name replacement logic.
-	 */
-	if (name == mname)
-		mname = NULL;
-
 	*mnamep = mname;
 
 	CTRACE(query_isduplicate: false: done);
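Review bot: dropping the `if (name == mname) mname = NULL;` special case changes the contract of query_isduplicate(): callers now get the in-message name back even when it is the very name they passed in, so each call site has to handle `mname == fname` itself. The four hunks below do that, but please confirm there are no other callers in this 9.8.1 query.c that the backport misses; an unconverted caller would fall into the old `else need_addname = ISC_TRUE;` path for a name that is already in the message.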
@@ -1341,6 +1334,7 @@
 	if (dns_rdataset_isassociated(rdataset) 
 	!query_isduplicate(client, fname, type, mname)) {
 		if (mname != NULL) {
+			INSIST(mname != fname);
 			query_releasename(client, fname);
 			fname = mname;
 		} else
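Review bot: this site asserts `INSIST(mname != fname);` while the later hunks guard the same condition with `if (mname != fname)`. The two are not equivalent: the guard skips the name replacement, whereas a failed INSIST aborts named. If this call site provably cannot receive mname == fname (presumably upstream's reason for asserting here), a one-line comment saying why would help the next backporter; otherwise it should use the same guard as the other sites.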
@@ -1401,11 +1395,13 @@
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 	   dns_rdatatype_a, mname)) {
-if (mname != NULL) {
-	query_releasename(client, fname);
-	fname = mname;
-} else
-	need_addname = ISC_TRUE;
+if (mname != fname) {
+	if (mname != NULL) {
+		query_releasename(client, fname);
+		fname = mname;
+	} else
+		need_addname = ISC_TRUE;
+}
 ISC_LIST_APPEND(fname-list, rdataset, link);
 added_something = ISC_TRUE;
 if (sigrdataset != NULL 
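Review bot: as pasted into the bug this hunk has lost characters to the mail rendering: the indentation of the `if (mname != NULL)` ladder is gone, `fname-list` in `ISC_LIST_APPEND(fname-list, rdataset, link);` is not a valid pointer member access (it should be `fname->list`), and the trailing context line `if (sigrdataset != NULL ` ends without its `&&`. The diff as shown here will not apply; attach it as a file (or generate it with nmudiff, as already noted in the thread) so the maintainer gets the byte-exact patch.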
@@ -1444,11 +1440,13 @@
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 	   dns_rdatatype_, mname)) {
-if (mname != NULL) {
-	query_releasename(client, fname);
-	fname = mname;
-} else
-	need_addname = ISC_TRUE;
+if (mname != fname) {
+	if (mname != NULL) {
+		query_releasename(client, fname);
+		fname = mname;
+	} else
+		need_addname = ISC_TRUE;
+}
 ISC_LIST_APPEND(fname-list, rdataset, link);
 added_something = ISC_TRUE;
 if (sigrdataset != NULL 
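Review bot: this hunk is a copy of the previous one apart from the rdata type, and the context line `dns_rdatatype_, mname)) {` shows the type identifier truncated in the pasted copy, so this hunk too cannot be taken from the mail body. Repeating the `if (mname != fname) { if (mname != NULL) ... else need_addname = ISC_TRUE; }` ladder at each additional-section site is how upstream structured the fix, so keeping the duplication is the right call for a security backport rather than refactoring it here.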
@@ -1960,22 +1958,24 @@
 		crdataset-type == dns_rdatatype_) {
 			if (!query_isduplicate(client, fname, crdataset-type,
 	   mname)) {
-if (mname != NULL) {
-	/*
-	 * A different type of this name is
-	 * already stored in the additional
-	 * section.  We'll reuse the name.
-	 * Note that this should happen at most
-	 * once.  Otherwise, fname-link could
-	 * leak below.
-	 */
-	INSIST(mname0 == NULL);
-
-	query_releasename(client, fname);
-	fname = mname;
-	mname0 = mname;
-} else
-	need_addname = ISC_TRUE;
+if (mname != fname) {
+	if (mname != NULL) {
+		/*
+		 * A different type of this name is
+		 * already stored in the additional
+		 * section.  We'll reuse the name.
+		 * Note that this should happen at most
+		 * once.  Otherwise, fname-link could
+		 * leak below.
+		 */
+		INSIST(mname0 == NULL);
+
+		query_releasename(client, fname);
+		fname = mname;
+		mname0 = mname;
+	} else
+		need_addname = ISC_TRUE;
+}
 ISC_LIST_UNLINK(cfname.list, crdataset, link);
 ISC_LIST_APPEND(fname-list, crdataset, link);
 added_something = ISC_TRUE;
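Review bot: the reuse comment ("A different type of this name is already stored in the additional section ... this should happen at most once") and `INSIST(mname0 == NULL);` now sit inside the new `if (mname != fname)` guard, but the comment says nothing about the case the guard introduces: when mname == fname neither the release nor `need_addname = ISC_TRUE` runs, and crdataset is appended to fname as a name that is already in the message. A sentence in that comment explaining why the equal case needs no action, and why it cannot interfere with the mname0 leak check, would make the intent clear to whoever carries this forward to later 9.8 point releases.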


Bug#690142: remote named DoS on recursor (CVE-2012-5166)

2012-10-10 Thread Adi Kriegisch
Package: bind9
Tags: security
Severity: grave

A security-relevant bug on all versions of bind9 has been discovered. Only
recursive servers are vulnerable. To mitigate the effects of a possible
attack, it should be sufficient to set minimal-responses yes; in the
global options {} section.

As information on that bug already leaked (and even got mailed to
full-disclosure by Mandriva), I am reporting to the Debian bugtracker.
See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166 and
https://kb.isc.org/article/AA-00801 for details.

best regards,
Adi Kriegisch


signature.asc
Description: Digital signature
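The mitigation named in the report above, written out as a named.conf fragment. This is an added illustration, not configuration from the bug thread or from ISC; the ACL name "trusted-clients", the client prefixes and the directory path are placeholders.

```conf
// Added illustration of the interim mitigation from the report above;
// not part of the bug thread or of ISC's documentation.
// "trusted-clients" and its prefixes are placeholders.
acl "trusted-clients" { 192.0.2.0/24; 2001:db8::/32; };

options {
    directory "/var/cache/bind";

    // Only recursive servers are affected, so keep recursion restricted
    // to the clients that actually need it.
    recursion yes;
    allow-recursion { "trusted-clients"; };

    // Interim mitigation until the fixed package is installed: only add
    // authority/additional records when they are required, which keeps
    // responses away from most of the additional-section name handling
    // that the patches in this thread change.
    minimal-responses yes;
};
```

Check the result with `named-checkconf` before applying it with `rndc reconfig`; the setting is a workaround, not a replacement for the patched package.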


Bug#690142: remote named DoS on recursor (CVE-2012-5166)

2012-10-10 Thread Adi Kriegisch
Tags: security, patch

Find the Ubuntu patch attached.

best regards,
Adi Kriegisch
=== modified file 'bin/named/query.c'
--- bin/named/query.c	2011-11-16 14:22:11 +
+++ bin/named/query.c	2012-10-05 09:45:39 +
@@ -1024,13 +1024,6 @@
 		mname = NULL;
 	}
 
-	/*
-	 * If the dns_name_t we're looking up is already in the message,
-	 * we don't want to trigger the caller's name replacement logic.
-	 */
-	if (name == mname)
-		mname = NULL;
-
 	*mnamep = mname;
 
 	CTRACE(query_isduplicate: false: done);
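Review bot: this is the 9.7.3 (oneiric) form of the patch; its hunk header `@@ -1024,13 +1024,6 @@` (versus `@@ -1137,13 +1137,6 @@` in the wheezy diff earlier in the thread) shows it was generated against a different query.c than the 1:9.8.1.dfsg.P1 source this bug is filed against, so it will need offset adjustment or a regenerated diff before it applies cleanly to the Debian package. The content of the hunk itself is the same as in the Debian backport.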
@@ -1228,6 +1221,7 @@
 	if (dns_rdataset_isassociated(rdataset) 
 	!query_isduplicate(client, fname, type, mname)) {
 		if (mname != NULL) {
+			INSIST(mname != fname);
 			query_releasename(client, fname);
 			fname = mname;
 		} else
@@ -1288,11 +1282,13 @@
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 	   dns_rdatatype_a, mname)) {
-if (mname != NULL) {
-	query_releasename(client, fname);
-	fname = mname;
-} else
-	need_addname = ISC_TRUE;
+if (mname != fname) {
+	if (mname != NULL) {
+		query_releasename(client, fname);
+		fname = mname;
+	} else
+		need_addname = ISC_TRUE;
+}
 ISC_LIST_APPEND(fname-list, rdataset, link);
 added_something = ISC_TRUE;
 if (sigrdataset != NULL 
@@ -1331,11 +1327,13 @@
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 	   dns_rdatatype_, mname)) {
-if (mname != NULL) {
-	query_releasename(client, fname);
-	fname = mname;
-} else
-	need_addname = ISC_TRUE;
+if (mname != fname) {
+	if (mname != NULL) {
+		query_releasename(client, fname);
+		fname = mname;
+	} else
+		need_addname = ISC_TRUE;
+}
 ISC_LIST_APPEND(fname-list, rdataset, link);
 added_something = ISC_TRUE;
 if (sigrdataset != NULL 
@@ -1846,22 +1844,24 @@
 		crdataset-type == dns_rdatatype_) {
 			if (!query_isduplicate(client, fname, crdataset-type,
 	   mname)) {
-if (mname != NULL) {
-	/*
-	 * A different type of this name is
-	 * already stored in the additional
-	 * section.  We'll reuse the name.
-	 * Note that this should happen at most
-	 * once.  Otherwise, fname-link could
-	 * leak below.
-	 */
-	INSIST(mname0 == NULL);
+if (mname != fname) {
+	if (mname != NULL) {
+		/*
+		 * A different type of this name is
+		 * already stored in the additional
+		 * section.  We'll reuse the name.
+		 * Note that this should happen at most
+		 * once.  Otherwise, fname-link could
+		 * leak below.
+		 */
+		INSIST(mname0 == NULL);
 
-	query_releasename(client, fname);
-	fname = mname;
-	mname0 = mname;
-} else
-	need_addname = ISC_TRUE;
+		query_releasename(client, fname);
+		fname = mname;
+		mname0 = mname;
+	} else
+		need_addname = ISC_TRUE;
+}
 ISC_LIST_UNLINK(cfname.list, crdataset, link);
 ISC_LIST_APPEND(fname-list, crdataset, link);
 added_something = ISC_TRUE;

=== modified file 'debian/changelog'
--- debian/changelog	2012-09-12 16:16:57 +
+++ debian/changelog	2012-10-05 09:45:39 +
@@ -1,3 +1,12 @@
+bind9 (1:9.7.3.dfsg-1ubuntu4.5) oneiric-security; urgency=low
+
+  * SECURITY UPDATE: denial of service via specific combinations of RDATA
+- bin/named/query.c: fix logic
+- Patch backported from 9.8.3-P4
+- CVE-2012-5166
+
+ -- Marc Deslauriers marc.deslauri...@ubuntu.com  Fri, 05 Oct 2012 09:45:39 -0400
+
 bind9 (1:9.7.3.dfsg-1ubuntu4.4) oneiric-security; urgency=low
 
   * SECURITY UPDATE: denial of service via large crafted resource record
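Review bot: this changelog entry is Ubuntu's (`1:9.7.3.dfsg-1ubuntu4.5`, `oneiric-security`) and cannot be carried into the Debian NMU as-is: the NMU entry needs the Debian version announced in this bug (`1:9.8.1.dfsg.P1-4.3`), a Debian target suite, a "Non-maintainer upload." line, a `Closes: #690142` reference, and the uploader's own name and date. The description "bin/named/query.c: fix logic" is also thin; naming the changed function (query_isduplicate and its callers) would make the entry useful when someone searches the changelog later.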


