Bug 158217 - net-dns/bind <9.3.3 : multiple remote DoS vulnerabilities
Summary: net-dns/bind <9.3.3 : multiple remote DoS vulnerabilities
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.isc.org/sw/bind/view?relea...
Whiteboard: A3 [] Falco
Keywords:
Duplicates: 158216
Depends on:
Blocks: 131337
Reported: 2006-12-15 07:35 UTC by Alexandre Ghisoli
Modified: 2020-02-06 09:29 UTC
CC: 10 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Simple 9.3.3 ebuild (bind-9.3.3.ebuild, 8.31 KB, text/plain), 2006-12-15 07:38 UTC, Alexandre Ghisoli

Description Alexandre Ghisoli 2006-12-15 07:35:55 UTC
ISC has a new bind version :
http://www.isc.org/sw/bind/view?release=9.3.3

This new version fixes at least 2 vulnerabilities in the BIND name server that could allow a remote attacker to cause a denial of service against an affected system.

http://www.kb.cert.org/vuls/id/915404
http://www.kb.cert.org/vuls/id/697164
http://www.kb.cert.org/vuls/id/938617
Comment 1 Alexandre Ghisoli 2006-12-15 07:38:23 UTC
Created attachment 104090 [details]
Simple 9.3.3 ebuild

This is my very dumb ebuild for version 9.3.3.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2006-12-15 07:57:24 UTC
*** Bug 158216 has been marked as a duplicate of this bug. ***
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-15 14:27:46 UTC
thanks Jakub.

Hi Konstantin, this is a version bump request for you.


Comment 4 Konstantin Arkhipov (RETIRED) gentoo-dev 2006-12-17 09:54:30 UTC
9.3.3 is committed.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-17 15:23:11 UTC
Thanks Konstantin.

Hi arches, please test bind-9.3.3 and mark it stable if appropriate.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-17 15:27:49 UTC
arches, you may also want to test & stabilize bind-9.2.7 since it corrects another vulnerability in the 9.2.x branch: see bug 131337
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2006-12-18 00:35:34 UTC
Both versions stable on x86
Comment 8 Konstantin Arkhipov (RETIRED) gentoo-dev 2006-12-18 02:39:04 UTC
x86: bind-tools must be in sync with bind.
Comment 9 Konstantin Arkhipov (RETIRED) gentoo-dev 2006-12-18 02:44:59 UTC
bind{,-tools}-9.{2.7,3.3} amd64 stable.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-18 02:55:46 UTC
Sec team,

after having deeply looked into the announcements, I think that the corrected vulnerabilities are old ones, which have already been corrected by patches in bind-9.3.2-r4 and bind-9.2.6-r4 ... except CVE-2006-2073 (TSIG DoS). But it is unclear which version does fix that TSIG DoS. It is possible that this vulnerability is not fixed yet. In that case, since the mentioned CVEs on [1] and [2] are:
CVE-2006-4095
CVE-2006-4096
CAN-2005-0034
that would mean this bug is Invalid because these three CVEs have already been previously fixed by patches (9.3.2-r4 and 9.2.6-r4).

Your opinion?

[1] http://www.isc.org/index.pl?/sw/bind/view/?release=9.2.7
[2] http://www.isc.org/index.pl?/sw/bind/view/?release=9.3.3

Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2006-12-18 03:01:34 UTC
You can sort it out between yourselves...x86 is stable anyway with bind-tools too now.
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2006-12-18 04:43:00 UTC
bind-9.3.3 dies miserably on startup on my x86 hardened system:

loki ~ # named -n 2 -u named -f
named: stack smashing attack in function query_find()
Aborted (core dumped)

Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.17-hardened-r1 i686)
=================================================================
System uname: 2.6.17-hardened-r1 i686 Intel(R) Xeon(TM) CPU 2.66GHz
Gentoo Base System version 1.12.6
Last Sync: Mon, 18 Dec 2006 11:30:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=pentium3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer parallel-fetch sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://distfiles.gentoo.org"
LC_ALL="en_US.utf8"
MAKEOPTS="-j5"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://localhost/gentoo-portage"
USE="a52 aac aalib acl apache2 bash-completion bcmath berkdb bzip2 caps cli cracklib crypt ctype cups curl dba dlloader ecc elibc_glibc encode exif extensions flash foomaticdb ftp gd gdbm gif gmp hardened hash hpn iconv idea idn imap imlib innodb input_devices_keyboard input_devices_mouse ipv6 jpeg jpeg2k kernel_linux lcms ldap libclamav mailwrapper mcal mhash milter ming mmx mpm-worker mysql mysqli ncurses network nls nptl oav ogg oscar pam pcre pear perl pic plotutils png ppds readline rle samba sasl session slp snmp spell spf sse ssl tcpd theora threads tiff tokenizer tools truetype unicode userland_GNU userlocales vhosts vorbis x86 xml xml2 xorg xsl xvid zip zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 13 Konstantin Arkhipov (RETIRED) gentoo-dev 2006-12-18 05:01:42 UTC
gustavoz: yep, reproducible.

cc'ing hardened.

==

Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.17-hardened-r1 i686)
=================================================================
System uname: 2.6.17-hardened-r1 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
Gentoo Base System version 1.12.6
Last Sync: Mon, 18 Dec 2006 11:00:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mtune=pentium4 -march=pentium4 -Os -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -mcpu=i386 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer prelink sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.shadanakar.org/ http://distfiles.gentoo.org/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/opt/overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="bash-completion bzip2 dlloader elibc_glibc hardened input_devices_keyboard input_devices_mouse kernel_linux logrotate nptl nptlonly offensive pam pic readline ssl threads unicode userland_GNU userlocales vhosts x86 xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2006-12-18 05:39:12 UTC
sparc stable - i'll stay around for the x86-hardened one.
Comment 15 Guillaume Castagnino 2006-12-18 09:37:23 UTC
Confirm the problem on hardened kernel (hardened-sources-2.6.19-r1) grsec enabled (all RBAC policies disabled):
Dec 18 09:33:45 xwing grsec: From 192.168.14.10: signal 6 sent to /usr/sbin/named[named:28981] uid/euid:40/40 gid/egid:40/40, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/named[named:625] uid/euid:40/40 gid/egid:40/40, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Dec 18 09:33:45 xwing grsec: From 192.168.14.10: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/named[named:28981] uid/euid:40/40 gid/egid:40/40, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
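The stderr message in comment 12 ("stack smashing attack in function query_find()") and the two grsec kernel log lines in comment 15 are two views of the same event: the hardened toolchain's stack protector detects a corrupted canary, the process aborts itself with SIGABRT (signal 6), and grsecurity then refuses the core dump because RLIMIT_CORE is 0, which is why nobody on the thread has a core to backtrace. The following Python script is an added example, not code from this bug or from the Gentoo or BIND projects; it parses both line formats, correlates signal and RLIMIT events per PID, and reports aborts whose core dump was suppressed. The sample lines are quoted from comments 12 and 15, plus one constructed SIGTERM line (hypothetical sshd process, PIDs made up) that the filter should ignore.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SIGABRT = 6

# Lines quoted from comments 12 and 15 of this bug, plus one constructed benign
# grsec line (a SIGTERM to a hypothetical sshd, PIDs made up) to be ignored.
SAMPLE_LINES = [
    "named: stack smashing attack in function query_find()",
    "Aborted (core dumped)",
    "Dec 18 09:33:45 xwing grsec: From 192.168.14.10: signal 6 sent to "
    "/usr/sbin/named[named:28981] uid/euid:40/40 gid/egid:40/40, parent "
    "/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/named[named:625] "
    "uid/euid:40/40 gid/egid:40/40, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Dec 18 09:33:45 xwing grsec: From 192.168.14.10: denied resource overstep by "
    "requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/named[named:28981] "
    "uid/euid:40/40 gid/egid:40/40, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    # constructed: an ordinary SIGTERM, not a stack-protector abort
    "Dec 18 09:40:12 xwing grsec: From 192.168.14.10: signal 15 sent to "
    "/usr/sbin/sshd[sshd:1234] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] "
    "uid/euid:0/0 gid/egid:0/0 by /bin/kill[kill:1300] uid/euid:0/0 gid/egid:0/0, "
    "parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
]

# stderr message printed by the old gcc SSP handler (comment 12)
SSP_RE = re.compile(r"^(?P<prog>[^:\s]+): stack smashing attack in function (?P<func>\w+)\(\)")
# grsec "signal N sent to /path[comm:pid] uid/euid:..." (comment 15, first line)
SIGNAL_RE = re.compile(
    r"grsec: From (?P<src>\S+): signal (?P<sig>\d+) sent to "
    r"(?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)
# grsec "denied resource overstep ... for RLIMIT_X against limit L for /path[comm:pid]"
CORE_RE = re.compile(
    r"grsec: From (?P<src>\S+): denied resource overstep by requesting (?P<req>\d+) "
    r"for (?P<res>RLIMIT_\w+) against limit (?P<lim>\d+) for "
    r"(?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)


@dataclass
class Event:
    kind: str            # "ssp", "signal" or "rlimit"
    comm: str            # process name
    pid: Optional[int]   # None for the stderr message, which carries no PID
    detail: str          # function name, signal number, or "RLIMIT_X req>limit"


def parse_line(line: str) -> Optional[Event]:
    """Turn one log line into an Event, or None if it is not of interest."""
    m = SSP_RE.match(line.strip())
    if m:
        return Event("ssp", m.group("prog"), None, m.group("func"))
    m = SIGNAL_RE.search(line)
    if m:
        return Event("signal", m.group("comm"), int(m.group("pid")), m.group("sig"))
    m = CORE_RE.search(line)
    if m:
        return Event("rlimit", m.group("comm"), int(m.group("pid")),
                     f"{m.group('res')} {m.group('req')}>{m.group('lim')}")
    return None


def find_ssp_aborts(lines: List[str]) -> List[Dict]:
    """Correlate events per PID: a SIGABRT plus an RLIMIT_CORE denial for the same
    process is the kernel-side signature of a stack-protector abort whose core
    file (needed for a backtrace) was suppressed."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    # the stderr message has no PID, so key it by process name instead
    ssp_funcs = {e.comm: e.detail for e in events if e.kind == "ssp"}
    by_pid: Dict[int, List[Event]] = {}
    for e in events:
        if e.pid is not None:
            by_pid.setdefault(e.pid, []).append(e)
    findings = []
    for pid, evs in sorted(by_pid.items()):
        aborted = any(e.kind == "signal" and int(e.detail) == SIGABRT for e in evs)
        if not aborted:
            continue
        core_denied = any(e.kind == "rlimit" and e.detail.startswith("RLIMIT_CORE")
                          for e in evs)
        comm = evs[0].comm
        findings.append({
            "pid": pid,
            "comm": comm,
            "core_dump_suppressed": core_denied,
            "ssp_function": ssp_funcs.get(comm),
        })
    return findings


if __name__ == "__main__":
    for finding in find_ssp_aborts(SAMPLE_LINES):
        print(finding)
```

Run against the sample above it reports one finding: PID 28981 (named), SIGABRT, core dump suppressed, stack protector tripped in query_find. The SIGTERM line is parsed but dropped because signal 15 is not an abort. On a real host the script would read /var/log/messages (or wherever the grsec messages land) and named's stderr, and the "core_dump_suppressed" flag is the cue to raise RLIMIT_CORE for the named user before trying to reproduce, as the thread's participants could not get usable cores.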
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2006-12-18 12:16:31 UTC
ppc64 stable
Comment 17 Cameron Brunner 2006-12-19 00:41:14 UTC
9.3.3 is EXTREMELY unstable locally on a hardened x86 box, just masked it

do have core files here from it, no idea how to actually backtrace them tho, if anyone wants them or wants me to do something to them just tell me what

bind runs in chroot

Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.19-hardened-r1 i686)
=================================================================
System uname: 2.6.19-hardened-r1 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System version 1.12.6
Last Sync: Tue, 19 Dec 2006 01:47:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.5, 1.6.3, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-Os -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.iinet.net.au/linux/Gentoo/ http://gentoo.osuosl.org/"
LDFLAGS="-Wl,-O1 -Wl,--enable-new-dtags -Wl,--sort-common"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/overlays/qmr-portage /usr/portage/local/layman/php-testing /usr/portage/local/layman/php-experimental /usr/portage/local/layman/postgresql-testing /usr/portage/local/layman/xeffects /usr/portage/local/layman/xeffects-experimental"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apache2 authdaemond bash-completion berkdb crypt dlloader elibc_glibc fam graphviz hardened idea imap input_devices_keyboard input_devices_mouse ithreads jpeg jpeg2k kernel_linux logrotate maildir nptl nptlonly pam pic rc5 readline ssl tcpd threads urandom userland_GNU userlocales valias vhosts x86 xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 18 Zdenek Herman 2006-12-19 10:12:47 UTC
Portage 2.1.1-r2 (default-linux/amd64/2006.1, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17.13 x86_64)
=================================================================
System uname: 2.6.17.13 x86_64 AMD Opteron(tm) Processor 246
Gentoo Base System version 1.12.6
Last Sync: Tue, 19 Dec 2006 17:30:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X509 accessibility acl acpi adns aim amd64 apache2 apm berkdb bitmap-fonts bzlib calendar chroot cli cracklib crypt cscope ctype cups curl curlwrappers dba dbm dbx dedicated dio dlloader dri elibc_glibc erandom exif fam fastcgi fftw flatfile foomaticdb fortran freedts ftp gd gdbm gif gps hardened imap imlib inifile innodb input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 isdnlog ithreads jabber jikes jpeg justify kerberos kernel_linux libedit libwww maildir mailwrapper mbox mcal mcve memlimit mhash mime ming mmap mng msession mysql mysqli ncurses nis nls nocardbus nptl nptlonly odbc offensive pam pcntl pcre pdflib perl php pic pie png posix pppd prelude pwdb python readline recode reflection sasl session sftplogging simplexml skey snmp sockets spell spl ssl sysvipc szip tcpd threads tidy tiff tokensizer truetype-fonts type1-fonts udev unicode usb userland_GNU vhosts video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i810 video_cards_mga video_cards_neomagic video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo wmf xml xml-rpc xml2 xorg xsl zeo zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS

Yesterday I tried to upgrade to bind 9.3.3
[ebuild     U ] net-dns/bind-9.3.3 [9.3.2-r4] USE="berkdb idn ipv6 mysql odbc ssl threads -dlz -doc -ldap -postgres -resolvconf% (-selinux)" 0 kB

After the upgrade I restarted named, but after a few seconds it crashed without any errors in my daemon logs.
Version 9.3.2-r4 works great.
Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-19 12:27:58 UTC
ppc stable, nixnut tested on hardened/ppc and couldn't reproduce any errors.
Comment 20 Konstantin Arkhipov (RETIRED) gentoo-dev 2006-12-20 12:54:59 UTC
wrt comment #10 - I think we should mask bind-9.3.3 until stability issues are sorted out.

?
Comment 21 René Nussbaumer (RETIRED) gentoo-dev 2006-12-20 13:54:23 UTC
stable on hppa.
Comment 22 Konstantin Arkhipov (RETIRED) gentoo-dev 2006-12-21 06:37:53 UTC
so I'm going to mask bind/bind-tools 9.2.7/9.3.3 tomorrow, 22-12-2006, since there are no objections against it.
Comment 23 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-21 07:17:31 UTC
(In reply to comment #22)
> so i'm going to mask bind/bind-tools 9.2.7/9.3.3 tomorrow, 22-12-2006, since
> there are no objections against it.
> 

As you want.

I think there is no security issue in the portage tree fixed with these versions. I'll close that bug as Invalid unless someone disagrees here.
Comment 24 Konstantin Arkhipov (RETIRED) gentoo-dev 2006-12-22 02:08:06 UTC
bind{,-tools}-9.{2.7,3.3} masked.
Comment 25 Jorge Nerin 2007-01-02 01:24:04 UTC
Well, I have the same problem, bind-9.3.3 was only capable of answering the first request for a local domain, after answering it died with "named: stack smashing attack in function query_find()", I reported it in bug 158664 comment #8, you have to run named from command line in order to see the error.

I think the problem could be in the -O flag of gcc; I was able to run bind-9.3.3 stably by downgrading from -O2 to just -O.

I'm using bind chrooted in a hardened amd64.
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-07 21:53:43 UTC
Closing as Invalid since 9.3.3 brings no security fix; please follow bug 158664 if you are concerned about the 9.3.3 stack smashing issues.

Feel free to reopen if you disagree
Comment 27 Raúl Porcel (RETIRED) gentoo-dev 2007-03-31 18:23:54 UTC
ia64 done