254134 – (CVE-2009-0025) net-dns/bind <9.4.3_p1 incorrect checks for malformed DSA signatures (CVE-2009-0025)

Bug 254134 (CVE-2009-0025) - net-dns/bind <9.4.3_p1 incorrect checks for malformed DSA signatures (CVE-2009-0025)

Summary: net-dns/bind <9.4.3_p1 incorrect checks for malformed DSA signatures (CVE-200...

Status:	RESOLVED FIXED

Alias:	CVE-2009-0025

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://groups.google.com/group/comp.p...
Whiteboard:	B3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2009-01-07 18:34 UTC by Robert Buchholz (RETIRED)
Modified:	2020-04-10 11:35 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2009-01-07 18:34:17 UTC

BIND uses the OpenSSL DSA_verify function and incorrectly checks the return code,
code, refer to bug 251346 for details.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2009-01-07 18:40:04 UTC

According to oCERT, this was fixed in 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1. Can't connect to isc.org to check though.

Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev

2009-01-07 18:46:44 UTC

(In reply to comment #1)
> According to oCERT, this was fixed in 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1.
> Can't connect to isc.org to check though.
> 

I'll quickly bump to 9.4.3_p1, 9.5.1_p1 and 9.6.0_p1 will follow.

from: ftp://ftp.isc.org/isc/bind9/9.4.3-P1/9.4.3-P1

		BIND 9.4.3-P1 is now available.

BIND 9.4.3-P1 is a SECURITY patch for BIND 9.4.3.  It addresses a bug
in which return values from some OpenSSL functions were left unchecked,
making it theoretically possible to spoof answers from some signed
zones.

	Bugs should be reported to bind9-bugs@isc.org.

BIND 9.4.3-P1 can be downloaded from

	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz

The PGP signature of the distribution is at

	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <http://www.isc.org/ISC/isckey.txt>.

A binary kit for Windows XP and Window 2003 is at

	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip

The PGP signature of the binary kit for Windows XP and Window 2003 is at
	
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.sha512.asc

Changes since 9.4.3:

2522.	[security]	Handle -1 from DSA_do_verify().

2498.	[bug]		Removed a bogus function argument used with
			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
			warning or crash named with the debug 1 level
			of logging. [RT #18917]

Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev

2009-01-07 19:20:03 UTC

9.4.3_p1 is inCVS.

Candidates for stabilization:
=net-dns/bind-9.4.3_p1
=net-dns/bind-tools-9.4.3_p1

Comment 4 Guy Martin (RETIRED) gentoo-dev

2009-01-08 15:48:36 UTC

both stable on hppa

Comment 5 Brent Baude (RETIRED) gentoo-dev

2009-01-08 16:25:23 UTC

ppc64 done

Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev

2009-01-09 16:22:36 UTC

ppc stable

Comment 7 Tobias Klausmann (RETIRED) gentoo-dev

2009-01-09 21:06:47 UTC

Both stable on alpha.

Comment 8 Markus Meier gentoo-dev

2009-01-10 10:04:09 UTC

amd64/x86 stable

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2009-01-10 16:52:11 UTC

ia64/sparc stable

Comment 10 Stefan Behte (RETIRED) gentoo-dev

2009-01-10 18:17:59 UTC

Ready to vote, I vote YES.

Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev

2009-01-11 17:55:11 UTC

voting yes too, request filed.

Comment 12 Robert Buchholz (RETIRED) gentoo-dev

2009-03-09 13:10:24 UTC

GLSA 200903-14