Bug#: 254134
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Description:   Opened: 2009-01-07 18:34 0000
BIND uses the OpenSSL DSA_verify function and incorrectly checks the return
code, refer to bug 251346 for details.

------- Comment #1 From Robert Buchholz 2009-01-07 18:40:04 0000 -------
According to oCERT, this was fixed in 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1.
Can't connect to isc.org to check though.

------- Comment #2 From Tobias Scherbaum 2009-01-07 18:46:44 0000 -------
(In reply to comment #1)
> According to oCERT, this was fixed in 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1.
> Can't connect to isc.org to check though.
> 

I'll quickly bump to 9.4.3_p1; 9.5.1_p1 and 9.6.0_p1 will follow.

from: ftp://ftp.isc.org/isc/bind9/9.4.3-P1/9.4.3-P1

                BIND 9.4.3-P1 is now available.

BIND 9.4.3-P1 is a SECURITY patch for BIND 9.4.3.  It addresses a bug
in which return values from some OpenSSL functions were left unchecked,
making it theoretically possible to spoof answers from some signed
zones.

        Bugs should be reported to bind9-bugs@isc.org.

BIND 9.4.3-P1 can be downloaded from

        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz

The PGP signature of the distribution is at

        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <http://www.isc.org/ISC/isckey.txt>.

A binary kit for Windows XP and Windows 2003 is at

        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip
        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.asc
        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.sha512.asc
        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.asc
        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.sha512.asc

Changes since 9.4.3:

2522.   [security]      Handle -1 from DSA_do_verify().

2498.   [bug]           Removed a bogus function argument used with
                        ISC_SOCKET_USE_POLLWATCH: it could cause compiler
                        warning or crash named with the debug 1 level
                        of logging. [RT #18917]
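
Worked example of the return-code bug behind changelog entry 2522 and the bug description above. This is code added here by the editor, not BIND's or OpenSSL's own. OpenSSL's DSA_do_verify() returns 1 for a valid signature, 0 for an invalid one and -1 on error, so a caller that tests the result with `if (ret)` or `if (ret != 0)` treats the error case as a successful verification, and an attacker who can make the library error out on a signature blob of their choosing gets it accepted without ever holding the private key. The toy DSA below uses constructed parameters (p=23, q=11, g=4, private key 3, digest 7, nonce 7), is not cryptographically meaningful, and returns -1 for a signature whose r or s lies outside [1, q-1] as a stand-in for the library's error paths (which inputs reach an error path in the real DSA_do_verify depends on the OpenSSL version, so treat that trigger as an assumption of the example). All names (toy_verify, accept_vulnerable, accept_fixed, DEMO_*) belong to this example only.

```c
/* Toy DSA over tiny constructed parameters, used only to show the
 * tri-state verify contract of OpenSSL's DSA_do_verify() and why a
 * caller must test for == 1 rather than != 0.  Example code, not
 * BIND or OpenSSL source. */
#include <stdint.h>
#include <stdio.h>

#define TOY_P 23u  /* constructed prime modulus p */
#define TOY_Q 11u  /* constructed prime q, q | (p-1) */
#define TOY_G 4u   /* 2^((p-1)/q) mod p, generator of the order-q subgroup */

/* Constructed key material and message digest (already reduced mod q). */
enum { DEMO_X = 3, DEMO_Y = 18 /* = g^x mod p */, DEMO_H = 7, DEMO_K = 7 };

typedef struct { uint32_t r, s; } toy_sig;

static uint32_t modpow(uint32_t b, uint32_t e, uint32_t m) {
    uint64_t acc = 1, base = b % m;
    while (e) {
        if (e & 1) acc = acc * base % m;
        base = base * base % m;
        e >>= 1;
    }
    return (uint32_t)acc;
}

/* Inverse modulo the prime q via Fermat: a^(q-2) mod q. */
static uint32_t modinv(uint32_t a, uint32_t q) { return modpow(a, q - 2, q); }

/* Textbook DSA signing: r = (g^k mod p) mod q, s = k^-1 (h + x r) mod q. */
static int toy_sign(uint32_t h, uint32_t x, uint32_t k, toy_sig *sig) {
    sig->r = modpow(TOY_G, k, TOY_P) % TOY_Q;
    sig->s = (uint32_t)((uint64_t)modinv(k, TOY_Q) * ((h + (uint64_t)x * sig->r) % TOY_Q) % TOY_Q);
    return (sig->r != 0 && sig->s != 0) ? 1 : 0;
}

/* Same contract as OpenSSL's DSA_do_verify():
 *    1  signature verified
 *    0  signature does not verify
 *   -1  error; here triggered by r or s outside [1, q-1] (malformed input),
 *       standing in for the library's internal error paths. */
static int toy_verify(uint32_t h, uint32_t y, const toy_sig *sig) {
    if (sig->r == 0 || sig->r >= TOY_Q || sig->s == 0 || sig->s >= TOY_Q)
        return -1;
    uint32_t w  = modinv(sig->s, TOY_Q);
    uint32_t u1 = (uint32_t)((uint64_t)h * w % TOY_Q);
    uint32_t u2 = (uint32_t)((uint64_t)sig->r * w % TOY_Q);
    uint32_t v  = (uint32_t)(((uint64_t)modpow(TOY_G, u1, TOY_P) * modpow(y, u2, TOY_P) % TOY_P) % TOY_Q);
    return v == sig->r ? 1 : 0;
}

/* The flawed caller-side check: "if (ret)" accepts -1 as success. */
static int accept_vulnerable(int ret) { return ret != 0; }

/* The corrected check: only an explicit 1 counts as a verified signature. */
static int accept_fixed(int ret) { return ret == 1; }

/* Three verifications returning the raw tri-state result. */
static int verify_genuine(void) {
    toy_sig s; toy_sign(DEMO_H, DEMO_X, DEMO_K, &s);
    return toy_verify(DEMO_H, DEMO_Y, &s);               /* expect 1 */
}
static int verify_tampered(void) {
    toy_sig s; toy_sign(DEMO_H, DEMO_X, DEMO_K, &s);
    return toy_verify(DEMO_H + 1, DEMO_Y, &s);           /* expect 0 */
}
static int verify_malformed(void) {
    toy_sig forged = { 0, TOY_Q };                       /* never signed by anyone */
    return toy_verify(DEMO_H, DEMO_Y, &forged);          /* expect -1 */
}

int main(void) {
    const char *names[] = { "genuine", "tampered digest", "malformed (forged)" };
    int results[] = { verify_genuine(), verify_tampered(), verify_malformed() };
    for (int i = 0; i < 3; i++)
        printf("%-20s verify=%2d  if(ret)->%s  if(ret==1)->%s\n", names[i], results[i],
               accept_vulnerable(results[i]) ? "ACCEPT" : "reject",
               accept_fixed(results[i]) ? "ACCEPT" : "reject");
    return 0;
}
```

The last output row is the whole bug: a signature nobody produced with the private key is accepted under the `if (ret)` policy and rejected under `if (ret == 1)`, which is what "Handle -1 from DSA_do_verify()" in the changelog amounts to, treating anything other than 1 as a failed verification.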

------- Comment #3 From Tobias Scherbaum 2009-01-07 19:20:03 0000 -------
9.4.3_p1 is in CVS.

Candidates for stabilization:
=net-dns/bind-9.4.3_p1
=net-dns/bind-tools-9.4.3_p1

------- Comment #4 From Guy Martin 2009-01-08 15:48:36 0000 -------
both stable on hppa

------- Comment #5 From Brent Baude 2009-01-08 16:25:23 0000 -------
ppc64 done

------- Comment #6 From Tobias Scherbaum 2009-01-09 16:22:36 0000 -------
ppc stable

------- Comment #7 From Tobias Klausmann 2009-01-09 21:06:47 0000 -------
Both stable on alpha.

------- Comment #8 From Markus Meier 2009-01-10 10:04:09 0000 -------
amd64/x86 stable

------- Comment #9 From Raúl Porcel 2009-01-10 16:52:11 0000 -------
ia64/sparc stable

------- Comment #10 From Stefan Behte 2009-01-10 18:17:59 0000 -------
Ready to vote, I vote YES.

------- Comment #11 From Pierre-Yves Rofes 2009-01-11 17:55:11 0000 -------
voting yes too, request filed.

------- Comment #12 From Robert Buchholz 2009-03-09 13:10:24 0000 -------
GLSA 200903-14
