
Bug 231201 (CVE-2008-1447)

Summary: net-dns/bind < 9.4.2_p1, < 9.5.0_p1 Port randomization/cache poisoning (CVE-2008-1447)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: bind+disabled, martin.holzer, rich0, stefan, tb
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://ftp.isc.org/isc/bind9/9.5.1b1/9.5.1b1
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 225885    

Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-08 17:43:11 UTC
BIND 9.5.1 Beta 1 is now available.

    BIND 9.5.1b1 is a beta maintenance release of BIND 9.5.

  URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
  URGENT                                                                URGENT 
  URGENT                Please read security alert below!               URGENT 
  URGENT                                                                URGENT 
  URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT

    BIND 9.5.1b1 contains the following security fixes:

2375.	[security]	Fully randomize UDP query ports to improve
			forgery resilience. [RT #17949]

2384.	[security]	Additional support for query port randomization (change
			#2375) including performance improvement and port range
			specification.  [RT #17949, #18098]

    Thanks to recent work by Dan Kaminsky of IOActive, ISC has become
    aware of a potential attack exploiting weaknesses in the DNS protocol
    itself to enable the poisoning of caching recursive resolvers with
    spoofed data.

    For additional information about this vulnerability, see US-CERT
    (CERT VU#800113 DNS Cache Poisoning Issue).  For more details on the
    changes to BIND, see http://www.isc.org/sw/bind/forgery-resilience.php.

    IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.

    DNSSEC is the only definitive solution for this issue.  Understanding
    that immediate DNSSEC deployment is not a realistic expectation, ISC
    is releasing patched versions of BIND that improve its resilience
    against this attack.  The method used makes it harder to spoof answers
    to a resolver by expanding the range of UDP ports from which queries
    are sent by the nameserver, thereby increasing the variability of
    parameters in outgoing queries.

BIND 9.5.1b1 can be downloaded from

        ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz

The PGP signature of the distribution is at

        ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.

A binary kit for Windows 2000, Windows XP and Windows 2003 is at

	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip

The PGP signature of the binary kit for Windows 2000, Windows XP and
Windows 2003 is at
        
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip.sha512.asc

Changes since 9.5.0:

	--- 9.5.1b1 released ---

2385.	[bug]		A condition variable in socket.c could leak in
			rare error handling [RT #17968].

2384.	[security]	Additional support for query port randomization (change
			#2375) including performance improvement and port range
			specification.  [RT #17949, #18098]

2383.	[bug]		named could double queries when they resulted in
			SERVFAIL due to overkilling EDNS0 failure detection.
			[RT #18182]

2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
			to ARM.

2381.	[port]		dlz/mysql: support multiple install layouts for
			mysql.  <prefix>/include/{,mysql/}mysql.h and
			<prefix>/lib/{,mysql/}. [RT #18152]

2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
			proofs which, in turn, caused validation failures
			for insecure zones immediately below a secure zone
			the server was authoritative for. [RT #18112] 

2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
			TLDs and supported RRs with TTLs [RT #17972]

2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
			[RT #18169]

2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]

2376.	[bug]		Change #2144 was not complete.

2375.	[security]	Fully randomize UDP query ports to improve
			forgery resilience. [RT #17949]

2373.	[bug]		Default values of zone ACLs were re-parsed each time a
			new zone was configured, causing an overconsumption
			of memory. [RT #18092]
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-08 18:23:50 UTC
Linux since 2.6.24 independently randomizes UDP source ports if none is specified.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-08 19:00:31 UTC
I just committed 9.4.2_p1 and 9.5.0_p1.

Candidates for stabilization:
=net-dns/bind-9.4.2_p1
=net-dns/bind-tools-9.4.2_p1
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-07-08 19:21:49 UTC
Arches, please test and mark stable:
=net-dns/bind-9.4.2_p1
=net-dns/bind-tools-9.4.2_p1

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Angelo Arrifano (RETIRED) gentoo-dev 2008-07-08 21:53:11 UTC
net-dns/bind-9.4.2_p1  USE="berkdb doc mysql ssl threads -dlz -idn -ipv6 -ldap -odbc -postgres -resolvconf (-selinux) -urandom"
net-dns/bind-tools-9.4.2_p1  USE="-idn -ipv6"

* Emerges on AMD64.
* Works:
  bind runs and works (some queries were made).
  dig, nslookup and dnssec-keygen from bind-tools are also working.

- -

Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.24-gentoo-r8 x86_64 AMD Turion(tm) 64 X2 Mobile Technology TL-56
Timestamp of tree: Tue, 08 Jul 2008 20:38:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r13
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -Os -msse3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=k8 -Os -msse3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://darkstar.ist.utl.pt/gentoo/ http://cesium.di.uminho.pt/pub/gentoo/"
LANG="pt_PT@euro"
LINGUAS="en pt pt_PT"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi alsa amd64 amr amrnb amrwb bash-completion berkdb branding bzip2 cairo cli cracklib crypt cups dbus devhelp divx doc dvd dvdr emerald encode exif fam ffmpeg firefox flac fortran gd gdbm gif gimp glade glib glitz gstreamer gtk gtkspell hal hddtemp iconv ieee1394 imagemagick insecure-savers isdnlog javascript jpeg jpeg2k kde kqemu lame laptop libcaca libnotify midi mmx mmxext mp2 mp3 mp4 mpeg mplayer mudflap musicbrainz mysql ncurses nls nptl nptlonly offensive ogg opengl openmp pam pcre png pppd python quicktime readline realmedia reflection samba sdl session smp sndfile sourceview spell spl sse sse2 ssl stream svg syslog taglib tcpd threads tiff truetype type1 unicode v4l v4l2 vhosts vim-syntax vorbis wifi wmp xcomposite xfs xorg xosd xpm xscreensaver xvid zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="spca50x" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev synaptics joystick" KERNEL="linux" LCD_DEVICES="xosd" LINGUAS="en pt pt_PT" USERLAND="GNU" VIDEO_CARDS="nv nvidia none"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 5 Richard Freeman gentoo-dev 2008-07-09 01:45:58 UTC
If you install bind-tools first you get a collision on:
/usr/share/man/man8/dnssec-keygen.8

It apparently used to belong to bind.  Ideally bind-tools should block on older versions of bind.  However, being a security bug I'm not sure if we normally let these issues slide...
Comment 6 Richard Freeman gentoo-dev 2008-07-09 01:51:21 UTC
bind triggers a repoman error - unquoted variable on line 63 (filesdir - trivial to fix). 

Both are ready to stable on amd64 other than the minor QA issues.  I'm not sure how we normally handle QA policy vs urgency of security issues - I can commit them if this is appropriate.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2008-07-09 06:15:08 UTC
ppc64 stable

[ fixed quoting, too ]
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-09 08:22:38 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-07-09 10:32:02 UTC
alpha/ia64/sparc stable
Comment 10 Richard Freeman gentoo-dev 2008-07-09 10:42:08 UTC
amd64 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-09 16:41:28 UTC
ppc stable
Comment 12 Guy Martin (RETIRED) gentoo-dev 2008-07-10 20:48:55 UTC
Stable on hppa.
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-11 18:26:34 UTC
GLSA 200807-08

thanks everyone
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2008-07-15 13:26:06 UTC
*** Bug 231832 has been marked as a duplicate of this bug. ***