
Bug 347621 (CVE-2010-3613)

Summary: <net-dns/bind-{9.6.2_p3-r1,9.7.2_p3-r1}: Multiple vulnerabilities (CVE-2010-{3613,3614,3615})
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: barzog, boss.gentoo, hanno, idl0r
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.isc.org/advisories
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 337638    
Bug Blocks:    

Description Tim Sammut (RETIRED) gentoo-dev 2010-12-03 07:15:05 UTC
From $URL:

<--

BIND: allow-query processed incorrectly
Summary: Using "allow-query" in the "options" or "view" statements to restrict access to authoritative zones has no effect.
CVE: CVE-2010-3615
CERT: VU#510208
Posting date: 01 Dec 2010
Program Impacted: BIND
Versions affected: 9.7.2-P2
Severity: High
Exploitable: remotely

BIND: cache incorrectly allows a ncache entry and a rrsig for the same type
Summary: Failure to clear existing RRSIG records when a NO DATA is negatively cached could cause subsequent lookups to crash named.
CVE: CVE-2010-3613
CERT: VU#706148
Posting date: 01 Dec 2010
Program Impacted: BIND
Versions affected: 9.6.2 - 9.6.2-P2, 9.6-ESV - 9.6-ESV-R2, 9.7.0 - 9.7.2-P2
Severity: High
Exploitable: remotely

BIND: Key algorithm rollover bug in bind9
Summary: named (acting as DNSSEC validating resolver) could incorrectly mark zone data as insecure when the zone being queried is undergoing a key algorithm rollover.
CVE: CVE-2010-3614
CERT: VU#837744
Posting date: 01 Dec 2010
Program Impacted: BIND
Versions affected: 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, 9.6-ESV to 9.6-ESV-R2
Severity: Low
Exploitable: remotely

<--

Fixed versions for 9.6.x and 9.7.x are already in the tree. I believe the 9.4.x ebuilds should be replaced with an ebuild based on BIND 9.4-ESV-R4.
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2010-12-03 18:20:09 UTC
(In reply to comment #0)
> I believe the 9.4.x
> ebuilds should be replaced with an ebuild based on BIND 9.4-ESV-R4.
> 

To be honest... I'm not sure how to version it properly.
I'd like to stabilize bind-9.6.2_p3-r1 and bind-9.4.3_p5-r3 soonish and get rid of 9.4 instead. It seems they dropped support for 9.4 except for security updates, like in this case. It's no longer listed at their download page, just left in their "archive".
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-12-03 21:49:53 UTC
(In reply to comment #1)
> I'd like to stabilize bind-9.6.2_p3-r1 and bind-9.4.3_p5-r3 soonish and get a
> rid of 9.4 instead. 
> 

I am a little confused. You just added:

*bind-9.7.2_p3-r1 (03 Dec 2010)
*bind-9.6.2_p3-r1 (03 Dec 2010)
*bind-9.4.3_p5-r3 (03 Dec 2010) 

We should stabilize bind-9.7.2_p3-r1 and bind-9.6.2_p3-r1 on amd64 since the current stable versions are vulnerable. 

Do you want to stabilize bind-9.4.3_p5-r3 on all stable archs? Or remove 9.4.* from the tree and stabilize bind-9.7.2_p3-r1 on all archs? Or, something else. ;)
Comment 3 Christian Ruppert (idl0r) gentoo-dev 2010-12-03 22:23:01 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > I'd like to stabilize bind-9.6.2_p3-r1 and bind-9.4.3_p5-r3 soonish and get a
> > rid of 9.4 instead. 
> > 
> 
> I am a little confused. You just added:
> 
> *bind-9.7.2_p3-r1 (03 Dec 2010)
> *bind-9.6.2_p3-r1 (03 Dec 2010)
> *bind-9.4.3_p5-r3 (03 Dec 2010) 
> 
> We should stabilize bind-9.7.2_p3-r1 and bind-9.6.2_p3-r1 on amd64 since the
> current stable versions are vulnerable. 
> 
> Do you want to stabilize bind-9.4.3_p5-r3 on all stable archs? Or remove 9.4.*
> from the tree and stabilize bind-9.7.2_p3-r1 on all archs? Or, something else.
> ;)
> 

Ignore 9.4 there :P
I'd like to stabilize bind-9.6.2_p3-r1 *and* bind-9.7.2_p3-r1 on all arches and then remove 9.4 from the tree.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2010-12-03 22:37:10 UTC
(In reply to comment #3)
> 
> Ignore 9.4 there :P
> I'd like to stabilize bind-9.6.2_p3-r1 *and* bind-9.7.2_p3-r1 on all arches
> and then remove 9.4 from the tree.
> 

Great, thanks.

Arches, please test and mark stable:
=net-dns/bind-9.7.2_p3-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

=net-dns/bind-9.6.2_p3-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-12-04 10:08:31 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-04 17:30:09 UTC
Stable for HPPA PPC.
Comment 7 Richard Freeman gentoo-dev 2010-12-04 17:44:39 UTC
9.7.2 is amd64 stable - have not tested 9.6.2
Comment 8 Agostino Sarubbo gentoo-dev 2010-12-04 20:00:45 UTC
checking for ODBC DLZ driver... not found
configure: error: ODBC headers were not found in any of /usr /usr/local /usr/pkg; use --with-dlz-odbc=/path

!!! Please attach the following file when seeking support:
!!! /tmp/portage/net-dns/bind-9.6.2_p3-r1/work/bind-9.6.2-P3/config.log
 * ERROR: net-dns/bind-9.6.2_p3-r1 failed:
 *   econf failed
 * 
 * Call stack:
 *     ebuild.sh, line   56:  Called src_configure
 *   environment, line 3366:  Called econf '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--with-openssl' '--with-idn' '--enable-ipv6' '--with-libxml2' '--with-gssapi' '--with-dlz-filesystem' '--with-dlz-stub' '--with-dlz-postgres' '--with-dlz-mysql' '--with-dlz-bdb' '--with-dlz-ldap' '--with-dlz-odbc' '--disable-linux-caps' '--disable-threads' '--with-randomdev=/dev/urandom' '--with-geoip


Can someone else, with +odbc, reproduce it?
Comment 9 Alex Buell 2010-12-04 22:24:05 UTC
Tested on SPARC, works. Stabilisation would be good. 
Comment 10 Christian Ruppert (idl0r) gentoo-dev 2010-12-04 22:25:36 UTC
(In reply to comment #8)
> checking for ODBC DLZ driver... not found
> configure: error: ODBC headers were not found in any of /usr /usr/local
> /usr/pkg; use --with-dlz-odbc=/path
> 
> !!! Please attach the following file when seeking support:
> !!! /tmp/portage/net-dns/bind-9.6.2_p3-r1/work/bind-9.6.2-P3/config.log
>  * ERROR: net-dns/bind-9.6.2_p3-r1 failed:
>  *   econf failed
>  * 
>  * Call stack:
>  *     ebuild.sh, line   56:  Called src_configure
>  *   environment, line 3366:  Called econf '--sysconfdir=/etc/bind'
> '--localstatedir=/var' '--with-libtool' '--with-openssl' '--with-idn'
> '--enable-ipv6' '--with-libxml2' '--with-gssapi' '--with-dlz-filesystem'
> '--with-dlz-stub' '--with-dlz-postgres' '--with-dlz-mysql' '--with-dlz-bdb'
> '--with-dlz-ldap' '--with-dlz-odbc' '--disable-linux-caps' '--disable-threads'
> '--with-randomdev=/dev/urandom' '--with-geoip
> 
> 
> someone else, with +odbc, can reproduce it?
> 

Works for me with both versions.
Comment 11 Markus Meier gentoo-dev 2010-12-08 16:50:17 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2010-12-08 21:21:36 UTC
(In reply to comment #10)
> 
> Works for me with both versions.
> 


Tested in a new clean installation, same problem. It does not work for me on amd64.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2010-12-19 17:12:22 UTC
alpha/ia64/s390/sh/sparc stable
Comment 14 Brent Baude (RETIRED) gentoo-dev 2010-12-27 14:43:32 UTC
ppc64 done
Comment 15 Markos Chandras (RETIRED) gentoo-dev 2010-12-29 10:45:33 UTC
amd64 done
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2010-12-31 08:51:22 UTC
Thank you, folks.

GLSA Vote: Yes, remote DoS (CVE-2010-3613).
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:54:45 UTC
Yes, GLSA request filed.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-06-02 13:59:46 UTC
This issue was resolved and addressed in
 GLSA 201206-01 at http://security.gentoo.org/glsa/glsa-201206-01.xml
by GLSA coordinator Stefan Behte (craig).
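
The bug summary marks everything below `bind-9.6.2_p3-r1` and `bind-9.7.2_p3-r1` as affected. The following is an added example (not part of the bug report and not Portage code) that triages a list of installed `net-dns/bind` versions against those two fixed ebuilds, branch by branch. The version ordering is a simplified form of Gentoo's rules, and the host names, inventory and function names are constructed for illustration.

```python
import re

# Fixed ebuilds named in this bug's summary, keyed by upstream branch.
FIXED = {(9, 6): "9.6.2_p3-r1", (9, 7): "9.7.2_p3-r1"}

# Simplified Gentoo ordering: pre-release suffixes sort before the plain
# release, _p after it; -rN is the ebuild revision. One suffix only.
_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}
_VER = re.compile(
    r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$"
)

def parse(version):
    """Return a sortable key: (numeric parts, suffix rank, suffix no., revision)."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    return nums, _RANK[m.group(2)], int(m.group(3) or 0), int(m.group(4) or 0)

def status(version):
    """'needs-upgrade' if below the fixed ebuild of its branch, 'ok' if at or
    above it, 'unknown' if the bug summary names no fixed ebuild for the branch."""
    key = parse(version)
    fixed = FIXED.get(key[0][:2])
    if fixed is None:
        return "unknown"
    # Compare only within one branch: a fixed 9.6 ebuild still sorts below
    # an unfixed 9.7 one, so a single global threshold would misreport it.
    return "needs-upgrade" if key < parse(fixed) else "ok"

def triage(installed):
    """Map each host to the status of its installed bind version."""
    return {host: status(ver) for host, ver in installed.items()}

# Constructed inventory (host -> installed net-dns/bind version).
INVENTORY = {
    "ns1": "9.7.2_p2",
    "ns2": "9.7.2_p3-r1",
    "ns3": "9.6.2_p3",
    "ns4": "9.4.3_p5-r3",
}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} -> {result}")
```

The 9.4 branch is reported as `unknown` because the bug summary lists no fixed ebuild for it.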