
Bug 568982 (CVE-2015-8000)

Summary: <net-dns/bind{,-tools}-9.10.3_p2: two vulnerabilities (CVE-2015-{8000,8461})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: idl0r
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-12-21 11:35:16 UTC
From http://www.openwall.com/lists/oss-security/2015/12/15/15:

CVE:                CVE-2015-8461
Document Version:   2.0
Posting date:       15 December 2015
Program Impacted:   BIND
Versions affected:  9.9.8 -> 9.9.8-P1, 9.9.8-S1 -> 9.9.8-S2, 9.10.3 -> 9.10.3-P1
Severity:           Medium
Exploitable:        Remotely

Description:

   Beginning with the September 2015 maintenance releases 9.9.8 and
   9.10.3, an error was introduced into BIND 9 which can cause a
   server to exit after encountering an INSIST assertion failure
   in resolver.c.

Impact:

   An uncommonly occurring condition can cause affected servers to
   exit with an INSIST failure depending on the outcome of a race
   condition in resolver.c. While difficult to exploit reliably, a
   malicious party could, through deliberate behavior, significantly
   increase the probability of encountering the triggering condition,
   resulting in denial-of-service to clients if successful.

CVSS Score:         5.4
CVSS Vector:        (AV:N/AC:H/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:N/A:C)

Workarounds:        None.
Active exploits:    None known.

Solution:

   Upgrade to the patched release most closely related to your
   current version of BIND. Public open-source branches can be
   downloaded from http://www.isc.org/downloads.

     BIND 9 version 9.9.8-P2
     BIND 9 version 9.10.3-P2




From http://www.openwall.com/lists/oss-security/2015/12/15/14:

CVE:                CVE-2015-8000
Document Version:   2.0
Posting date:       15 December 2015
Program Impacted:   BIND
Versions affected:  9.0.x -> 9.9.8, 9.10.0 -> 9.10.3
Severity:           Critical
Exploitable:        Remotely

Description:

   An error in the parsing of incoming responses allows some records
   with an incorrect class to be accepted by BIND instead of
   being rejected as malformed.  This can trigger a REQUIRE assertion
   failure when those records are subsequently cached. Intentional
   exploitation of this condition is possible and could be used as
   a denial-of-service vector against servers performing recursive
   queries.

Impact:

   An attacker who can cause a server to request a record with a
   malformed class attribute can use this bug to trigger a REQUIRE
   assertion in db.c, causing named to exit and denying service to
   clients.  The risk to recursive servers is high. Authoritative
   servers are at limited risk if they perform authentication when
   making recursive queries to resolve addresses for servers listed
   in NS RRSETs.

CVSS Score:         7.1
CVSS Vector:        (AV:N/AC:M/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:C)

Workarounds:        None.
Active exploits:    No known active exploits.

Solution:

   Upgrade to the patched release most closely related to your
   current version of BIND. Public open-source branches can be
   downloaded from http://www.isc.org/downloads.

     BIND 9 version 9.9.8-P2
     BIND 9 version 9.10.3-P2



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2015-12-27 19:43:18 UTC
net-dns/bind-9.10.3_p2 and net-dns/bind-tools-9.10.3_p2 have been added. Please stabilize both together, net-dns/bind and net-dns/bind-tools, if you'd like to stabilize the fixed version.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-31 07:40:28 UTC
Arches, please test and mark stable:

=net-dns/bind-9.10.3_p2
=net-dns/bind-tools-9.10.3_p2

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
Comment 3 Craig Inches 2016-01-01 00:40:31 UTC
Depends on =dev-libs/libressl-2.2.5 which is ~amd64 

[ebuild   R   ~] net-dns/bind-tools-9.10.3_p2::gentoo  USE="ipv6 libressl* readline seccomp ssl -doc -gost -gssapi -idn -urandom -xml" 0 KiB
Comment 4 Jeroen Roovers gentoo-dev 2016-01-02 07:24:15 UTC
Stable for HPPA PPC64.
Comment 5 Jeroen Roovers gentoo-dev 2016-01-02 07:26:04 UTC
(In reply to Craig Inches from comment #3)
> Depends on =dev-libs/libressl-2.2.5 which is ~amd64 

That's why it's masked in profiles/base/use.stable.mask, so it doesn't matter.
Comment 6 Craig Inches 2016-01-02 07:53:21 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Craig Inches from comment #3)
> > Depends on =dev-libs/libressl-2.2.5 which is ~amd64 
> 
> That's why it's masked in profiles/base/use.stable.mask, so it doesn't
> matter.

Then AMD64 OK
Comment 7 Richard Freeman gentoo-dev 2016-01-02 14:22:10 UTC
amd64 stable
Comment 8 Andreas Schürch gentoo-dev 2016-01-07 17:20:56 UTC
x86 done
Comment 9 Markus Meier gentoo-dev 2016-01-07 20:23:46 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-01-09 07:10:19 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-01-10 11:22:46 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-01-11 09:56:33 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-01-17 17:25:15 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-30 09:33:42 UTC
@maintainer(s), please cleanup the vulnerable versions.
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-06 03:44:33 UTC
=net-dns/bind-tools-9.10.1_p1 remains in the tree.  Unsupported arches remain unstable for 9.10.1_p2.  Please let us know if you can clean or need to stabilize the remaining arches.