Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 595340 (CVE-2016-2776)

Summary: <net-dns/bind-9.10.4_p3: DoS via assert (CVE-2016-2776)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: duncan, idl0r, vk-gentoo-bugs, yamada
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://kb.isc.org/article/AA-01419
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 598750    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2016-09-28 07:55:58 UTC 
From
https://kb.isc.org/article/AA-01419
"Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response.  A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria.

This assertion can be triggered even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query')."

Fixed versions according to advisory:
BIND 9 version 9.9.9-P3
BIND 9 version 9.10.4-P3
BIND 9 version 9.11.0rc3
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2016-09-28 19:13:45 UTC 
9.10.4_p3 has just been added. In case of stabilization please stabilize both, bind and bind-tools 9.10.4_p3.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-09-29 10:16:31 UTC 
Arches, please stabilize: 
=net-dns/bind-9.10.4_p3
=net-dns/bind-tools-9.10.4_p3
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-29 11:36:35 UTC 
Stable on alpha.
Comment 4 Agostino Sarubbo gentoo-dev 2016-09-29 12:40:30 UTC 
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-09-29 13:16:20 UTC 
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-09-29 13:32:59 UTC 
ia64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-30 14:52:39 UTC 
Stable for HPPA PPC64.
Comment 8 Richard Freeman gentoo-dev 2016-10-03 13:38:41 UTC 
amd64 stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 18:50:37 UTC 
CVE-2016-2776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2776):
  buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3,
  and 9.11.x before 9.11.0rc3 does not properly construct responses, which
  allows remote attackers to cause a denial of service (assertion failure and
  daemon exit) via a crafted query.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 18:55:55 UTC 
This issue was resolved and addressed in
 GLSA 201610-07 at https://security.gentoo.org/glsa/201610-07
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-10-11 18:56:12 UTC 
Reopening for completion of slacking arches
Comment 12 Robert R. Richter 2016-10-12 21:10:22 UTC 
Please mark x86 as STABLE
Comment 13 Christian Ruppert (idl0r) gentoo-dev 2016-10-14 21:17:05 UTC 
*** Bug 595498 has been marked as a duplicate of this bug. ***
Comment 14 Robert R. Richter 2016-10-25 12:13:44 UTC 
are there any reasons why x86 is not marked stable?
Comment 15 Agostino Sarubbo gentoo-dev 2016-11-20 13:46:10 UTC 
x86 stable
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-28 17:50:26 UTC 
@ Arches, please continue in bug 598750.
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2017-01-11 02:43:56 UTC 
Newer version already stable.  Will proceed in that bug.