Bug 738250 (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624)

Summary:	<net-dns/bind-9.16.6: Multiple vulnerabilities (CVE-2020-{8620,8621,8622,8623,8624)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	ajak, austin.m.english, chutzpah, idl0r, ole+gentoo, zlogene
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://lists.isc.org/pipermail/bind-announce/2020-August/001162.html
Whiteboard:	A3 [glsa+ cve]
Package list:	net-dns/bind-9.16.6 amd64 arm arm64 ppc ppc64 sparc x86 net-dns/bind-tools-9.16.6	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	736709

Description Sam James archtester

2020-08-20 18:41:54 UTC

* CVE-2020-8620

Description:
"In versions of BIND that use the libuv network manager (9.16.x is the only stable branch affected) an incorrectly specified maximum buffer size allows a specially crafted large TCP payload to trigger an assertion failure when it is received."

URL: https://kb.isc.org/docs/cve-2020-8620

* CVE-2020-8621

Description:
"While query forwarding and QNAME minimization are mutually incompatible, BIND did sometimes allow QNAME minimization when continuing with recursion after 'forward first' did not result in an answer. In these cases the data used by QNAME minimization might be inconsistent, leading to an assertion failure, causing the server to exit."

URL: https://kb.isc.org/docs/cve-2020-8621

* CVE-2020-8622

Description:
"Attempting to verify a truncated response to a TSIG-signed request leads to an assertion failure."

URL: https://kb.isc.org/docs/cve-2020-8622

* CVE-2020-8623

Description:
"If BIND is built with "--enable-native-pkcs11" then a specially crafted query for a zone signed with RSA can trigger an assertion failure."

URL: https://kb.isc.org/docs/cve-2020-8623

* CVE-2020-8624

Description:
"Change 4885 inadvertently caused "update-policy" rules of type "subdomain" to be treated as if they were of type "zonesub", allowing updates to all parts of the zone along with the intended subdomain."

URL: https://kb.isc.org/docs/cve-2020-8624

Comment 1 Sam James archtester

2020-08-20 18:42:44 UTC

Please bump to 9.16.6. Not sure if 9.14 is still supported?

Comment 2 Larry the Git Cow gentoo-dev

2020-08-21 18:56:22 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8b03442b587308a6f6a38f5cb47bd5c6df64f1c

commit e8b03442b587308a6f6a38f5cb47bd5c6df64f1c
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-08-21 18:54:29 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-08-21 18:56:14 +0000

    net-dns/bind-tools-9.16.6: Version bump (bug 738250)
    
    Also add myself to metadata.xml
    
    Bug: https://bugs.gentoo.org/738250
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-dns/bind-tools/Manifest                 |   1 +
 net-dns/bind-tools/bind-tools-9.16.6.ebuild | 149 ++++++++++++++++++++++++++++
 net-dns/bind-tools/metadata.xml             |   4 +
 3 files changed, 154 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12ad14e5a4e4a40b0d847aa573743ef108d08410

commit 12ad14e5a4e4a40b0d847aa573743ef108d08410
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-08-21 18:52:20 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-08-21 18:56:14 +0000

    net-dns/bind-9.16.6: Bump (bug 738250), rework python, GLEP 81
    
    This supports installing for multiple python implementations, as well as
    a security version bump.
    
    - Move to GLEP 81 (bug #701262)
    - Add myself to metadata.xml
    
    Bug: https://bugs.gentoo.org/738250
    Bug: https://bugs.gentoo.org/701262
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-dns/bind/Manifest           |   1 +
 net-dns/bind/bind-9.16.6.ebuild | 373 ++++++++++++++++++++++++++++++++++++++++
 net-dns/bind/metadata.xml       |   4 +
 3 files changed, 378 insertions(+)

Comment 3 Sam James archtester

2020-08-21 21:17:25 UTC

Tell us when ready to stable, thanks!

Nothing here [0] looks particularly worrisome but upstream have changed other things in security releases before, so I guess a day or two is not a bad idea.

[0] https://downloads.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6

Comment 4 Sam James archtester

2020-08-24 17:27:47 UTC

x86 done

Comment 5 Sam James archtester

2020-08-24 23:56:14 UTC

arm64 done

Comment 6 Sam James archtester

2020-08-25 10:30:32 UTC

arm done

Comment 7 Sam James archtester

2020-08-25 12:15:50 UTC

amd64 done

Comment 8 Sam James archtester

2020-08-25 19:41:10 UTC

sparc done

Comment 9 Sam James archtester

2020-08-25 19:56:35 UTC

ppc64 done

Comment 10 Rolf Eike Beer archtester

2020-08-28 17:40:41 UTC

hppa stable

Comment 11 Mikle Kolyada (RETIRED) archtester

2020-08-29 08:31:06 UTC

ppc stable; cleanup done.

Comment 12 John Helmert III archtester

2020-08-29 20:46:09 UTC

A3 -> glsa.

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2020-08-29 22:13:09 UTC

This issue was resolved and addressed in
 GLSA 202008-19 at https://security.gentoo.org/glsa/202008-19
by GLSA coordinator Sam James (sam_c).