Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 572414 (CVE-2015-8704, cve-2015-8705) - <net-dns/bind{,-tools}-9.10.3_p4: Specific APL data could trigger an INSIST in apl_42.c causing BIND named to exit (CVE-2015-{8704,8705})
Summary: <net-dns/bind{,-tools}-9.10.3_p4: Specific APL data could trigger an INSIST i...
Status: RESOLVED FIXED
Alias: CVE-2015-8704, cve-2015-8705
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-20 08:18 UTC by Agostino Sarubbo
Modified: 2016-10-11 18:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-01-20 08:18:16 UTC
From ${URL} :

CVE:                   CVE-2015-8704
Document Version:      2.0
Posting date:          19 January 2016
Program Impacted:      BIND
Versions affected:     9.3.0->9.8.8, 9.9.0->9.9.8-P2,
                       9.9.3-S1->9.9.8-S3, 9.10.0->9.10.3-P2
Severity:              High
Exploitable:           Remotely

Description:

   A buffer size check used to guard against overflow could cause
   named to exit with an INSIST failure In apl_42.c.

Impact:

   A server could exit due to an INSIST failure in apl_42.c when
   performing certain string formatting operations.  Examples include
   (but may not be limited to):

    -  Slaves using text-format db files could be vulnerable if
       receiving a malformed record in a zone transfer from their master.

    -  Masters using text-format db files could be vulnerable if
       they accept a malformed record in a DDNS update message.

    -  Recursive resolvers are potentially vulnerable when debug
       logging, if they are fed a deliberately malformed record by
       a malicious server.

    -  A server which has cached a specially constructed record
       could encounter this condition while performing 'rndc dumpdb'.

Please Note:

   Versions of BIND from 9.3 through 9.8 are also affected, but
   these branches are beyond their "end of life" (EOL) and no longer
   receive testing or security fixes from ISC. For current information
   on which versions are actively supported, please see
   http://www.isc.org/downloads/.

CVSS Score:            6.8
CVSS Vector:           (AV:N/AC:L/Au:S/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:C)

Workarounds:

   None

Active exploits:

   No known active exploits.

Solution:

   Upgrade to the patched release most closely related to your
   current version of BIND.  These can all be downloaded from
   http://www.isc.org/downloads.

    -  BIND 9 version 9.9.8-P3
    -  BIND 9 version 9.10.3-P3

   BIND 9 Supported Preview edition is a feature preview version
   of BIND provided exclusively to eligible ISC Support customers.

    -  BIND 9 version 9.9.8-S4


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2016-01-20 18:57:28 UTC
net-dns/bind-9.10.3_p3 has just been added.
Comment 2 Agostino Sarubbo gentoo-dev 2016-01-21 08:13:10 UTC
(In reply to Christian Ruppert (idl0r) from comment #1)
> net-dns/bind-9.10.3_p3 has just been added.

do we need to stabilize also a newer bind-tools?
Comment 3 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2016-01-30 18:46:57 UTC
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Christian Ruppert (idl0r) from comment #1)
> > net-dns/bind-9.10.3_p3 has just been added.
> 
> do we need to stabilize also a newer bind-tools?

Not this time. Thanks!
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-11 10:54:00 UTC
Added to existing GLSA.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-07-11 10:54:28 UTC
CVE-2015-8705 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8705):
  buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logging is
  enabled, allows remote attackers to cause a denial of service (REQUIRE
  assertion failure and daemon exit, or daemon crash) or possibly have
  unspecified other impact via (1) OPT data or (2) an ECS option.

CVE-2015-8704 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8704):
  apl_42.c in ISC BIND 9.x before 9.9.8-P3 and 9.9.x and 9.10.x before
  9.10.3-P3 allows remote authenticated users to cause a denial of service
  (INSIST assertion failure and daemon exit) via a malformed Address Prefix
  List (APL) record.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 18:55:25 UTC
This issue was resolved and addressed in
 GLSA 201610-07 at https://security.gentoo.org/glsa/201610-07
by GLSA coordinator Kristian Fiskerstrand (K_F).