Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 595340 (CVE-2016-2776) - <net-dns/bind-9.10.4_p3: DoS via assert (CVE-2016-2776)
Summary: <net-dns/bind-9.10.4_p3: DoS via assert (CVE-2016-2776)
Status: RESOLVED FIXED
Alias: CVE-2016-2776
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://kb.isc.org/article/AA-01419
Whiteboard: A3 [glsa cve]
Keywords:
: 595498 (view as bug list)
Depends on: CVE-2016-8864
Blocks:
  Show dependency tree
 
Reported: 2016-09-28 07:55 UTC by Hanno Böck
Modified: 2017-01-11 02:43 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2016-09-28 07:55:58 UTC
From
https://kb.isc.org/article/AA-01419
"Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response.  A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria.

This assertion can be triggered even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query')."

Fixed versions according to advisory:
BIND 9 version 9.9.9-P3
BIND 9 version 9.10.4-P3
BIND 9 version 9.11.0rc3
Comment 1 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2016-09-28 19:13:45 UTC
9.10.4_p3 has just been added. In case of stabilization please stabilize both, bind and bind-tools 9.10.4_p3.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2016-09-29 10:16:31 UTC
Arches, please stabilize: 
=net-dns/bind-9.10.4_p3
=net-dns/bind-tools-9.10.4_p3
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Tobias Klausmann gentoo-dev 2016-09-29 11:36:35 UTC
Stable on alpha.
Comment 4 Agostino Sarubbo gentoo-dev 2016-09-29 12:40:30 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-09-29 13:16:20 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-09-29 13:32:59 UTC
ia64 stable
Comment 7 Jeroen Roovers gentoo-dev 2016-09-30 14:52:39 UTC
Stable for HPPA PPC64.
Comment 8 Richard Freeman gentoo-dev 2016-10-03 13:38:41 UTC
amd64 stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 18:50:37 UTC
CVE-2016-2776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2776):
  buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3,
  and 9.11.x before 9.11.0rc3 does not properly construct responses, which
  allows remote attackers to cause a denial of service (assertion failure and
  daemon exit) via a crafted query.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 18:55:55 UTC
This issue was resolved and addressed in
 GLSA 201610-07 at https://security.gentoo.org/glsa/201610-07
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 11 Kristian Fiskerstrand gentoo-dev Security 2016-10-11 18:56:12 UTC
Reopening for completion of slacking arches
Comment 12 Robert R. Richter 2016-10-12 21:10:22 UTC
Please mark x86 as STABLE
Comment 13 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2016-10-14 21:17:05 UTC
*** Bug 595498 has been marked as a duplicate of this bug. ***
Comment 14 Robert R. Richter 2016-10-25 12:13:44 UTC
are there any reasons why x86 is not marked stable?
Comment 15 Agostino Sarubbo gentoo-dev 2016-11-20 13:46:10 UTC
x86 stable
Comment 16 Thomas Deutschmann gentoo-dev Security 2016-11-28 17:50:26 UTC
@ Arches, please continue in bug 598750.
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-11 02:43:56 UTC
Newer version already stable.  Will proceed in that bug.