Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 254134 (CVE-2009-0025) - net-dns/bind <9.4.3_p1 incorrect checks for malformed DSA signatures (CVE-2009-0025)
Summary: net-dns/bind <9.4.3_p1 incorrect checks for malformed DSA signatures (CVE-200...
Status: RESOLVED FIXED
Alias: CVE-2009-0025
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://groups.google.com/group/comp.p...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-01-07 18:34 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-10 11:35 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-01-07 18:34:17 UTC
BIND uses the OpenSSL DSA_verify function and incorrectly checks the return code,
code, refer to bug 251346 for details.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-07 18:40:04 UTC
According to oCERT, this was fixed in 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1. Can't connect to isc.org to check though.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-07 18:46:44 UTC
(In reply to comment #1)
> According to oCERT, this was fixed in 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1.
> Can't connect to isc.org to check though.
> 

I'll quickly bump to 9.4.3_p1, 9.5.1_p1 and 9.6.0_p1 will follow.

from: ftp://ftp.isc.org/isc/bind9/9.4.3-P1/9.4.3-P1

		BIND 9.4.3-P1 is now available.

BIND 9.4.3-P1 is a SECURITY patch for BIND 9.4.3.  It addresses a bug
in which return values from some OpenSSL functions were left unchecked,
making it theoretically possible to spoof answers from some signed
zones.

	Bugs should be reported to bind9-bugs@isc.org.

BIND 9.4.3-P1 can be downloaded from

	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz

The PGP signature of the distribution is at

	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <http://www.isc.org/ISC/isckey.txt>.

A binary kit for Windows XP and Window 2003 is at

	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip

The PGP signature of the binary kit for Windows XP and Window 2003 is at
	
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.sha512.asc

Changes since 9.4.3:

2522.	[security]	Handle -1 from DSA_do_verify().

2498.	[bug]		Removed a bogus function argument used with
			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
			warning or crash named with the debug 1 level
			of logging. [RT #18917]

Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-07 19:20:03 UTC
9.4.3_p1 is inCVS.

Candidates for stabilization:
=net-dns/bind-9.4.3_p1
=net-dns/bind-tools-9.4.3_p1
Comment 4 Guy Martin (RETIRED) gentoo-dev 2009-01-08 15:48:36 UTC
both stable on hppa
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-01-08 16:25:23 UTC
ppc64 done
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-09 16:22:36 UTC
ppc stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2009-01-09 21:06:47 UTC
Both stable on alpha.
Comment 8 Markus Meier gentoo-dev 2009-01-10 10:04:09 UTC
amd64/x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-01-10 16:52:11 UTC
ia64/sparc stable
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-10 18:17:59 UTC
Ready to vote, I vote YES.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 17:55:11 UTC
voting yes too, request filed.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-03-09 13:10:24 UTC
GLSA 200903-14