Message-ID: <20111117184351.GA21076@openwall.com>
Date: Thu, 17 Nov 2011 22:43:51 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c

On Thu, Nov 17, 2011 at 10:13:41AM -0700, Vincent Danen wrote:
> Our bind maintainer believes that 9.3.6 is affected (but possibly harder
> to exploit or via a different vector).
>
> However, he does not believe that 9.2.x and earlier are affected due to
> the old DNSSEC implementation (so 9.2.x wouldn't understand current
> DNSSEC signatures so would not cache them).

Thanks for the info!

> Some further details can be found in our bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4313

This has Adam Tkac's comment about the patch for 9.3.x that I posted
yesterday:

"The patch is not 100% correct because 9.3.X version handles negative
rdatasets differently. The rbtdb.c part of the patch uses
RDATASET_ATTR_NEGATIVE attribute but this attribute is never set. However
the query.c part of the patch is correct and in my opinion it's sufficient
to prevent the crash."

This confirms my understanding that the changes to rbtdb.c were a no-op
in 9.3.x and it adds the opinion that the changes to query.c are both
needed and sufficient to prevent the crash.

So do we (distro vendors) choose to go ahead and release updates with
just those changes for now?

So far, I haven't heard a single report of 9.3.x crashing in the wild
(ours are running fine, too, but most of them are built without DNSSEC),
and several reports regarding newer versions crashing.

It's a pity that we do not have a reproducer even though the crashes are
happening in the wild.

Alexander