Message-ID: <20111117205517.GA21920@openwall.com>
Date: Fri, 18 Nov 2011 00:55:17 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c

Speaking of BIND 9.3.x:

On Thu, Nov 17, 2011 at 10:43:51PM +0400, Solar Designer wrote:
> So do we (distro vendors) choose to go ahead and release updates with
> just those changes for now?

Red Hat has just released an update for 9.3.6 in RHEL5:

https://rhn.redhat.com/errata/RHSA-2011-1458.html

bind-9.3.6-16.P1.el5_7.1.src.rpm

Meanwhile, per my further analysis, BIND 9.3.x's affected code in
query.c is only reached if the dnssec-enable option is set to yes,
regardless of whether the build of BIND includes full DNSSEC support
(is linked against OpenSSL) or not.

In 9.4.x+, it probably does not take "dnssec-enable yes" to make the
issue triggerable, because of the added query_addadditional2() function
with an extra instance of the assertion.  This extra function does not
have the same check for DNSSEC being enabled that query_addadditional()
does.  Here's query_addadditional()'s check in 9.3.x:

	if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
		return (ISC_R_SUCCESS);

where WANTDNSSEC() is:

#define WANTDNSSEC(c)           (((c)->attributes & \
                                  NS_CLIENTATTR_WANTDNSSEC) != 0)

where the NS_CLIENTATTR_WANTDNSSEC flag is set when:

	if (!client->view->enablednssec) {
		message->flags &= ~DNS_MESSAGEFLAG_CD;
		client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
	}
[...]
	if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
		client->attributes |= NS_CLIENTATTR_WANTDNSSEC;

where server.c sets:

	result = ns_config_get(maps, "dnssec-enable", &obj);
	INSIST(result == ISC_R_SUCCESS);
	view->enablednssec = cfg_obj_asboolean(obj);

I hope I am not misreading this.

Alexander
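
Added example (not part of the original message and not BIND code): since the analysis above ties reachability on 9.3.x to `view->enablednssec`, which server.c reads from `dnssec-enable`, this sketch reports the effective `dnssec-enable` value for the `options` block and each view of a named.conf. The function name, the sample configuration and the simplified parser (no `include` handling) are assumptions made for illustration; a view with no setting of its own is taken to inherit the `options` value.

```python
import re

# Tokeniser for named.conf; comment forms are matched first so they can be dropped.
TOKEN = re.compile(r'''/\*.*?\*/|//[^\n]*|\#[^\n]*|"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"]+''', re.S)
BOOL = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = '''
options {
    directory "/var/named";      // constructed sample
    # dnssec-enable yes;         (commented out, must be ignored)
    dnssec-enable no;
    forwarders { 192.0.2.1; };
};
view "internal" {
    match-clients { 10.0.0.0/8; };
    /* dnssec-enable no; */
    dnssec-enable yes;
};
view "external" in { match-clients { any; }; };
'''

def effective_dnssec_enable(conf_text):
    """Map each scope to True/False, or None when dnssec-enable is not set
    anywhere (the server then falls back to its built-in default)."""
    toks = [t for t in TOKEN.findall(conf_text) if not t.startswith(("/*", "//", "#"))]
    explicit, scope, depth, stmt = {}, None, 0, []
    for t in toks:
        if t == "{":
            if depth == 0 and stmt[:1] == ["options"]:
                scope = "options"
            elif depth == 0 and stmt[:1] == ["view"] and len(stmt) > 1:
                scope = "view " + stmt[1].strip('"')
            if depth == 0 and scope:
                explicit.setdefault(scope, None)
            depth, stmt = depth + 1, []
        elif t == "}":
            depth, stmt = depth - 1, []
            if depth == 0:
                scope = None
        elif t == ";":
            # Only statements directly inside options/view count, not nested blocks.
            if depth == 1 and scope and len(stmt) == 2 and stmt[0] == "dnssec-enable":
                explicit[scope] = BOOL.get(stmt[1].lower())
            stmt = []
        else:
            stmt.append(t)
    glob = explicit.setdefault("options", None)
    return {s: (v if v is not None else glob) for s, v in explicit.items()}

if __name__ == "__main__":
    for name, value in effective_dnssec_enable(SAMPLE_CONF).items():
        print(f"{name}: dnssec-enable = {value}")
```
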
