Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of bind9:
https://security-tracker.debian.org/tracker/CVE-2015-4620
I have already prepared a patched package, available for review and test
at the repository:
deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/
Please, tell me if you want to upload it by yourself, following the
workflow we have defined here:
http://wiki.debian.org/LTS/Development
Otherwise, I will upload it in the following couple of days.
Santiago Ruano Rincón,
on behalf of the Debian LTS team.
diff -u bind9-9.7.3.dfsg/lib/dns/validator.c bind9-9.7.3.dfsg/lib/dns/validator.c
--- bind9-9.7.3.dfsg/lib/dns/validator.c
+++ bind9-9.7.3.dfsg/lib/dns/validator.c
@@ -1775,7 +1775,6 @@
*/
static isc_boolean_t
isselfsigned(dns_validator_t *val) {
- dns_fixedname_t fixed;
dns_rdataset_t *rdataset, *sigrdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
@@ -1825,8 +1824,7 @@
continue;
result = dns_dnssec_verify2(name, rdataset, dstkey,
- ISC_TRUE, mctx, &sigrdata,
- dns_fixedname_name(&fixed));
+ ISC_TRUE, mctx, &sigrdata, NULL);
dst_key_free(&dstkey);
if (result != ISC_R_SUCCESS)
continue;
diff -u bind9-9.7.3.dfsg/debian/changelog bind9-9.7.3.dfsg/debian/changelog
--- bind9-9.7.3.dfsg/debian/changelog
+++ bind9-9.7.3.dfsg/debian/changelog
@@ -1,3 +1,12 @@
+bind9 (1:9.7.3.dfsg-1~squeeze15~1) santiago-squeeze-lts; urgency=medium
+
+ * Non-maintainer upload by the Squeeze LTS Team.
+ * CVE-2015-1349: avoid crash due to managed-key rollover.
+ Revoking a managed trust anchor and supplying an untrusted replacement
+ could cause named to crash with an assertion failure.
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net> Sat, 11 Jul 2015 09:28:06 +0200
+
bind9 (1:9.7.3.dfsg-1~squeeze14) squeeze-lts; urgency=high
* Non-maintainer upload by the Squeeze LTS Team.
only in patch2:
unchanged:
--- bind9-9.7.3.dfsg.orig/debian/patches-applied/CVE-2015-4620.patch
+++ bind9-9.7.3.dfsg/debian/patches-applied/CVE-2015-4620.patch
@@ -0,0 +1,27 @@
+Description: A uninitialized value in validator.c could result in a assertion failure (CVE-2015-4620).
+Origin: upstream, https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=a85c6b35affa7179434c41b277109dca2cbe01ec
+
+---
+
+diff --git a/lib/dns/validator.c b/lib/dns/validator.c
+index 9e8a057..cd97781 100644
+--- a/lib/dns/validator.c
++++ b/lib/dns/validator.c
+@@ -1775,7 +1775,6 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
+ */
+ static isc_boolean_t
+ isselfsigned(dns_validator_t *val) {
+- dns_fixedname_t fixed;
+ dns_rdataset_t *rdataset, *sigrdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+@@ -1825,8 +1824,7 @@ isselfsigned(dns_validator_t *val) {
+ continue;
+
+ result = dns_dnssec_verify2(name, rdataset, dstkey,
+- ISC_TRUE, mctx, &sigrdata,
+- dns_fixedname_name(&fixed));
++ ISC_TRUE, mctx, &sigrdata, NULL);
+ dst_key_free(&dstkey);
+ if (result != ISC_R_SUCCESS)
+ continue;
only in patch2:
unchanged:
--- bind9-9.7.3.dfsg.orig/debian/patches-applied/README
+++ bind9-9.7.3.dfsg/debian/patches-applied/README
@@ -0,0 +1,4 @@
+The patches included in this directory are not applied during build
+time. They have been applied directly to the source code since bind9
+1:9.7.3.dfsg-1~squeeze15 revision, and they are here for documentation
+purposes.
Attachment:
signature.asc
Description: Digital signature