
squeeze update of bind9?



Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of bind9:
https://security-tracker.debian.org/tracker/CVE-2015-8000

This issue has already been fixed in other stable releases
and I'm attaching the debdiff of the wheezy version as a basis
for backporting it to the squeeze version (it applies without conflicts).

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
diff -u bind9-9.8.4.dfsg.P1/debian/changelog bind9-9.8.4.dfsg.P1/debian/changelog
--- bind9-9.8.4.dfsg.P1/debian/changelog
+++ bind9-9.8.4.dfsg.P1/debian/changelog
@@ -1,3 +1,13 @@
+bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u8) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Add patch to fix CVE-2015-8000.
+    CVE-2015-8000: Insufficient testing when parsing a message allowed
+    records with an incorrect class to be be accepted, triggering a REQUIRE
+    failure when those records were subsequently cached.
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 14 Dec 2015 20:09:13 +0100
+
 bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u7) wheezy-security; urgency=high
 
   * CVE-2015-5722: maliciously crafted DNSSEC key can cause named to crash.
diff -u bind9-9.8.4.dfsg.P1/lib/dns/resolver.c bind9-9.8.4.dfsg.P1/lib/dns/resolver.c
--- bind9-9.8.4.dfsg.P1/lib/dns/resolver.c
+++ bind9-9.8.4.dfsg.P1/lib/dns/resolver.c
@@ -6762,6 +6762,8 @@
 			goto done;
 	}
 
+    dns_message_setclass(message, fctx->res->rdclass);
+
 	result = dns_message_parse(message, &devent->buffer, 0);
 	if (result != ISC_R_SUCCESS) {
 		switch (result) {
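Review bot: The call added at `dns_message_setclass(message, fctx->res->rdclass);` is indented with four spaces while every neighbouring line uses a tab, so it will stand out in the file and in any later diff; it should carry a leading tab like the `result = dns_message_parse(...)` line below it. dns_message_setclass() asserts with REQUIRE that the message has not been parsed yet (state DNS_SECTION_ANY, class not yet set), so the call only holds if the message object is fresh or has been reset at this point — presumably it is, since it sits immediately before dns_message_parse(), but that is worth confirming against the code above the hunk. The enclosing function starts and ends outside the hunk.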
@@ -6841,6 +6843,12 @@
 	}
 
 
+	if (message->rdclass != fctx->res->rdclass) {
+		resend = ISC_TRUE;
+		FCTXTRACE("bad class");
+		goto done;
+	}
+
 	/*
 	 * Log the incoming packet.
 	 */
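Review bot: The new class check has no comment saying why a class mismatch leads to a resend, and it is the resolver-side half of the CVE-2015-8000 fix named in the changelog, so a reader of this file alone cannot tell it apart from an ordinary sanity check. A short comment above `if (message->rdclass != fctx->res->rdclass) {` such as `/* Reject a response whose class does not match the query (CVE-2015-8000); the parser-side checks live in message.c. */` would tie the two halves together. Note that the comparison is only meaningful because message->rdclass was seeded by dns_message_setclass() before parsing; without that earlier call a reply with no question section would not have a class to compare. The enclosing function starts and ends outside the hunk.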
only in patch2:
unchanged:
--- bind9-9.8.4.dfsg.P1.orig/lib/dns/message.c
+++ bind9-9.8.4.dfsg.P1/lib/dns/message.c
@@ -436,6 +436,8 @@
 	m->saved.base = NULL;
 	m->saved.length = 0;
 	m->free_saved = 0;
+	m->tkey = 0;
+	m->rdclass_set = 0;
 	m->querytsig = NULL;
 }
 
@@ -1084,13 +1086,19 @@
 		 * If this class is different than the one we already read,
 		 * this is an error.
 		 */
-		if (msg->state == DNS_SECTION_ANY) {
-			msg->state = DNS_SECTION_QUESTION;
+		if (msg->rdclass_set == 0) {
 			msg->rdclass = rdclass;
+			msg->rdclass_set = 1;
 		} else if (msg->rdclass != rdclass)
 			DO_FORMERR;
 
 		/*
+		 * Is this a TKEY query?
+		 */
+		if (rdtype == dns_rdatatype_tkey)
+			msg->tkey = 1;
+
+		/*
 		 * Can't ask the same question twice.
 		 */
 		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
@@ -1234,12 +1242,12 @@
 		 * If there was no question section, we may not yet have
 		 * established a class.  Do so now.
 		 */
-		if (msg->state == DNS_SECTION_ANY &&
+		if (msg->rdclass_set == 0 &&
 		    rdtype != dns_rdatatype_opt &&	/* class is UDP SIZE */
 		    rdtype != dns_rdatatype_tsig &&	/* class is ANY */
 		    rdtype != dns_rdatatype_tkey) {	/* class is undefined */
 			msg->rdclass = rdclass;
-			msg->state = DNS_SECTION_QUESTION;
+			msg->rdclass_set = 1;
 		}
 
 		/*
@@ -1249,7 +1257,7 @@
 		if (msg->opcode != dns_opcode_update
 		    && rdtype != dns_rdatatype_tsig
 		    && rdtype != dns_rdatatype_opt
-		    && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
+		    && rdtype != dns_rdatatype_key /* in a TKEY query */
 		    && rdtype != dns_rdatatype_sig /* SIG(0) */
 		    && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
 		    && msg->rdclass != dns_rdataclass_any
@@ -1257,6 +1265,16 @@
 			DO_FORMERR;
 
 		/*
+		 * If this is not a TKEY query/response then the KEY
+		 * record's class needs to match.
+		 */
+		if (msg->opcode != dns_opcode_update && !msg->tkey &&
+		    rdtype == dns_rdatatype_key &&
+		    msg->rdclass != dns_rdataclass_any &&
+		    msg->rdclass != rdclass)
+			DO_FORMERR;
+
+		/*
 		 * Special type handling for TSIG, OPT, and TKEY.
 		 */
 		if (rdtype == dns_rdatatype_tsig) {
@@ -1370,6 +1388,10 @@
 				skip_name_search = ISC_TRUE;
 				skip_type_search = ISC_TRUE;
 				issigzero = ISC_TRUE;
+			} else {
+				if (msg->rdclass != dns_rdataclass_any &&
+				    msg->rdclass != rdclass)
+					DO_FORMERR;
 			}
 		} else
 			covers = 0;
@@ -1601,6 +1623,7 @@
 	msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
 
 	msg->header_ok = 1;
+	msg->state = DNS_SECTION_QUESTION;
 
 	/*
 	 * -1 means no EDNS.
@@ -3449,3 +3472,15 @@
 	isc_buffer_putstr(target, opcodetext[opcode]);
 	return (ISC_R_SUCCESS);
 }
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+	REQUIRE(msg->state == DNS_SECTION_ANY);
+	REQUIRE(msg->rdclass_set == 0);
+
+	msg->rdclass = rdclass;
+	msg->rdclass_set = 1;
+}
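Review bot: The new dns_message_setclass() has no comment in the .c file stating its ordering contract, although the REQUIRE on `msg->state == DNS_SECTION_ANY` and `msg->rdclass_set == 0` means calling it after parsing has begun, or calling it twice, is a fatal assertion rather than a recoverable error. A one-line comment above the definition, `/* Must be called before dns_message_parse() and at most once per (re)initialised message. */`, would make that visible to future callers. The empty line directly after the opening brace also looks out of place next to the other definitions in this file and can be dropped.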
only in patch2:
unchanged:
--- bind9-9.8.4.dfsg.P1.orig/lib/dns/xfrin.c
+++ bind9-9.8.4.dfsg.P1/lib/dns/xfrin.c
@@ -1233,6 +1233,8 @@
 	msg->tsigctx = xfr->tsigctx;
 	xfr->tsigctx = NULL;
 
+	dns_message_setclass(msg, xfr->rdclass);
+
 	if (xfr->nmsg > 0)
 		msg->tcp_continuation = 1;
 
only in patch2:
unchanged:
--- bind9-9.8.4.dfsg.P1.orig/lib/dns/include/dns/message.h
+++ bind9-9.8.4.dfsg.P1/lib/dns/include/dns/message.h
@@ -210,6 +210,8 @@
 	unsigned int			verify_attempted : 1;
 	unsigned int			free_query : 1;
 	unsigned int			free_saved : 1;
+	unsigned int			tkey : 1;
+	unsigned int			rdclass_set : 1;
 
 	unsigned int			opt_reserved;
 	unsigned int			sig_reserved;
@@ -1350,6 +1352,15 @@
  *\li	msg be a valid message.
  */
 
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
+/*%<
+ * Set the expected class of records in the response.
+ *
+ * Requires:
+ * \li   msg be a valid message with parsing intent.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_MESSAGE_H */
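Review bot: The Requires block for dns_message_setclass() lists only "msg be a valid message with parsing intent", but the implementation additionally asserts that parsing has not yet started and that the class has not already been set, and a violation aborts via REQUIRE. The header comment should state both, e.g. add `* \li   dns_message_parse() has not yet been called on msg.` and `* \li   the class of msg has not already been set.` under the existing entry. The `\li` entry at `* \li   msg be a valid message with parsing intent.` also uses spaces where the adjacent entries in this header use a tab, so matching that would keep the rendered documentation consistent.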
