triage of CVE-2025-40775/bind9
Hello Security Team,
Today I investigated CVE-2025-40775/bind9, which was initially marked as
<not-affected> for bookworm and bullseye. However, I believe that this
is incorrect.
Based on the description given in the upstream issue [0] (which is
linked from the fixing commit linked in the security tracker), I traced
the flow through the older code bases present in bookworm and bullseye. I
found that the abort in question appears to be reachable like this:
name.c:dns_name_toregion() -> REQUIRE() -> abort()
While the code looks very different from that of 9.20 (which is the
oldest backported fix from upstream), there still appears to be a path
through the code, when the tsig signature algorithm is invalid, that
will produce the behavior described in the CVE and which the upstream
commit addresses.
I have removed the <not-affected> tag referencing bullseye, and I
recommend that you do the same for the one referencing bookworm.
Regards,
-Roberto
[0] https://gitlab.isc.org/isc-projects/bind9/-/issues/5300
--
Roberto C. Sánchez