Re: triage of CVE-2025-40775/bind9
Hi,
Let's loop in Ondrej here.
On Fri, Jun 20, 2025 at 05:56:48PM -0400, Roberto C. Sánchez wrote:
> Hello Security Team,
>
> Today I investigated CVE-2025-40775/bind9, which was initially marked as
> <not-affected> for bookworm and bullseye. However, I believe that this
> is incorrect.
>
> Based on the description given in the upstream issue [0] (which is
> linked from the fixing commit linked in the security tracker), I traced
> the flow through the older code bases present in bookworm and bullseye. I
> found that the abort in question appears to be reachable like this:
>
> name.c:dns_name_toregion() -> REQUIRE() -> abort()
>
> While the code looks very different from that of 9.20 (which is the
> oldest backported fix from upstream), there still appears to be a path
> through the code, when the tsig signature algorithm is invalid, that
> will produce the behavior described in the CVE and which the upstream
> commit addresses.
>
> I have removed the <not-affected> tag referencing bullseye, and I
> recommend that you do the same for the one referencing bookworm.
Ondrej, I remember that when we discussed CVE-2025-40775 back around the end
of May, we basically reached the conclusion that it is not an issue for the
older series, as it is purely a 9.20 issue introduced during
refactoring.
In light of the above from Roberto, is that still the correct
assessment?
Regards,
Salvatore
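As an added illustration of the failure mode Roberto describes (this is not code from the thread or from BIND itself), the C model below shows the general shape of an "assertion reachable from network input" bug: an ISC-style REQUIRE() precondition in a library function, reached with a name that a failed TSIG algorithm lookup left NULL, becomes a process abort, while a caller-side validity check turns the same input into an ordinary error return. Every name here (toy_name_toregion, lookup_alg, tsig_alg_region_unchecked, tsig_alg_region_checked, run_trapped) and the algorithm table are invented for the example; the assertion-callback hook is assumed to resemble ISC's isc_assertion_setcallback() only in shape, so the aborting path can be exercised in a test without killing the process.

```c
/*
 * Added example, not BIND code: an input-driven REQUIRE() as a remote
 * crash, and the caller-side check that keeps invalid input from reaching it.
 */
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical assertion plumbing modelled on ISC's REQUIRE(): on failure the
 * installed callback runs; the default callback aborts the process. */
typedef void (*assert_cb)(const char *cond, const char *file, int line);

static void default_assert_cb(const char *cond, const char *file, int line) {
    fprintf(stderr, "%s:%d: REQUIRE(%s) failed\n", file, line, cond);
    abort();
}
static assert_cb current_assert_cb = default_assert_cb;

void set_assert_callback(assert_cb cb) {
    current_assert_cb = cb ? cb : default_assert_cb;
}

#define REQUIRE(cond) \
    do { if (!(cond)) current_assert_cb(#cond, __FILE__, __LINE__); } while (0)

/* Toy stand-ins for dns_name_t / dns_name_toregion(): a NULL name violates
 * the function's contract, which it enforces with REQUIRE(), not a return. */
typedef struct { const char *ndata; size_t length; } toy_name_t;
typedef struct { const char *base; size_t length; } toy_region_t;

void toy_name_toregion(const toy_name_t *name, toy_region_t *r) {
    REQUIRE(name != NULL && name->ndata != NULL);
    r->base = name->ndata;
    r->length = name->length;
}

/* Constructed algorithm table (invented for the example). lookup_alg()
 * returns NULL for an unknown algorithm; that NULL is the dangerous value. */
static const toy_name_t known_algs[] = {
    { "hmac-sha256", 11 },
    { "hmac-sha512", 11 },
};

const toy_name_t *lookup_alg(const char *alg) {
    for (size_t i = 0; i < sizeof(known_algs) / sizeof(known_algs[0]); i++)
        if (strcmp(known_algs[i].ndata, alg) == 0)
            return &known_algs[i];
    return NULL;
}

/* Before: the lookup result is passed straight on. An unknown algorithm name
 * in a TSIG record therefore reaches the REQUIRE() and aborts the daemon. */
int tsig_alg_region_unchecked(const char *alg, toy_region_t *r) {
    const toy_name_t *n = lookup_alg(alg);
    toy_name_toregion(n, r);
    return 0;
}

/* After: the unknown algorithm is rejected as a protocol error (-1 here,
 * standing in for a BADKEY/FORMERR-style response) before any call whose
 * precondition attacker-controlled input could violate. */
int tsig_alg_region_checked(const char *alg, toy_region_t *r) {
    const toy_name_t *n = lookup_alg(alg);
    if (n == NULL)
        return -1;
    toy_name_toregion(n, r);
    return 0;
}

/* Test harness: run fn under a non-aborting callback so the crash path can
 * be observed. Returns fn's result, or TRAP_FIRED if a REQUIRE() failed
 * (which with the default callback would have been an abort()). */
#define TRAP_FIRED (-99)
static jmp_buf trap;

static void trap_cb(const char *cond, const char *file, int line) {
    (void)cond; (void)file; (void)line;
    longjmp(trap, 1);
}

int run_trapped(int (*fn)(const char *, toy_region_t *), const char *alg) {
    toy_region_t r = { NULL, 0 };
    int rc;
    set_assert_callback(trap_cb);
    if (setjmp(trap) == 0)
        rc = fn(alg, &r);
    else
        rc = TRAP_FIRED;
    set_assert_callback(NULL);
    return rc;
}

int main(void) {
    const char *algs[] = { "hmac-sha256", "hmac-bogus" };  /* constructed input */
    for (int i = 0; i < 2; i++) {
        int u = run_trapped(tsig_alg_region_unchecked, algs[i]);
        int c = run_trapped(tsig_alg_region_checked, algs[i]);
        printf("%-12s unchecked: %s   checked: rc=%d\n", algs[i],
               u == TRAP_FIRED ? "REQUIRE fired (would abort)" : "ok", c);
    }
    return 0;
}
```

The point the model makes is the one behind the triage question: whether a given branch is affected depends not on whether dns_name_toregion() still has its REQUIRE() (it does, in every series) but on whether some caller in that branch can hand it an unvalidated result derived from the TSIG algorithm field. That is a caller-by-caller question, which is why a refactoring in 9.20 can introduce the bug in one series while an older code path may or may not have an equivalent unchecked call.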