
Re: triage of CVE-2025-40775/bind9



Well, I believe the correct way would be to contact upstream with your findings and discuss this directly with the engineers. Mistakes happen, and if you have a PoC, we can fix this in the older versions too, but I do believe that our investigation showed that at least the current PoC didn't work with anything older than 9.20.

Either open a confidential issue in GitLab, or use the service desk by emailing bind-security@isc.org.

Ondrej
--
Ondřej Surý (He/Him)

> On 21. 6. 2025, at 1:06, Salvatore Bonaccorso <carnil@debian.org> wrote:
> 
> Hi,
> 
> Let's loop in Ondrej here.
> 
>> On Fri, Jun 20, 2025 at 05:56:48PM -0400, Roberto C. Sánchez wrote:
>> Hello Security Team,
>> 
>> Today I investigated CVE-2025-40775/bind9, which was initially marked as
>> <not-affected> for bookworm and bullseye. However, I believe that this
>> is incorrect.
>> 
>> Based on the description given in the upstream issue [0] (which is
>> linked from the fixing commit linked in the security tracker), I traced
>> the flow through the older code bases present in bookworm and bullseye. I
>> found that the abort in question appears to be reachable like this:
>> 
>> name.c:dns_name_toregion() -> REQUIRE() -> abort()
>> 
>> While the code looks very different from that of 9.20 (which is the
>> oldest backported fix from upstream), there still appears to be a path
>> through the code, when the TSIG signature algorithm is invalid, that
>> will produce the behavior described in the CVE and which the upstream
>> commit addresses.
>> 
>> I have removed the <not-affected> tag referencing bullseye, and I
>> recommend that you do the same for the one referencing bookworm.
> 
> Ondrej, I remember when we discussed CVE-2025-40775 back around the end
> of May, we basically came to the conclusion that it's not an issue for
> older series, as it is purely a 9.20 issue introduced during
> refactoring.
> 
> In light of the above from Roberto, is that still a correct
> assessment?
> 
> Regards,
> Salvatore


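The bug class under discussion (a REQUIRE() precondition in the name code reached with a TSIG algorithm name that never validated, so the process aborts instead of returning an error) is easy to model in a few lines. The following is an added example written for this thread; it is not BIND's code and does not reproduce the actual call path in name.c. The REQUIRE macro, the toy_name/toy_region types, the known_algorithms table and the functions tsig_algorithm_lookup, toregion_unchecked, verify_tsig_fragile and verify_tsig_hardened are all constructed for the illustration. It shows the defensive point that triage turns on: an input-validation failure must be turned into an error code before the data reaches an API whose contract is enforced by an aborting assertion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a BIND-style REQUIRE(): a precondition check that
 * logs and aborts the whole process when it fails. Not BIND's macro. */
#define REQUIRE(cond)                                              \
    do {                                                           \
        if (!(cond)) {                                             \
            fprintf(stderr, "REQUIRE(%s) failed, aborting\n", #cond); \
            abort();                                               \
        }                                                          \
    } while (0)

/* Result codes in the style of a DNS library; constructed for this example. */
enum result { R_SUCCESS = 0, R_BADALG = 1 };

/* A toy "name": text is NULL when no valid name was produced. */
typedef struct { const char *text; } toy_name;

/* A toy "region": a base pointer plus length, as a name API might hand out. */
typedef struct { const char *base; size_t length; } toy_region;

/* Constructed table of TSIG algorithm names this toy server accepts. */
static const char *known_algorithms[] = { "hmac-sha256", "hmac-sha512", NULL };

/* Parse the algorithm field of an incoming TSIG record. Returns true and fills
 * *out when the name is known; otherwise leaves out->text NULL and returns false. */
static bool tsig_algorithm_lookup(const char *wire_field, toy_name *out) {
    out->text = NULL;
    for (size_t i = 0; known_algorithms[i] != NULL; i++) {
        if (strcmp(wire_field, known_algorithms[i]) == 0) {
            out->text = known_algorithms[i];
            return true;
        }
    }
    return false;
}

/* Name-to-region conversion whose contract says "name must be valid". The
 * contract is enforced with REQUIRE, so a caller that forgets to validate
 * does not get an error back: the process dies. */
static void toregion_unchecked(const toy_name *name, toy_region *r) {
    REQUIRE(name != NULL && name->text != NULL);
    r->base = name->text;
    r->length = strlen(name->text);
}

/* Fragile verify step: ignores the lookup result and passes the name straight
 * to the region API. With an unknown algorithm this reaches REQUIRE() and
 * abort(), i.e. an assertion failure triggered by peer-controlled input.
 * Kept only to show the contrast; never call it with an unvalidated field. */
static enum result verify_tsig_fragile(const char *wire_algorithm, toy_region *r) {
    toy_name alg;
    (void)tsig_algorithm_lookup(wire_algorithm, &alg);
    toregion_unchecked(&alg, r);
    return R_SUCCESS;
}

/* Hardened verify step: reject an unknown algorithm with an error code before
 * touching the API, so REQUIRE's precondition is guaranteed at the call site. */
static enum result verify_tsig_hardened(const char *wire_algorithm, toy_region *r) {
    toy_name alg;
    if (!tsig_algorithm_lookup(wire_algorithm, &alg)) {
        return R_BADALG; /* caller logs and drops the message; server keeps running */
    }
    toregion_unchecked(&alg, r);
    return R_SUCCESS;
}

int main(void) {
    toy_region r;
    /* Constructed inputs: one known algorithm, one garbage field. */
    printf("hardened, hmac-sha256 -> %d\n", verify_tsig_hardened("hmac-sha256", &r));
    printf("hardened, bogus-alg   -> %d\n", verify_tsig_hardened("bogus-alg", &r));
    printf("fragile,  hmac-sha512 -> %d\n", verify_tsig_fragile("hmac-sha512", &r));
    /* verify_tsig_fragile("bogus-alg", &r) would abort the process here. */
    return 0;
}
```

The triage question in the thread is exactly whether an older code base has a caller shaped like verify_tsig_fragile on the TSIG path; if every caller looks like verify_tsig_hardened, the REQUIRE is unreachable from the network and the version is not affected.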