svn commit: r47869 - in head/share: security/advisories security/patches/SA-15:27 xml
Xin LI
delphij at FreeBSD.org
Wed Dec 16 13:56:41 UTC 2015
Author: delphij
Date: Wed Dec 16 06:28:03 2015
New Revision: 47869
URL: https://svnweb.freebsd.org/changeset/doc/47869
Log:
Add advisory and patches for SA-15:27.bind.
Added:
head/share/security/advisories/FreeBSD-SA-15:27.bind.asc (contents, props changed)
head/share/security/patches/SA-15:27/
head/share/security/patches/SA-15:27/bind.patch (contents, props changed)
head/share/security/patches/SA-15:27/bind.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-15:27.bind.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:27.bind.asc Wed Dec 16 06:28:03 2015 (r47869)
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:27.bind Security Advisory
+ The FreeBSD Project
+
+Topic: BIND remote denial of service vulnerability
+
+Category: contrib
+Module: bind
+Announced: 2015-12-16
+Credits: ISC
+Affects: FreeBSD 9.x
+Corrected: 2015-12-16 06:10:05 UTC (stable/9, 9.3-STABLE)
+ 2015-12-16 06:21:26 UTC (releng/9.3, 9.3-RELEASE-p32)
+CVE Name: CVE-2015-8000
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server. The libdns
+library is a library of DNS protocol support functions.
+
+II. Problem Description
+
+An error in the parsing of incoming responses allows some records with an
+incorrect class to be be accepted by BIND instead of being rejected as
+malformed. This can trigger a REQUIRE assertion failure when those records
+are subsequently cached.
+
+III. Impact
+
+An attacker who can cause a server to request a record with a malformed class
+attribute can use this bug to trigger a REQUIRE assertion in db.c, causing
+named to exit and denying service to clients.
+
+The risk to recursive servers is high. Authoritative servers are at limited
+risk if they perform authentication when making recursive queries to resolve
+addresses for servers listed in NS RRSETs.
+
+IV. Workaround
+
+No workaround is available, but hosts not running named(8) are not
+vulnerable.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The named service has to be restarted after the update. A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The named service has to be restarted after the update. A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/SA-15:27/bind.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:27/bind.patch.asc
+# gpg --verify bind.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r292320
+releng/9.3/ r292321
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01317>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:27.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAEBCgAGBQJWcQOeAAoJEO1n7NZdz2rnpUoQAIjWIowpcRnteiQ8xJFnebHN
+iXj0vEWBGXofefDF1QzMZe0+mu688Brw1UGC89alhJVKfcmUP66okW5KP+4KDWUp
++jkIqjw0VLrWztc8V+YzGKkbFNprvYUKhzJJ/Y5TLjadqGRc5BBBDxwzY+9CnDfC
+P+OzaTHwO2HIrqclt5nVyhgBTXSGZHai6Eyw2fBuhmEqbOWNr4cBu8IVhAtvw6SR
+0lFSSITZ2z6YrDTq7l7fkeJwv+MnerpBXfe57P6r6tbDzzmsmZiNKABsk9wW2lkP
+kuOTf14VNoMySCwQ60PUEtflERCTJ/QRZxZTbBRh4YZXJxPsERwj3dlfguMA/5Pq
+sO9cxbhSKdoaiswKev67uVUkJXCePb8YIfcxui9Wj5YgcYaN5Au9F/tX2xMmWwfp
+2+XwiRkLoNao+NYrx6hAJjWxAUTZJJJhWvu6L7mpBiImsqczd5AJq52bqD/C2M5C
+v0acQ6ozNz2Fdkxy4YA1kuXm1STwFuCAfWSVYOpaLz42PeRrHzfqXFuAsoJCp8k1
+2m2pFgLgQKGhje6XY9rtaFPLulGFDOem8tdYDHH94lgToinVIZ/+GcMbV4My7vr/
+gWRnbzxr8J8/kdhUSp2+rlwnpdPEhgfcnxzwwr9F6duuwb5lLYCqNH/N4SOxRIAV
+En2VQ4vrDSCP7rszpvI7
+=89Kp
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-15:27/bind.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:27/bind.patch Wed Dec 16 06:28:03 2015 (r47869)
@@ -0,0 +1,188 @@
+Index: contrib/bind9/lib/dns/include/dns/message.h
+===================================================================
+--- contrib/bind9/lib/dns/include/dns/message.h (revision 292253)
++++ contrib/bind9/lib/dns/include/dns/message.h (working copy)
+@@ -15,8 +15,6 @@
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+-/* $Id$ */
+-
+ #ifndef DNS_MESSAGE_H
+ #define DNS_MESSAGE_H 1
+
+@@ -211,6 +209,8 @@ struct dns_message {
+ unsigned int verify_attempted : 1;
+ unsigned int free_query : 1;
+ unsigned int free_saved : 1;
++ unsigned int tkey : 1;
++ unsigned int rdclass_set : 1;
+
+ unsigned int opt_reserved;
+ unsigned int sig_reserved;
+@@ -1375,6 +1375,15 @@ dns_message_buildopt(dns_message_t *msg, dns_rdata
+ * \li other.
+ */
+
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
++/*%<
++ * Set the expected class of records in the response.
++ *
++ * Requires:
++ * \li msg be a valid message with parsing intent.
++ */
++
+ ISC_LANG_ENDDECLS
+
+ #endif /* DNS_MESSAGE_H */
+Index: contrib/bind9/lib/dns/message.c
+===================================================================
+--- contrib/bind9/lib/dns/message.c (revision 292253)
++++ contrib/bind9/lib/dns/message.c (working copy)
+@@ -436,6 +436,8 @@ msginit(dns_message_t *m) {
+ m->saved.base = NULL;
+ m->saved.length = 0;
+ m->free_saved = 0;
++ m->tkey = 0;
++ m->rdclass_set = 0;
+ m->querytsig = NULL;
+ }
+
+@@ -1086,13 +1088,19 @@ getquestions(isc_buffer_t *source, dns_message_t *
+ * If this class is different than the one we already read,
+ * this is an error.
+ */
+- if (msg->state == DNS_SECTION_ANY) {
+- msg->state = DNS_SECTION_QUESTION;
++ if (msg->rdclass_set == 0) {
+ msg->rdclass = rdclass;
++ msg->rdclass_set = 1;
+ } else if (msg->rdclass != rdclass)
+ DO_FORMERR;
+
+ /*
++ * Is this a TKEY query?
++ */
++ if (rdtype == dns_rdatatype_tkey)
++ msg->tkey = 1;
++
++ /*
+ * Can't ask the same question twice.
+ */
+ result = dns_message_find(name, rdclass, rdtype, 0, NULL);
+@@ -1236,12 +1244,12 @@ getsection(isc_buffer_t *source, dns_message_t *ms
+ * If there was no question section, we may not yet have
+ * established a class. Do so now.
+ */
+- if (msg->state == DNS_SECTION_ANY &&
++ if (msg->rdclass_set == 0 &&
+ rdtype != dns_rdatatype_opt && /* class is UDP SIZE */
+ rdtype != dns_rdatatype_tsig && /* class is ANY */
+ rdtype != dns_rdatatype_tkey) { /* class is undefined */
+ msg->rdclass = rdclass;
+- msg->state = DNS_SECTION_QUESTION;
++ msg->rdclass_set = 1;
+ }
+
+ /*
+@@ -1251,7 +1259,7 @@ getsection(isc_buffer_t *source, dns_message_t *ms
+ if (msg->opcode != dns_opcode_update
+ && rdtype != dns_rdatatype_tsig
+ && rdtype != dns_rdatatype_opt
+- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
++ && rdtype != dns_rdatatype_key /* in a TKEY query */
+ && rdtype != dns_rdatatype_sig /* SIG(0) */
+ && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
+ && msg->rdclass != dns_rdataclass_any
+@@ -1259,6 +1267,16 @@ getsection(isc_buffer_t *source, dns_message_t *ms
+ DO_FORMERR;
+
+ /*
++ * If this is not a TKEY query/response then the KEY
++ * record's class needs to match.
++ */
++ if (msg->opcode != dns_opcode_update && !msg->tkey &&
++ rdtype == dns_rdatatype_key &&
++ msg->rdclass != dns_rdataclass_any &&
++ msg->rdclass != rdclass)
++ DO_FORMERR;
++
++ /*
+ * Special type handling for TSIG, OPT, and TKEY.
+ */
+ if (rdtype == dns_rdatatype_tsig) {
+@@ -1372,6 +1390,10 @@ getsection(isc_buffer_t *source, dns_message_t *ms
+ skip_name_search = ISC_TRUE;
+ skip_type_search = ISC_TRUE;
+ issigzero = ISC_TRUE;
++ } else {
++ if (msg->rdclass != dns_rdataclass_any &&
++ msg->rdclass != rdclass)
++ DO_FORMERR;
+ }
+ } else
+ covers = 0;
+@@ -1610,6 +1632,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t
+ msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
+
+ msg->header_ok = 1;
++ msg->state = DNS_SECTION_QUESTION;
+
+ /*
+ * -1 means no EDNS.
+@@ -3550,3 +3573,15 @@ dns_message_buildopt(dns_message_t *message, dns_r
+ dns_message_puttemprdatalist(message, &rdatalist);
+ return (result);
+ }
++
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
++
++ REQUIRE(DNS_MESSAGE_VALID(msg));
++ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
++ REQUIRE(msg->state == DNS_SECTION_ANY);
++ REQUIRE(msg->rdclass_set == 0);
++
++ msg->rdclass = rdclass;
++ msg->rdclass_set = 1;
++}
+Index: contrib/bind9/lib/dns/resolver.c
+===================================================================
+--- contrib/bind9/lib/dns/resolver.c (revision 292253)
++++ contrib/bind9/lib/dns/resolver.c (working copy)
+@@ -6941,6 +6941,8 @@ resquery_response(isc_task_t *task, isc_event_t *e
+ goto done;
+ }
+
++ dns_message_setclass(message, fctx->res->rdclass);
++
+ result = dns_message_parse(message, &devent->buffer, 0);
+ if (result != ISC_R_SUCCESS) {
+ switch (result) {
+@@ -7013,6 +7015,12 @@ resquery_response(isc_task_t *task, isc_event_t *e
+ */
+ log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
+
++ if (message->rdclass != fctx->res->rdclass) {
++ resend = ISC_TRUE;
++ FCTXTRACE("bad class");
++ goto done;
++ }
++
+ /*
+ * Process receive opt record.
+ */
+Index: contrib/bind9/lib/dns/xfrin.c
+===================================================================
+--- contrib/bind9/lib/dns/xfrin.c (revision 292253)
++++ contrib/bind9/lib/dns/xfrin.c (working copy)
+@@ -1211,6 +1211,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev)
+ msg->tsigctx = xfr->tsigctx;
+ xfr->tsigctx = NULL;
+
++ dns_message_setclass(msg, xfr->rdclass);
++
+ if (xfr->nmsg > 0)
+ msg->tcp_continuation = 1;
+
Added: head/share/security/patches/SA-15:27/bind.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:27/bind.patch.asc Wed Dec 16 06:28:03 2015 (r47869)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAABCgAGBQJWcQOtAAoJEO1n7NZdz2rnTmwQAONDOW3LyJq2BL/pjENDM7k5
+5jCfPi8VoS2Lt6tO8ZrKA84GUt+L0RwDN9NYgxdTy7iwVN2A5sYXlG51stvQFjIl
+0Pr1/LShtXAy4VL9GKXBkrLvb+RHAhuz43R2AqH+fjO+sb8SwAHlvspP753bV1BQ
+P28sHyVhNQalUEJIoBcKgGJ3q5DUUzmQg7zdCGf2+nksk5JY5dagKFFZbZ1zFHnZ
+/rcQvAZ/1yfQeML38aBXpVq2pYthwtKhL813WeoEpiAeTxSH+WfWyhyJKz/oJ69E
+MhugQvIUjJkf1YmQo/ovjigS5fAGdImEWH6jIcFpwbQZaXZhhSBeDlxDVfl0pQk0
+YJ74aIRyNThTpPFV2dpPmrkSvDxR0Fn7oWHggxE3U11rN8eJ+U0ep2GLyUpzuQSu
+PagKPpJoyODBKVed9U1CHyhJF7pKDkVWbIxhhlrQJSylc/6UZ1FHW8nA6U5tWz3L
+9gAbfpuRwEKtyM90pX+BDtTDQ8Iqzqnhc+mJsRVzRiUqUi1NBsCqk9PFkcZTuYV8
+vllbPHYHvIJrl+3sXqJYNDkKQSWIl931eMLYRf9ReHjWc8VpzfLeZxU4lE8v328f
+x/huRJkoBkznFJlE4AsELHbEf72ovZijXH1G1xtMZLw8CaByeao85R9fIjjiRssp
+FomqFBFv1cuoA8FUra6U
+=BKj+
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Tue Dec 15 18:41:16 2015 (r47868)
+++ head/share/xml/advisories.xml Wed Dec 16 06:28:03 2015 (r47869)
@@ -11,6 +11,14 @@
<name>12</name>
<day>
+ <name>26</name>
+
+ <advisory>
+ <name>FreeBSD-SA-15:27.bind</name>
+ </advisory>
+ </day>
+
+ <day>
<name>6</name>
<advisory>
More information about the svn-doc-all
mailing list