oss-sec mailing list archives
Re: CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c
From: Solar Designer <solar () openwall com>
Date: Fri, 18 Nov 2011 00:55:17 +0400
Speaking of BIND 9.3.x:

On Thu, Nov 17, 2011 at 10:43:51PM +0400, Solar Designer wrote:
> So do we (distro vendors) choose to go ahead and release updates with just those changes for now?

Red Hat has just released an update for 9.3.6 in RHEL5:

https://rhn.redhat.com/errata/RHSA-2011-1458.html
bind-9.3.6-16.P1.el5_7.1.src.rpm

Meanwhile, per my further analysis, BIND 9.3.x's affected code in query.c is only reached if the dnssec-enable option is set to yes, regardless of whether the build of BIND includes full DNSSEC support (is linked against OpenSSL) or not.

In 9.4.x+, it probably does not take "dnssec-enable yes" to make the issue triggerable, because of the added query_addadditional2() function with an extra instance of the assertion. This extra function does not have the same check for DNSSEC being enabled that query_addadditional() does.

Here's query_addadditional()'s check in 9.3.x:

	if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
		return (ISC_R_SUCCESS);

where WANTDNSSEC() is:

	#define WANTDNSSEC(c)	(((c)->attributes & \
				  NS_CLIENTATTR_WANTDNSSEC) != 0)

where the NS_CLIENTATTR_WANTDNSSEC flag is set when:

	if (!client->view->enablednssec) {
		message->flags &= ~DNS_MESSAGEFLAG_CD;
		client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
	}
	[...]
	if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
		client->attributes |= NS_CLIENTATTR_WANTDNSSEC;

where server.c sets:

	result = ns_config_get(maps, "dnssec-enable", &obj);
	INSIST(result == ISC_R_SUCCESS);
	view->enablednssec = cfg_obj_asboolean(obj);

I hope I am not misreading this.

Alexander
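
For triaging a 9.3.x deployment against the analysis above, the following added example (not part of the original message, and not BIND code) reports the dnssec-enable setting that applies to "options" and to each view in a named.conf. The sample configuration and function names are constructed for illustration; a view without its own statement is assumed to inherit the one in options, and None means no explicit setting was found, so the build's default applies. Per the message, this setting is only a gate on 9.3.x.

```python
import re

# Constructed sample named.conf (not from the original message).
SAMPLE_CONF = r'''
options {
    directory "/var/named";  // dnssec-enable yes;  <- comment, ignored
    dnssec-enable no;
};
/* view "old" { dnssec-enable yes; }; */
view "internal" {
    dnssec-enable yes;   # overrides options
};
view "external" { recursion no; };
'''

_TRUE = {"yes", "true", "1"}
# Quoted strings are matched first so "//" or "#" inside them is not a comment.
_COMMENTS = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_TOKENS = re.compile(r'"(?:\\.|[^"\\])*"|[{};]|[^\s{};"]+')

def strip_comments(text):
    """Remove /* */, // and # comments, leaving quoted strings intact."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return _COMMENTS.sub(keep, text)

def effective_dnssec_enable(conf_text):
    """Return {scope: True/False/None} for "options" and each view."""
    stack, stmt, explicit, views = [], [], {}, []
    for tok in _TOKENS.findall(strip_comments(conf_text)):
        if tok == "{":                      # block opens: label is the statement so far
            label = " ".join(stmt).replace('"', "")
            if not stack and label.startswith("view "):
                views.append(label)
            stack.append(label)
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":                    # statement ends
            if len(stmt) >= 2 and stmt[0] == "dnssec-enable" and len(stack) == 1:
                explicit[stack[0]] = stmt[1].strip('"').lower() in _TRUE
            stmt = []
        else:
            stmt.append(tok)
    result = {"options": explicit.get("options")}
    for view in views:                      # views fall back to the options value
        result[view] = explicit.get(view, result["options"])
    return result
```

Scopes reported as True are the ones where, on 9.3.x, the message's analysis says the affected code in query.c is reached.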