Date: Wed, 16 Dec 2015 06:28:03 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r47869 - in head/share: security/advisories security/patches/SA-15:27 xml Message-ID: <201512160628.tBG6S3wW099911@repo.freebsd.org>
Author: delphij Date: Wed Dec 16 06:28:03 2015 New Revision: 47869 URL: https://svnweb.freebsd.org/changeset/doc/47869 Log: Add advisory and patches for SA-15:27.bind. Added: head/share/security/advisories/FreeBSD-SA-15:27.bind.asc (contents, props changed) head/share/security/patches/SA-15:27/ head/share/security/patches/SA-15:27/bind.patch (contents, props changed) head/share/security/patches/SA-15:27/bind.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-15:27.bind.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-15:27.bind.asc Wed Dec 16 06:28:03 2015 (r47869) 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:27.bind Security Advisory + The FreeBSD Project + +Topic: BIND remote denial of service vulnerability + +Category: contrib +Module: bind +Announced: 2015-12-16 +Credits: ISC +Affects: FreeBSD 9.x +Corrected: 2015-12-16 06:10:05 UTC (stable/9, 9.3-STABLE) + 2015-12-16 06:21:26 UTC (releng/9.3, 9.3-RELEASE-p32) +CVE Name: CVE-2015-8000 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. The libdns +library is a library of DNS protocol support functions. + +II. Problem Description + +An error in the parsing of incoming responses allows some records with an +incorrect class to be be accepted by BIND instead of being rejected as +malformed. This can trigger a REQUIRE assertion failure when those records +are subsequently cached. + +III. Impact + +An attacker who can cause a server to request a record with a malformed class +attribute can use this bug to trigger a REQUIRE assertion in db.c, causing +named to exit and denying service to clients. + +The risk to recursive servers is high. Authoritative servers are at limited +risk if they perform authentication when making recursive queries to resolve +addresses for servers listed in NS RRSETs. + +IV. Workaround + +No workaround is available, but hosts not running named(8) are not +vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +The named service has to be restarted after the update. 
A reboot is +recommended but not required. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +The named service has to be restarted after the update. A reboot is +recommended but not required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/SA-15:27/bind.patch +# fetch https://security.FreeBSD.org/patches/SA-15:27/bind.patch.asc +# gpg --verify bind.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r292320 +releng/9.3/ r292321 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://kb.isc.org/article/AA-01317> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:27.bind.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.8 (FreeBSD) + +iQIcBAEBCgAGBQJWcQOeAAoJEO1n7NZdz2rnpUoQAIjWIowpcRnteiQ8xJFnebHN +iXj0vEWBGXofefDF1QzMZe0+mu688Brw1UGC89alhJVKfcmUP66okW5KP+4KDWUp ++jkIqjw0VLrWztc8V+YzGKkbFNprvYUKhzJJ/Y5TLjadqGRc5BBBDxwzY+9CnDfC +P+OzaTHwO2HIrqclt5nVyhgBTXSGZHai6Eyw2fBuhmEqbOWNr4cBu8IVhAtvw6SR +0lFSSITZ2z6YrDTq7l7fkeJwv+MnerpBXfe57P6r6tbDzzmsmZiNKABsk9wW2lkP +kuOTf14VNoMySCwQ60PUEtflERCTJ/QRZxZTbBRh4YZXJxPsERwj3dlfguMA/5Pq +sO9cxbhSKdoaiswKev67uVUkJXCePb8YIfcxui9Wj5YgcYaN5Au9F/tX2xMmWwfp +2+XwiRkLoNao+NYrx6hAJjWxAUTZJJJhWvu6L7mpBiImsqczd5AJq52bqD/C2M5C +v0acQ6ozNz2Fdkxy4YA1kuXm1STwFuCAfWSVYOpaLz42PeRrHzfqXFuAsoJCp8k1 +2m2pFgLgQKGhje6XY9rtaFPLulGFDOem8tdYDHH94lgToinVIZ/+GcMbV4My7vr/ +gWRnbzxr8J8/kdhUSp2+rlwnpdPEhgfcnxzwwr9F6duuwb5lLYCqNH/N4SOxRIAV +En2VQ4vrDSCP7rszpvI7 +=89Kp +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:27/bind.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:27/bind.patch Wed Dec 16 06:28:03 2015 (r47869) 
@@ -0,0 +1,188 @@ +Index: contrib/bind9/lib/dns/include/dns/message.h +=================================================================== +--- contrib/bind9/lib/dns/include/dns/message.h (revision 292253) ++++ contrib/bind9/lib/dns/include/dns/message.h (working copy) +@@ -15,8 +15,6 @@ + * PERFORMANCE OF THIS SOFTWARE. + */ + +-/* $Id$ */ +- + #ifndef DNS_MESSAGE_H + #define DNS_MESSAGE_H 1 + +@@ -211,6 +209,8 @@ struct dns_message { + unsigned int verify_attempted : 1; + unsigned int free_query : 1; + unsigned int free_saved : 1; ++ unsigned int tkey : 1; ++ unsigned int rdclass_set : 1; + + unsigned int opt_reserved; + unsigned int sig_reserved; +@@ -1375,6 +1375,15 @@ dns_message_buildopt(dns_message_t *msg, dns_rdata + * \li other. + */ + ++void ++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass); ++/*%< ++ * Set the expected class of records in the response. ++ * ++ * Requires: ++ * \li msg be a valid message with parsing intent. ++ */ ++ + ISC_LANG_ENDDECLS + + #endif /* DNS_MESSAGE_H */ +Index: contrib/bind9/lib/dns/message.c +=================================================================== +--- contrib/bind9/lib/dns/message.c (revision 292253) ++++ contrib/bind9/lib/dns/message.c (working copy) +@@ -436,6 +436,8 @@ msginit(dns_message_t *m) { + m->saved.base = NULL; + m->saved.length = 0; + m->free_saved = 0; ++ m->tkey = 0; ++ m->rdclass_set = 0; + m->querytsig = NULL; + } + +@@ -1086,13 +1088,19 @@ getquestions(isc_buffer_t *source, dns_message_t * + * If this class is different than the one we already read, + * this is an error. + */ +- if (msg->state == DNS_SECTION_ANY) { +- msg->state = DNS_SECTION_QUESTION; ++ if (msg->rdclass_set == 0) { + msg->rdclass = rdclass; ++ msg->rdclass_set = 1; + } else if (msg->rdclass != rdclass) + DO_FORMERR; + + /* ++ * Is this a TKEY query? ++ */ ++ if (rdtype == dns_rdatatype_tkey) ++ msg->tkey = 1; ++ ++ /* + * Can't ask the same question twice. 
+ */ + result = dns_message_find(name, rdclass, rdtype, 0, NULL); +@@ -1236,12 +1244,12 @@ getsection(isc_buffer_t *source, dns_message_t *ms + * If there was no question section, we may not yet have + * established a class. Do so now. + */ +- if (msg->state == DNS_SECTION_ANY && ++ if (msg->rdclass_set == 0 && + rdtype != dns_rdatatype_opt && /* class is UDP SIZE */ + rdtype != dns_rdatatype_tsig && /* class is ANY */ + rdtype != dns_rdatatype_tkey) { /* class is undefined */ + msg->rdclass = rdclass; +- msg->state = DNS_SECTION_QUESTION; ++ msg->rdclass_set = 1; + } + + /* +@@ -1251,7 +1259,7 @@ getsection(isc_buffer_t *source, dns_message_t *ms + if (msg->opcode != dns_opcode_update + && rdtype != dns_rdatatype_tsig + && rdtype != dns_rdatatype_opt +- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */ ++ && rdtype != dns_rdatatype_key /* in a TKEY query */ + && rdtype != dns_rdatatype_sig /* SIG(0) */ + && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */ + && msg->rdclass != dns_rdataclass_any +@@ -1259,6 +1267,16 @@ getsection(isc_buffer_t *source, dns_message_t *ms + DO_FORMERR; + + /* ++ * If this is not a TKEY query/response then the KEY ++ * record's class needs to match. ++ */ ++ if (msg->opcode != dns_opcode_update && !msg->tkey && ++ rdtype == dns_rdatatype_key && ++ msg->rdclass != dns_rdataclass_any && ++ msg->rdclass != rdclass) ++ DO_FORMERR; ++ ++ /* + * Special type handling for TSIG, OPT, and TKEY. 
+ */ + if (rdtype == dns_rdatatype_tsig) { +@@ -1372,6 +1390,10 @@ getsection(isc_buffer_t *source, dns_message_t *ms + skip_name_search = ISC_TRUE; + skip_type_search = ISC_TRUE; + issigzero = ISC_TRUE; ++ } else { ++ if (msg->rdclass != dns_rdataclass_any && ++ msg->rdclass != rdclass) ++ DO_FORMERR; + } + } else + covers = 0; +@@ -1610,6 +1632,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t + msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source); + + msg->header_ok = 1; ++ msg->state = DNS_SECTION_QUESTION; + + /* + * -1 means no EDNS. +@@ -3550,3 +3573,15 @@ dns_message_buildopt(dns_message_t *message, dns_r + dns_message_puttemprdatalist(message, &rdatalist); + return (result); + } ++ ++void ++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) { ++ ++ REQUIRE(DNS_MESSAGE_VALID(msg)); ++ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE); ++ REQUIRE(msg->state == DNS_SECTION_ANY); ++ REQUIRE(msg->rdclass_set == 0); ++ ++ msg->rdclass = rdclass; ++ msg->rdclass_set = 1; ++} +Index: contrib/bind9/lib/dns/resolver.c +=================================================================== +--- contrib/bind9/lib/dns/resolver.c (revision 292253) ++++ contrib/bind9/lib/dns/resolver.c (working copy) +@@ -6941,6 +6941,8 @@ resquery_response(isc_task_t *task, isc_event_t *e + goto done; + } + ++ dns_message_setclass(message, fctx->res->rdclass); ++ + result = dns_message_parse(message, &devent->buffer, 0); + if (result != ISC_R_SUCCESS) { + switch (result) { +@@ -7013,6 +7015,12 @@ resquery_response(isc_task_t *task, isc_event_t *e + */ + log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx); + ++ if (message->rdclass != fctx->res->rdclass) { ++ resend = ISC_TRUE; ++ FCTXTRACE("bad class"); ++ goto done; ++ } ++ + /* + * Process receive opt record. 
+ */ +Index: contrib/bind9/lib/dns/xfrin.c +=================================================================== +--- contrib/bind9/lib/dns/xfrin.c (revision 292253) ++++ contrib/bind9/lib/dns/xfrin.c (working copy) +@@ -1211,6 +1211,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) + msg->tsigctx = xfr->tsigctx; + xfr->tsigctx = NULL; + ++ dns_message_setclass(msg, xfr->rdclass); ++ + if (xfr->nmsg > 0) + msg->tcp_continuation = 1; + Added: head/share/security/patches/SA-15:27/bind.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:27/bind.patch.asc Wed Dec 16 06:28:03 2015 (r47869) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.8 (FreeBSD) + +iQIcBAABCgAGBQJWcQOtAAoJEO1n7NZdz2rnTmwQAONDOW3LyJq2BL/pjENDM7k5 +5jCfPi8VoS2Lt6tO8ZrKA84GUt+L0RwDN9NYgxdTy7iwVN2A5sYXlG51stvQFjIl +0Pr1/LShtXAy4VL9GKXBkrLvb+RHAhuz43R2AqH+fjO+sb8SwAHlvspP753bV1BQ +P28sHyVhNQalUEJIoBcKgGJ3q5DUUzmQg7zdCGf2+nksk5JY5dagKFFZbZ1zFHnZ +/rcQvAZ/1yfQeML38aBXpVq2pYthwtKhL813WeoEpiAeTxSH+WfWyhyJKz/oJ69E +MhugQvIUjJkf1YmQo/ovjigS5fAGdImEWH6jIcFpwbQZaXZhhSBeDlxDVfl0pQk0 +YJ74aIRyNThTpPFV2dpPmrkSvDxR0Fn7oWHggxE3U11rN8eJ+U0ep2GLyUpzuQSu +PagKPpJoyODBKVed9U1CHyhJF7pKDkVWbIxhhlrQJSylc/6UZ1FHW8nA6U5tWz3L +9gAbfpuRwEKtyM90pX+BDtTDQ8Iqzqnhc+mJsRVzRiUqUi1NBsCqk9PFkcZTuYV8 +vllbPHYHvIJrl+3sXqJYNDkKQSWIl931eMLYRf9ReHjWc8VpzfLeZxU4lE8v328f +x/huRJkoBkznFJlE4AsELHbEf72ovZijXH1G1xtMZLw8CaByeao85R9fIjjiRssp +FomqFBFv1cuoA8FUra6U +=BKj+ +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Dec 15 18:41:16 2015 (r47868) +++ head/share/xml/advisories.xml Wed Dec 16 06:28:03 2015 (r47869) 
@@ -11,6 +11,14 @@ <name>12</name> <day> + <name>26</name> + + <advisory> + <name>FreeBSD-SA-15:27.bind</name> + </advisory> + </day> + + <day> <name>6</name> <advisory>
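Review bot: typo in the advisory text added in the FreeBSD-SA-15:27.bind.asc hunk @@ -0,0 +1,140 @@, section II: "allows some records with an incorrect class to be be accepted" doubles "be" and should read "to be accepted by BIND". The file is PGP-signed, so the fix also means re-signing it, which is worth doing before the announcement goes out.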
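Review bot: the removal of `/* $Id$ */` in the message.h hunk @@ -15,8 +15,6 @@ is unrelated to the class check; a security patch is easier to audit and backport when it carries only the fix, so consider dropping that hunk.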
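Review bot: the doc comment added for dns_message_setclass() in the message.h hunk @@ -1375,6 +1375,15 @@ understates the contract. The implementation in message.c REQUIREs not only DNS_MESSAGE_INTENTPARSE but also `msg->state == DNS_SECTION_ANY` and `msg->rdclass_set == 0`, so the function must be called exactly once, before dns_message_parse(), on a fresh or reset message, and a violation is a REQUIRE assertion that aborts named rather than an error return. Suggest adding those conditions to the Requires: list, e.g. `\li dns_message_parse() has not yet been called on msg.` and `\li dns_message_setclass() has not already been called on msg.`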
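Review bot: in the message.c hunk @@ -1251,7 +1259,7 @@ the exemption changes from `dns_rdatatype_dnskey` to `dns_rdatatype_key` while the comment stays `/* in a TKEY query */`, so DNSKEY records in non-UPDATE messages now fall through to the class comparison and hit DO_FORMERR on mismatch. That is consistent with the explicit KEY/`msg->tkey` check added in the following hunk @@ -1259,6 +1267,16 @@, but it reads like a typo at first glance; a sentence in the patch description saying the DNSKEY exemption was removed deliberately would help reviewers and anyone merging this.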
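Review bot: the post-parse check added in the resolver.c hunk @@ -7013,6 +7015,12 @@ (`if (message->rdclass != fctx->res->rdclass)`) looks unreachable after a successful parse: dns_message_setclass() is now called with `fctx->res->rdclass` before dns_message_parse() in the hunk @@ -6941,6 +6941,8 @@, getquestions() returns DO_FORMERR on a class mismatch once `rdclass_set` is 1, and getsection() only assigns `msg->rdclass` when `rdclass_set == 0`. If it is intended as defense in depth, a one-line comment saying so (and that it forces a resend via `resend = ISC_TRUE`) would stop the next reader from wondering how it can fire.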
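Review bot: the xfrin.c hunk @@ -1211,6 +1211,8 @@ calls dns_message_setclass(msg, xfr->rdclass) on every received message, and dns_message_setclass() REQUIREs `rdclass_set == 0` and `state == DNS_SECTION_ANY`; please confirm msg is freshly created or reset before each xfrin_recv_done() call, because on a reused message the REQUIRE would abort named mid-transfer, the same kind of assertion failure this advisory is fixing.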
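Review bot: the advisories.xml hunk @@ -11,6 +11,14 @@ files the new entry under `<name>26</name>`, but the advisory it references is announced 2015-12-16 and this commit is dated Dec 16; the new `<day>` should carry `<name>16</name>`, otherwise the published advisory listing shows the wrong date.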