Bug 1108544 (CVE-2014-3859)

Summary: CVE-2014-3859 bind: assertion failure during EDNS option processing
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: psimerda, thozza, vdanen, vonsch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bind 9.10.0-P2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-12 08:35:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Murray McAllister 2014-06-12 08:27:25 UTC 
A flaw in the EDNS option processing could cause named to crash with an assertion failure when processing specially-crafted queries.

This issue only affected BIND versions 9.10.0 and 9.10.0-P1. This version is not shipped in any Red Hat products or in Fedora.

External References:

https://kb.isc.org/article/AA-01166
Comment 2 Murray McAllister 2014-06-12 08:30:52 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of bind or bind97 as shipped with Red Hat Enterprise Linux 5, 6, and 7.
Comment 4 Murray McAllister 2014-06-12 08:34:45 UTC 
This issue (or some of it) was fixed with the following:

lib/dns/message.c
@@ -3359,6 +3360,8 @@
 				 * version
 				 */
 				ADD_STRING(target, "(\"");
+				if (isc_buffer_availablelength(target) < optlen)
+					return (ISC_R_NOSPACE);
 				for (i = 0; i < optlen; i++) {
 					if (isprint(optdata[i]))
 						isc_buffer_putmem(target,