Bug 1213832

Summary: CVE-2015-1868 powerdns (recursor) remote crash
Product: Fedora EPEL
Component: pdns-recursor
Reporter: Peter van Dijk (PowerDNS) <peter.van.dijk>
Assignee: Morten Stevens <mstevens>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ruben, sparks
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: el5
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Fixed In Version: pdns-recursor-3.6.3-1.el5
Last Closed: 2015-04-29 19:20:33 UTC
Bug Blocks: 1213377
Attachments:
* patch for recursor 3.7.1
* patch for ALL affected products (both rec and auth!) excluding rec-3.7.1

Description Peter van Dijk (PowerDNS) 2015-04-21 11:46:48 UTC
draft CVE follows. The referenced patches are pretty easy to backport, and are also present on our rel/rec-3.6.3 branch in a form that should apply directly to 3.6.x.


## PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes on specific platforms

* CVE: CVE-2015-1868
* Date: 23rd of April 2015
* Credit: Aki Tuomi
* Affects: PowerDNS Recursor versions 3.5 and up; Authoritative Server 3.2 and up
* Not affected: Recursor 3.6.3; Recursor 3.7.2; Auth 3.4.4
* Severity: High
* Impact: Degraded service
* Exploit: This problem can be triggered by sending queries for specifically configured domains
* Risk of system compromise: No
* Solution: Upgrade to any of the non-affected versions
* Workaround: Run your Recursor under a supervisor. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.

A bug was discovered in our label decompression code, making it possible for
names to refer to themselves, thus causing a loop during decompression. This
loop is capped at 1000 iterations by a failsafe, making the issue harmless
on most platforms.

However, on specific platforms (so far, we are only aware of this happening on
RHEL5/CentOS5), the recursion involved in these 1000 steps causes memory
corruption leading to a quick crash, presumably because the default stack is
too small.

We recommend that all users upgrade to a corrected version if at all possible.
Alternatively, if you want to apply a minimal fix to your own tree, it can be
found in three parts:
[here](https://github.com/PowerDNS/pdns/commit/adb10be102ddd4d2baf7a8adbb5673946fe5e555),
[here](https://github.com/PowerDNS/pdns/commit/3ec3e0fc71bc89ac41c7e6d8cd3f323f25233881) and
[here](https://github.com/PowerDNS/pdns/commit/dc02ebf65ab41ba3c84b05d8d7f1505695adcaf7).

These should be trivial to backport to older versions by hand.

As for workarounds, only clients in allow-from are able to trigger the
degraded service, so this should be limited to your userbase; further, we
recommend running your critical services under supervision such as systemd,
supervisord, daemontools, etc.
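The advisory describes a name whose compression pointer refers back to itself and a recursive decompressor that walks that loop until it exhausts the stack. The routine below is an added example, not PowerDNS code and not one of the linked patches: it decompresses iteratively (no recursion, so no stack growth) and requires every pointer to land strictly before the lowest offset already visited, which rules out self-references and forward pointers. Function names and the packet bytes are constructed for this example.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Iterative RFC 1035 name decompression (added example, not PowerDNS code).
// A pointer must land before `lowest`, the smallest offset visited so far, so
// a chain of pointers strictly decreases and can never revisit itself.
std::string expandName(const std::vector<uint8_t>& pkt, size_t& pos)
{
    std::string name;
    size_t cur = pos, resume = 0, lowest = pos;
    bool jumped = false;
    for (;;) {
        if (cur >= pkt.size()) throw std::runtime_error("truncated name");
        uint8_t len = pkt[cur];
        if ((len & 0xC0) == 0xC0) {                      // compression pointer
            if (cur + 1 >= pkt.size()) throw std::runtime_error("truncated pointer");
            size_t target = ((len & 0x3F) << 8) | pkt[cur + 1];
            if (target >= lowest) throw std::runtime_error("compression pointer loop");
            if (!jumped) { resume = cur + 2; jumped = true; }
            lowest = cur = target;
            continue;
        }
        if (len & 0xC0) throw std::runtime_error("unsupported label type");
        ++cur;
        if (len == 0) break;                             // root label ends the name
        if (cur + len > pkt.size()) throw std::runtime_error("truncated label");
        name.append(reinterpret_cast<const char*>(&pkt[cur]), len);
        name.push_back('.');
        if (name.size() > 255) throw std::runtime_error("name too long");
        cur += len;
    }
    pos = jumped ? resume : cur;                          // caller continues after the name
    return name.empty() ? "." : name;
}

// True when the name at `pos` is rejected (loop, truncation, bad label).
bool decompressionFails(const std::vector<uint8_t>& pkt, size_t pos)
{
    try { expandName(pkt, pos); return false; } catch (const std::exception&) { return true; }
}

// Constructed packet: 12-byte header; "www.example.com." at offset 12; "mail" plus a
// pointer to offset 16 at 29; at 36 "foo" plus a pointer back to 36 (the name refers to itself).
std::vector<uint8_t> samplePacket()
{
    std::vector<uint8_t> pkt(12, 0);
    const char* names = "\x03" "www" "\x07" "example" "\x03" "com" "\x00"
                        "\x04" "mail" "\xC0\x10" "\x03" "foo" "\xC0\x24";
    pkt.insert(pkt.end(), names, names + 30);
    return pkt;
}
```

The 1000-iteration failsafe from the advisory is unnecessary here because the backward-only rule makes termination a property of the offsets, not of a counter.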

Comment 1 Morten Stevens 2015-04-21 11:55:37 UTC
Hi Peter,

Thank you for informing us.

Comment 2 Peter van Dijk (PowerDNS) 2015-04-21 12:14:16 UTC
Created attachment 1016814 [details]
patch for recursor 3.7.1

Comment 3 Peter van Dijk (PowerDNS) 2015-04-21 12:14:45 UTC
Created attachment 1016815 [details]
patch for ALL affected products (both rec and auth!) excluding rec-3.7.1

Comment 4 Peter van Dijk (PowerDNS) 2015-04-21 12:18:10 UTC
Just to clarify: the buggy code is in both auth (3.2 and up) and recursor (3.5 and up). However, we have only seen the actual crash with the recursor on el5. As such, I have not opened bugs for el6 and el7, and for auth on all distributions. I do recommend updating all these packages, however, as we may be missing part of the impact of the bug.

Comment 5 Morten Stevens 2015-04-23 12:21:18 UTC
Hi Martin,

Could you please remove the private group flag here? It's now public.

Comment 6 Fedora Update System 2015-04-23 12:40:06 UTC
pdns-recursor-3.6.3-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/pdns-recursor-3.6.3-1.el5

Comment 7 Fedora Update System 2015-04-23 19:03:41 UTC
Package pdns-recursor-3.6.3-1.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing pdns-recursor-3.6.3-1.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-5952/pdns-recursor-3.6.3-1.el5
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2015-04-29 19:20:33 UTC
pdns-recursor-3.6.3-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.