Bug 1299364 (CVE-2015-8704)

Summary: CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kfujii, mschena, mshimura, ppostler, security-response-team, slawomir, snavale, thozza, tkubota, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bind 9.9.8-P3, bind 9.10.3-P3 Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way BIND processed certain malformed Address Prefix List (APL) records. A remote, authenticated attacker could use this flaw to cause named to crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-28 05:20:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1299375, 1299376, 1299377, 1299378, 1299379, 1299380, 1300051, 1300052    
Bug Blocks: 1299370    
Attachments:
Description Flags
9.10.3-rt41396-and-rt41397-CVE-2015-8704-and-CVE-2015-8705.diff
none
9.9.8-rt41396-CVE-2015-8704.diff none

Description Martin Prpič 2016-01-18 08:45:28 UTC 
The following flaw in BIND was reported by ISC:

A buffer size check used to guard against overflow could cause named to exit with an INSIST failure In apl_42.c.

A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations. Examples include (but may not be limited to):

Slaves using text-format db files could be vulnerable if receiving a malformed record in a zone transfer from their master.

Masters using text-format db files could be vulnerable if they accept a malformed record in a DDNS update message.

Recursive resolvers are potentially vulnerable when debug logging, if they are fed a deliberately malformed record by a malicious server.

A server which has cached a specially constructed record could encounter this condition while performing 'rndc dumpdb'.
Comment 1 Martin Prpič 2016-01-18 08:45:46 UTC 
Acknowledgements:

Red Hat would like to thank ISC for reporting this issue.
Comment 2 Martin Prpič 2016-01-18 08:48:20 UTC 
Created attachment 1115780 [details]
9.10.3-rt41396-and-rt41397-CVE-2015-8704-and-CVE-2015-8705.diff
Comment 3 Martin Prpič 2016-01-18 08:48:22 UTC 
Created attachment 1115781 [details]
9.9.8-rt41396-CVE-2015-8704.diff
Comment 7 Tomas Hoger 2016-01-19 20:32:55 UTC 
Public now via upstream advisory.

External References:

https://kb.isc.org/article/AA-01335
Comment 8 Tomas Hoger 2016-01-19 20:37:22 UTC 
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1300051]
Comment 9 Tomas Hoger 2016-01-19 20:37:27 UTC 
Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1300052]
Comment 10 Tomas Hoger 2016-01-20 09:39:41 UTC 
Upstream commit:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=fb17e1f9a2e34211af8d42f513bc63a26972674c
Comment 12 errata-xmlrpc 2016-01-27 11:41:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:0074 https://rhn.redhat.com/errata/RHSA-2016-0074.html
Comment 13 errata-xmlrpc 2016-01-27 12:05:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2016:0073 https://rhn.redhat.com/errata/RHSA-2016-0073.html