Bug 1299367 (CVE-2015-8705)

Summary: CVE-2015-8705 bind: crash when converting OPT resource records and ECS options to text format
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: bind 9.10.3-P3
Doc Type: Bug Fix
Last Closed: 2016-01-19 20:39:30 UTC
Bug Depends On: 1300051
Bug Blocks: 1299370
Attachments: 9.10.3-rt41396-and-rt41397-CVE-2015-8704-and-CVE-2015-8705.diff (flags: none)

Description Martin Prpič 2016-01-18 08:57:27 UTC
The following flaw in BIND was reported by ISC:

In versions of BIND 9.10, errors can occur when OPT pseudo-RR data or ECS options are formatted to text. In 9.10.3 through 9.10.3-P2, the issue may result in a REQUIRE assertion failure in buffer.c. In prior 9.10 versions, it may result in named crashing (such as with a segmentation fault) or other misbehavior due to a buffer overrun.

This issue can affect both authoritative and recursive servers if they are performing debug logging. (It may also crash related tools which use the same code, such as dig or delv.)

Mitigation:

Disable debug logging in named.
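
A quick exposure check built from the version ranges and the mitigation above, as an added example that is not part of the original bug report or of BIND. The function names and the sample named.conf are constructed for illustration, and the comment stripping is a simplification that ignores comment markers inside quoted strings.

```python
import re

FIXED = (3, 3)  # 9.10.3-P3, the "Fixed In Version" on this bug

def impact(version):
    """Failure mode the description gives for a BIND version, else None."""
    m = re.match(r"9\.10\.(\d+)(?:-P(\d+))?", version.strip())
    if not m:
        return None  # not a 9.10 release: only BIND 9.10 is affected
    rel = (int(m.group(1)), int(m.group(2) or 0))
    if rel >= FIXED:
        return None
    return "assertion-failure" if rel >= (3, 0) else "buffer-overrun"

# named.conf accepts /* */, // and # comments; strip them before matching.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
CHANNEL = re.compile(r"\bchannel\s+\"?([\w.-]+)\"?\s*\{(.*?)\}\s*;", re.S)
# "dynamic" follows the server's global debug level (named -d, rndc trace),
# so it only emits debug output when that level is above zero.
SEVERITY = re.compile(r"\bseverity\s+(debug(?:\s+\d+)?|dynamic)\s*;")

def debug_channels(conf_text):
    """List (channel, severity) pairs that can carry debug output."""
    text = COMMENTS.sub("", conf_text)
    found = []
    for name, body in CHANNEL.findall(text):
        m = SEVERITY.search(body)
        if m:
            found.append((name, " ".join(m.group(1).split())))
    return found

def exposed(version, conf_text):
    """True when an affected version is configured with debug logging."""
    return impact(version) is not None and bool(debug_channels(conf_text))

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = '''
logging {
    channel query_log { file "/var/log/named/query.log"; severity info; };
    // channel old_dbg { file "old.log"; severity debug 9; };
    channel trace_log {
        file "/var/log/named/trace.log" versions 3 size 5m;
        severity debug 3;
    };
    channel follow_level { syslog daemon; severity dynamic; };
};
'''

if __name__ == "__main__":
    print(impact("9.10.3-P2"), debug_channels(SAMPLE_CONF))
```

A configuration check like this cannot see a debug level raised at runtime, so the running server's current debug level still needs to be confirmed separately.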

Comment 1 Martin Prpič 2016-01-18 08:57:48 UTC
Acknowledgements:

Red Hat would like to thank ISC for reporting this issue.

Comment 2 Martin Prpič 2016-01-18 08:58:22 UTC
Created attachment 1115783
9.10.3-rt41396-and-rt41397-CVE-2015-8704-and-CVE-2015-8705.diff

Comment 4 Tomas Hoger 2016-01-19 20:34:34 UTC
Public now via upstream advisory.

External References:

https://kb.isc.org/article/AA-01336

Comment 5 Tomas Hoger 2016-01-19 20:37:33 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1300051]

Comment 6 Tomas Hoger 2016-01-19 20:39:30 UTC
Only BIND 9.10 was affected by this issue; therefore, no Red Hat Enterprise Linux version was affected.