Bug 1385450 (CVE-2016-2848)

Summary: CVE-2016-2848 bind: assertion failure triggered by a packet with malformed options
Product: [Other] Security Response Reporter: Dhiru Kholia <dkholia>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dkholia, fweimer, security-response-team, thozza
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way BIND handled packets with malformed options. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS packet.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-25 10:42:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1385452, 1385453, 1385454, 1385455, 1386548, 1386549, 1386550, 1386551, 1386552    
Bug Blocks: 1383236    

Description Dhiru Kholia 2016-10-17 05:02:43 UTC 
A packet with a malformed options section can be used to deliberately trigger an assertion failure affecting versions of BIND which do not contain change #3548.

A server vulnerable to this defect can be forced to exit with an assertion failure if it receives a malformed packet. Authoritative and recursive servers are both vulnerable.

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=CHANGES has more information on change #3548. The commit corresponding to this change is https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=4adf97c32fcca7d00e5756607fd045f2aab9c3d4.
Comment 6 Dhiru Kholia 2016-10-17 05:37:10 UTC 
Upstream commit:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=4adf97c32fcca7d00e5756607fd045f2aab9c3d4
Comment 14 Tomas Hoger 2016-10-20 18:19:58 UTC 
Public now via ISC upstream advisory.

External References:

https://kb.isc.org/article/AA-01433
Comment 15 errata-xmlrpc 2016-10-20 19:20:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:2094 https://rhn.redhat.com/errata/RHSA-2016-2094.html
Comment 16 errata-xmlrpc 2016-10-20 20:40:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2016:2093 https://rhn.redhat.com/errata/RHSA-2016-2093.html
Comment 17 errata-xmlrpc 2016-10-25 08:48:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support
  Red Hat Enterprise Linux 6.6 Extended Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.4 Advanced Update Support
  Red Hat Enterprise Linux 6.2 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Telco Extended Update Support

Via RHSA-2016:2099 https://rhn.redhat.com/errata/RHSA-2016-2099.html