Bug 1389652 (CVE-2016-8864)

Summary: CVE-2016-8864 bind: assertion failure while handling responses containing a DNAME answer
Product: [Other] Security Response
Component: vulnerability
Reporter: Dhiru Kholia <dkholia>
Assignee: Red Hat Product Security <security-response-team>
QA Contact: Petr Sklenar <psklenar>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: chorn, luke, redhat-bugzilla, security-response-team, slawomir, slong, thozza
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.
Last Closed: 2016-12-06 11:25:12 UTC
Bug Depends On: 1390127, 1390128, 1390129, 1390130, 1390131, 1390159, 1391319, 1391320, 1398197, 1398199, 1398200, 1398201, 1398202, 1457186    
Bug Blocks: 1389641    

Description Dhiru Kholia 2016-10-28 06:12:18 UTC
A defect in BIND's handling of responses containing a DNAME answer
can cause a resolver to exit after encountering an assertion failure
in db.c or resolver.c.

During processing of a recursive response that contains a DNAME
record in the answer section, BIND can stop execution after
encountering an assertion error in resolver.c (error message:
"INSIST((valoptions & 0x0002U) != 0) failed") or db.c (error
message: "REQUIRE(targetp != ((void *)0) && *targetp == ((void
*)0)) failed").

A server encountering either of these error conditions will stop,
resulting in denial of service to clients. The risk to authoritative
servers is minimal; recursive servers are chiefly at risk.
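
As an added example (not part of the bug report or of BIND's code), the check below scans named log lines for the two assertion messages quoted in the description above, so a resolver crash can be attributed to this flaw. The syslog line shape, the source line numbers, the host name and all sample lines are constructed assumptions.

```python
import re

# Assertion texts quoted in the bug description, keyed by the source file named there.
SIGNATURES = {
    "resolver.c": "INSIST((valoptions & 0x0002U) != 0) failed",
    "db.c": "REQUIRE(targetp != ((void *)0) && *targetp == ((void *)0)) failed",
}

# Assumed log shape: "<prefix> named[pid]: <file>:<line>: <assertion text>[, back trace]"
ASSERT_RE = re.compile(
    r"named\[(?P<pid>\d+)\]:\s+(?P<file>[\w.]+):(?P<line>\d+):\s+(?P<msg>.+)$"
)

def normalize(text):
    """Drop all whitespace so re-spaced assertion text still matches."""
    return re.sub(r"\s+", "", text)

def find_cve_2016_8864_crashes(lines):
    """Return one record per log line carrying either assertion signature."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        m = ASSERT_RE.search(raw)
        if not m:
            continue
        expected = SIGNATURES.get(m.group("file"))
        # Require both the file name and the exact assertion expression,
        # so other assertions in resolver.c or db.c are not misattributed.
        if expected and normalize(expected) in normalize(m.group("msg")):
            hits.append({"lineno": lineno,
                         "pid": int(m.group("pid")),
                         "source": m.group("file")})
    return hits

# Constructed sample log (line numbers such as ":1234:" are placeholders).
SAMPLE_LOG = [
    "Nov  2 10:01:07 ns1 named[2231]: client 192.0.2.10#53211: query: example.test IN A",
    "Nov  2 10:01:09 ns1 named[2231]: resolver.c:1234: INSIST((valoptions & 0x0002U) != 0) failed, back trace",
    "Nov  2 10:01:09 ns1 named[2231]: exiting (due to assertion failure)",
    "Nov  2 10:05:40 ns1 named[2460]: db.c:1234: REQUIRE(targetp != ((void*)0) && *targetp == ((void*)0)) failed",
    "Nov  2 10:09:12 ns1 named[2611]: resolver.c:1234: REQUIRE(fctx != ((void *)0)) failed",
]

if __name__ == "__main__":
    for hit in find_cve_2016_8864_crashes(SAMPLE_LOG):
        print(f"line {hit['lineno']}: named[{hit['pid']}] hit {hit['source']} assertion")
```

A match on a recursive server is a signal to confirm that the fixed bind package from the errata listed in the comments below is installed.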

Comment 1 Dhiru Kholia 2016-10-28 06:12:30 UTC
Acknowledgments:

Name: ISC
Upstream: Tony Finch (University of Cambridge), Marco Davids (SIDN Labs)

Comment 8 Dhiru Kholia 2016-11-02 04:42:35 UTC
External References:

https://kb.isc.org/article/AA-01434

Comment 9 Dhiru Kholia 2016-11-02 07:44:12 UTC
Public via http://seclists.org/oss-sec/2016/q4/300

Comment 10 errata-xmlrpc 2016-11-02 18:25:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:2142 https://rhn.redhat.com/errata/RHSA-2016-2142.html

Comment 11 errata-xmlrpc 2016-11-02 18:29:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2016:2141 https://rhn.redhat.com/errata/RHSA-2016-2141.html

Comment 12 Robert Scheck 2016-11-02 21:11:15 UTC
Is there a specific reason that no bug reports for Fedora were opened, too?
Fedora 23+ are shipping bind-9.10.4-2.P3, but not P4 currently.

Comment 13 Dhiru Kholia 2016-11-03 03:57:44 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1391319]

Comment 14 Dhiru Kholia 2016-11-03 03:58:19 UTC
Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1391320]

Comment 15 errata-xmlrpc 2016-11-04 09:04:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2615 https://rhn.redhat.com/errata/RHSA-2016-2615.html

Comment 17 errata-xmlrpc 2016-12-06 05:35:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support
  Red Hat Enterprise Linux 6.4 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.7 Extended Update Support
  Red Hat Enterprise Linux 6.5 Telco Extended Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2016:2871 https://rhn.redhat.com/errata/RHSA-2016-2871.html

Comment 19 errata-xmlrpc 2017-06-28 09:01:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:1583 https://access.redhat.com/errata/RHSA-2017:1583