Bug 20546

Summary: bind 8.2.2-P5 remote DoS
Product: [Retired] Red Hat Linux
Reporter: Daniel Roesen <dr>
Component: bind
Assignee: Bernhard Rosenkraenzer <bero>
Status: CLOSED ERRATA
QA Contact: Dale Lovelace <dale>
Severity: medium
Docs Contact:
Priority: high
Version: 6.2
CC: bruce, jarno.huuskonen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-11-10 09:37:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Daniel Roesen 2000-11-08 23:32:51 UTC
see:

 From: "Fabio Pietrosanti (naif)" <fabio>
 To: BUGTRAQ
 Subject:      BIND 8.2.2-P5 Possible DOS
 Message-ID:  <Pine.LNX.4.30.0011071339510.29294-100000.it>
 Date:         Tue, 7 Nov 2000 13:40:49 +0100

I can reproduce that, but not 100% reliably. In strace I'm seeing SIGABORTs
and SIGSEGVs.

My preferred and most-times-working reproduce path is:

- start named
- issue the ZXFR named-xfer
- do a _recursive_ query via named (non-recursive queries seem not to
  harm).

Comment 1 Daniel Roesen 2000-11-09 00:07:23 UTC
the recursively queried data must NOT be in cache or in a zone that bind is
authoritative for. These queries are answered and DON'T kill bind.

My now 100% reproducible testcase:

- machine is called "foo.whatever.de".
- local bind 8.2.2-P5, being authoritative for "whatever.de"
- named being open to zone transfers and doing recursive resolving by itself
- start named (==> empty caches)
- try ZXFR for "whatever.de"
- dig @localhost www.someelseoutthere.de A

=> crash

For a trace, hook up on named via strace -p `cat /var/run/named.pid` before the 
recursive query.

Comment 2 Daniel Roesen 2000-11-09 00:15:29 UTC
workaround for the moment:

allow-transfer { trusted-hosts; };
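The same restriction written out as a named.conf fragment, as an added example that is not part of the original report: the ACL name `trusted-hosts` is taken from the comment above, the addresses inside it and the directory and zone file paths are constructed placeholders, and every client not listed is refused AXFR/IXFR (and with it the ZXFR path that the report exercises).

```conf
// Added example, not from the bug report: defines the ACL the
// workaround refers to and applies it server-wide in a BIND 8 named.conf.
// Addresses below are constructed placeholders for your own secondaries.
acl trusted-hosts {
    127.0.0.1;          // the local host
    192.0.2.10;         // placeholder: secondary name server
    192.0.2.11;         // placeholder: secondary name server
};

options {
    directory "/var/named";                // placeholder path
    // Refuse zone transfers to any client that does not match the ACL.
    allow-transfer { trusted-hosts; };
};

// A per-zone allow-transfer overrides the global one. Either omit it so
// the options default applies, or keep it at least as strict as above.
zone "whatever.de" {
    type master;
    file "whatever.de.zone";               // placeholder file name
};
```

After reloading named, check the setting from a host that is not in the ACL with `dig @foo.whatever.de whatever.de AXFR`; the transfer must fail, while the same command from a listed secondary still returns the zone. Note that this only removes the trigger path described in the report; the actual fix is the 8.2.2-P7 update.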

Comment 3 Daniel Roesen 2000-11-09 03:25:15 UTC
News: "8.2.2-P7 will be available shortly".

Answer from Mark.Andrews in response to my report to bind-bugs.

Comment 4 Daniel Roesen 2000-11-10 00:22:58 UTC
The fix is to change:
./bin/named/ns_defs.h:#define STREAM_AXFRIXFR           0x22
to:
./bin/named/ns_defs.h:#define STREAM_AXFRIXFR           0x40

Info from Mark and looks right.

Comment 5 Daniel Roesen 2000-11-10 05:45:44 UTC
bind 8.2.2-P7 is released

Comment 6 Bernhard Rosenkraenzer 2000-11-10 09:37:12 UTC
8.2.2-P7 has been built in our internal tree and is currently waiting for QA approval.


Comment 7 Daniel Roesen 2000-11-14 17:57:37 UTC
OK, errata updates are out of the door, closing as RESOLVED/ERRATA.