Bug 224443

Summary: CVE-2007-0493 BIND might crash after attempting to read free()-ed memory
Product: [Fedora] Fedora
Reporter: Lubomir Kundrak <lkundrak>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 6
CC: deisenst, ovasik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://marc.theaimsgroup.com/?l=bind-announce&m=116968519321296&w=2
Whiteboard: impact=low,source=gentoo,public=20070125,reported=20070125,versions=fc5:fc6
Fixed In Version: bind-9.3.4-1.fc6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2007-01-30 13:53:43 UTC
Type: ---
Regression: ---
Documentation: ---
Bug Blocks: 230003
Attachments:
  Fix for BIND out-of-bound read DoS sucked from upstream BIND release (flags: none)

Description Lubomir Kundrak 2007-01-25 19:04:16 UTC
Description of problem:

fetchctx structures, not keeping count of their uses, might be read
even after being deallocated, resulting in name server denial of
service under certain circumstances.

Version-Release number of selected component (if applicable):

Unclear whether this issue also affects 3.2 BIND, besides 3.3.
For sure affects FC-5, FC-6 and RHEL-5

How reproducible:

Hardly ever.

Steps to Reproduce:

No known way to reproduce. The advisory notes that the issue can be
partly mitigated by disabling recursion, so probably some deep recursive
queries might trigger the bug?
  
Actual results:

Server DoS?

Expected results:

What would you expect from read of deallocated memory? :)

Additional info:

ISC sucks at providing either patches or information about the flaws.
The attached patch incorporates another fix which changes roughly the
same code.

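The description above says the fetch contexts carried no count of how many queries were still using them, so the first query to finish could free a structure that another query would later read. The following is an added illustration of that pattern, not BIND code and not the attached patch: a toy fetch context allocated from a static pool, a buggy "first finisher frees" path, and the reference-counted attach/detach discipline that fixes it. All names (fetchctx_t, fctx_attach, fctx_detach, the pool) are assumed for the example; the pool is used instead of malloc so the stale read is observable without undefined behaviour.

```c
/* Added example: reference counting for a shared fetch context.
 * Not BIND code; names and the static pool are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_FETCHES 4

typedef struct fetchctx {
    char name[64];        /* name being resolved */
    unsigned references;  /* queries that currently hold a pointer to us */
    int in_use;           /* 0 once handed back to the pool ("freed") */
} fetchctx_t;

static fetchctx_t pool[MAX_FETCHES];

/* Take a free slot from the pool; returns NULL when none is available. */
static fetchctx_t *fctx_alloc(const char *name) {
    for (int i = 0; i < MAX_FETCHES; i++) {
        if (!pool[i].in_use) {
            memset(&pool[i], 0, sizeof pool[i]);
            strncpy(pool[i].name, name, sizeof pool[i].name - 1);
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* Hand the slot back; any pointer still held by a query is now stale. */
static void fctx_free(fetchctx_t *f) { f->in_use = 0; }

/* A query joining an in-progress fetch takes a reference. */
static void fctx_attach(fetchctx_t *f, fetchctx_t **holder) {
    f->references++;
    *holder = f;
}

/* A query that is done drops its reference; the last one out frees the
 * context. Returns 1 if this call freed it. */
static int fctx_detach(fetchctx_t **holder) {
    fetchctx_t *f = *holder;
    *holder = NULL;
    if (--f->references == 0) {
        fctx_free(f);
        return 1;
    }
    return 0;
}

/* Uncounted model (the flaw class): query A finishes and frees the shared
 * context while query B still holds a pointer. Returns 1 if B's later read
 * hits a freed structure. */
int scenario_unsafe(void) {
    fetchctx_t *f = fctx_alloc("example.com");
    fetchctx_t *query_a = f, *query_b = f;   /* two queries share one fetch */
    (void)query_a;
    fctx_free(f);                             /* A is done: frees unconditionally */
    return query_b->in_use == 0;              /* B reads a stale structure */
}

/* Counted model (the fix class): the context stays alive until the last
 * holder detaches. Returns 1 if B only ever saw a live structure and the
 * final detach is what freed it. */
int scenario_counted(void) {
    fetchctx_t *f = fctx_alloc("example.com");
    fetchctx_t *query_a = NULL, *query_b = NULL;
    fctx_attach(f, &query_a);
    fctx_attach(f, &query_b);
    int freed_early = fctx_detach(&query_a);  /* A done: 2 -> 1, not freed */
    int live_for_b = query_b->in_use;         /* B still reads a live struct */
    int freed_last = fctx_detach(&query_b);   /* B done: 1 -> 0, freed here */
    return !freed_early && live_for_b && freed_last;
}

int main(void) {
    printf("uncounted: stale read by second query = %d\n", scenario_unsafe());
    printf("counted:   second query always safe   = %d\n", scenario_counted());
    return 0;
}
```

The point of the counted version is that ownership is shared explicitly: no holder may free the structure directly, only the attach/detach pair may, and freeing happens exactly once, on the transition of the count to zero.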
Comment 1 Lubomir Kundrak 2007-01-25 19:04:16 UTC
Created attachment 146596 [details]
Fix for BIND out-of-bound read DoS sucked from upstream BIND release

Comment 3 Josh Bressers 2007-01-29 21:07:50 UTC
It looks like this update has been released for FC6, but has not been fixed in
FC5 yet.

Comment 4 David Eisenstein 2007-02-02 19:26:36 UTC
Looks like updates for these issues have been issued now for both FC5 and
FC6.

FC6:  FEDORA-2007-147
http://www.redhat.com/archives/fedora-package-announce/2007-January/msg00153.html

FC5:  FEDORA-2007-164
http://www.redhat.com/archives/fedora-package-announce/2007-January/msg00180.html