Bug 8403

Summary: NXT records improperly validated could lead to buffer overflow
Product: [Retired] Red Hat Linux
Reporter: T. Warfield <todd>
Component: bind
Assignee: Bernhard Rosenkraenzer <bero>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 6.0
CC: todd
Keywords: Security
Hardware: All
OS: Linux
URL: http://www.cert.org/advisories/CA-99-14-bind.html
Doc Type: Bug Fix
Last Closed: 2000-01-12 16:06:59 UTC

Description T. Warfield 2000-01-12 15:32:49 UTC
I. Description
Six vulnerabilities have been found in BIND, the popular domain name server
from the Internet Software Consortium (ISC). One of these
vulnerabilities may allow remote intruders to gain privileged access to
name servers.

Vulnerability #1: the "nxt bug"

Some versions of BIND fail to properly validate NXT records. This improper
validation could allow an intruder to overflow a buffer and execute
arbitrary code with the privileges of the name server.

NXT record support was introduced in BIND version 8.2. Prior versions of
BIND, including 4.x, are not vulnerable to this problem. The
ISC-supplied version of BIND corrected this problem in version 8.2.2.

Vulnerability #2: the "sig bug"

This vulnerability involves a failure to properly validate SIG records,
allowing a remote intruder to crash named; see the impact section for
additional details.
SIG record support is found in multiple versions of BIND, including 4.9.5
through 8.x.

Vulnerability #3: the "so_linger bug"

By intentionally violating the expected protocols for closing a TCP
session, remote intruders can cause named to pause for periods up to 120
seconds.

Vulnerability #4: the "fdmax bug"

Remote intruders can consume more file descriptors than BIND can properly
manage, causing named to crash.

Vulnerability #5: the "maxdname bug"

Improper handling of certain data copied from the network could allow a
remote intruder to disrupt the normal operation of your name server,
possibly including a crash.

Vulnerability #6: the "naptr bug"

Some versions of BIND fail to validate zone information loaded from disk
files. In environments with unusual combinations of permissions and
protections, this could allow an intruder to crash named.

Comment 1 T. Warfield 2000-01-12 15:34:59 UTC
bind 8.2.2.P5 has been released to resolve this problem - but isn't available
from RH as of yet.

Comment 2 Bernhard Rosenkraenzer 2000-01-12 15:59:59 UTC
We're well aware of those and have released fixed packages several weeks ago.
Look at your favorite updates mirror.

Comment 3 Bernhard Rosenkraenzer 2000-01-12 16:06:59 UTC
Actually 8.2.2P5 *is* available from Red Hat, in Raw Hide.
8.2.2P3 (with a p4 patch applied) is available for older versions in the updates
directory on the ftp server.
8.2.2P5 does *NOT* fix any security problems, and does *NOT* have any other
important fixes 8.2.2P4 doesn't have, so there's no reason to issue yet another
update for the older versions.
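
The comments above turn on which package version carries the fix. As an added example that is not part of the bug thread: a small POSIX sh function that classifies a BIND version string against the "nxt bug" range stated in the advisory (NXT support added in 8.2, corrected in 8.2.2), for triage of `rpm -q --qf '%{VERSION}' bind` output or of a server's self-reported `version.bind`. It covers only vulnerability #1; the other five have affected ranges this page does not state, and a server may hide or forge `version.bind`, so the answer is a hint, not proof. The accepted version forms and the output words are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the bug thread. Classifies a BIND version string
# against the "nxt bug" range quoted in the advisory: NXT support arrived in
# 8.2 and ISC fixed the bug in 8.2.2, so 8.2 and 8.2.1 are affected and
# 8.2.2 with any patch level (P3, P5, ...) is not. Only vulnerability #1 is
# covered. Accepted forms (an assumption): MAJOR.MINOR[.PATCH], optionally
# followed by an ISC patch level written as "P3", "-P5", ".P5" or "_P3".

# bind_nxt_vulnerable VERSION
#   prints "vulnerable" (exit 0), "not-vulnerable" (exit 1) or
#   "unparseable" (exit 2)
bind_nxt_vulnerable() {
    base=$1
    case "$base" in
        *[Pp]*) base=${base%%[Pp]*} ;;      # drop the ISC patch level
    esac
    base=${base%[-._]}                      # and its separator, if any

    major=${base%%.*}
    rest=${base#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    [ -n "$patch" ] || patch=0              # "8.2" means 8.2.0

    case "$major$minor$patch" in
        ''|*[!0-9]*) echo unparseable; return 2 ;;
    esac

    if [ "$major" -eq 8 ] && [ "$minor" -eq 2 ] && [ "$patch" -lt 2 ]; then
        echo vulnerable; return 0
    fi
    echo not-vulnerable; return 1
}

# Typical use on the local package:
#   bind_nxt_vulnerable "$(rpm -q --qf '%{VERSION}' bind)"
# or on a remote server's self-reported version (may be hidden or forged):
#   bind_nxt_vulnerable "$(dig @ns1.example.net version.bind txt chaos +short | tr -d '"')"
```

The parse deliberately strips the patch level rather than comparing it, because the advisory fixes the bug at the 8.2.2 base release; P3, P4 and P5 all sit on that base, which is exactly the point Comment 3 makes about not needing a further update.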