Bug 928027 (CVE-2013-2266)

Summary: CVE-2013-2266 bind: libdns regular expressions excessive resource consumption DoS
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: atkac, kmoriwak, njh, thozza, tis, tkubota, yohmura
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-03-28 22:07:21 UTC
Bug Depends On: 928032, 928271, 928272, 928273, 928274
Bug Blocks: 928028

Description Jan Lieskovsky 2013-03-26 17:51:33 UTC
A denial of service flaw was found in the way the libdns library implementation of BIND processed certain requests. A remote attacker could issue a specially crafted DNS query that, when processed, would lead to excessive memory consumption (memory exhaustion) on the side of the named server process, possibly leading to its crash.

References:
[1] https://kb.isc.org/article/AA-00871
[2] https://kb.isc.org/article/AA-00879
[3] https://lists.isc.org/pipermail/bind-users/2013-March/090211.html

Affected versions:
9.7.0 and later, BIND 10 is not affected

Solution:
Upgrade to BIND 9 version 9.8.4-P2, 9.9.2-P2 or recompile BIND without regular expression support.

Comment 4 Jan Lieskovsky 2013-03-26 18:25:40 UTC
Created bind tracking bugs for this issue

Affects: fedora-all [bug 928032]

Comment 11 Huzaifa S. Sidhpurwala 2013-03-27 10:36:35 UTC
*** Bug 928011 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2013-03-28 22:02:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0690 https://rhn.redhat.com/errata/RHSA-2013-0690.html

Comment 17 errata-xmlrpc 2013-03-28 22:03:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0689 https://rhn.redhat.com/errata/RHSA-2013-0689.html

Comment 18 Nigel Horne 2013-04-01 14:58:29 UTC
Is there a URL to a set of diffs for this fix?

Comment 19 Adam Tkac 2013-04-02 12:50:18 UTC
(In reply to comment #18)
> Is there a URL to a set of diffs for this fix?

You can simply diff bind-9.8.4-P1 and bind-9.8.4-P2 upstream releases. This is the patch (please note that I stripped regeneration of configure script and some comments):

diff -urp bind-9.8.4-P1/config.h.in bind-9.8.4-P2/config.h.in
--- bind-9.8.4-P1/config.h.in   2012-10-26 06:52:55.000000000 +0200
+++ bind-9.8.4-P2/config.h.in   2013-03-06 17:57:05.000000000 +0100
@@ -286,9 +286,6 @@ int sigwait(const unsigned int *set, int
 /* Define if your OpenSSL version supports GOST. */
 #undef HAVE_OPENSSL_GOST

-/* Define to 1 if you have the <regex.h> header file. */
-#undef HAVE_REGEX_H
-
 /* Define to 1 if you have the `setegid' function. */
 #undef HAVE_SETEGID

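Review bot: The removal of the HAVE_REGEX_H template in this hunk leaves no record of why the macro is gone. config.h.in is normally regenerated by autoheader from configure.in, so the template stays removed only as long as regex.h stays out of AC_CHECK_HEADERS. A short comment in configure.in naming CVE-2013-2266 would keep a later cleanup from adding the header check back and quietly re-enabling regular expression support.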
diff -urp bind-9.8.4-P1/configure.in bind-9.8.4-P2/configure.in
--- bind-9.8.4-P1/configure.in  2012-10-26 06:52:55.000000000 +0200
+++ bind-9.8.4-P2/configure.in  2013-03-06 17:57:05.000000000 +0100
@@ -298,7 +298,7 @@ esac

 AC_HEADER_STDC

-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
 [$ac_includes_default
 #ifdef HAVE_SYS_PARAM_H
 # include <sys/param.h>
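Review bot: Dropping regex.h from the AC_CHECK_HEADERS list on the `+` line only stops configure from defining HAVE_REGEX_H; none of the lines shown touch the code that tests the macro, so that code would still be compiled in if the macro were defined some other way, for example through CPPFLAGS in a package build. Consider also forcing the macro off, or removing the guarded code, at the place where it is used, and add a `dnl` comment above this check stating that regex.h is omitted on purpose.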

Comment 20 Vincent Danen 2013-04-02 22:22:50 UTC
External References:

https://kb.isc.org/article/AA-00871
https://kb.isc.org/article/AA-00879

Comment 21 Tomas Hoger 2013-04-03 08:22:36 UTC
Statement:

This issue did not affect the versions of bind package as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue was corrected in bind97 packages in Red Hat Enterprise Linux 5 and bind packages in Red Hat Enterprise Linux 6.

Comment 22 Fedora Update System 2013-04-05 23:08:15 UTC
bind-9.9.2-10.P2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2013-04-07 00:24:44 UTC
bind-9.9.2-7.P2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.