Bug 1259085 (CVE-2015-5986) - CVE-2015-5986 Bind: fromwire_openpgpkey() incorrect boundary check Denial of Service
Summary: CVE-2015-5986 Bind: fromwire_openpgpkey() incorrect boundary check Denial of ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-5986
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1259563
Blocks: 1259089
TreeView+ depends on / blocked
 
Reported: 2015-09-01 23:40 UTC by Kurt Seifried
Modified: 2023-05-12 10:34 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-09-03 04:59:33 UTC
Embargoed:

Attachments (Terms of Use)
CVE-2015-5986.BIND.9.10.2.diff (477 bytes, patch)
2015-09-01 23:41 UTC, Kurt Seifried 		no flags Details | Diff
CVE-2015-5986.BIND-9.9.7.diff (475 bytes, patch)
2015-09-01 23:42 UTC, Kurt Seifried 		no flags Details | Diff
View All

Description Kurt Seifried 2015-09-01 23:40:48 UTC 
The following flaw, reported by ISC, was found in recent versions of BIND 9 ( 9.9.7 through 9.9.7-P2, and 9.10.2 through 9.10.2-P3):

An incorrect boundary check in openpgpkey_61.c can cause named to
terminate due to a REQUIRE assertion failure. This defect can be
deliberately exploited by an attacker who can provide a maliciously
constructed response in answer to a query.

Acknowledgements:

Red Hat would like to thank ISC for reporting this issue.
Comment 1 Kurt Seifried 2015-09-01 23:41:49 UTC 
Created attachment 1069242 [details]
CVE-2015-5986.BIND.9.10.2.diff
Comment 2 Kurt Seifried 2015-09-01 23:42:14 UTC 
Created attachment 1069243 [details]
CVE-2015-5986.BIND-9.9.7.diff
Comment 3 Kurt Seifried 2015-09-02 04:03:23 UTC 
Statement:

This issue did not affect the versions of Bind as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7 as they did not include support for fromwire_openpgpkey().
Comment 5 Huzaifa S. Sidhpurwala 2015-09-03 01:22:11 UTC 
External References:

https://kb.isc.org/article/AA-01291/0
Comment 6 Huzaifa S. Sidhpurwala 2015-09-03 04:54:45 UTC 
Created bind99 tracking bugs for this issue:

Affects: fedora-22 [bug 1259563]
Comment 7 Fedora Update System 2015-09-06 01:09:30 UTC 
bind99-9.9.7-7.P3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-09-06 17:04:53 UTC 
bind99-9.9.7-7.P3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2015-09-24 08:26:17 UTC 
bind99-9.9.7-7.P3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.