Bug 1299364 - (CVE-2015-8704) CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c
CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160119,repor...
: Security
Depends On: 1299375 1299376 1299377 1299378 1299379 1299380 1300051 1300052
Blocks: 1299370
  Show dependency treegraph
 
Reported: 2016-01-18 03:45 EST by Martin Prpič
Modified: 2016-03-10 21:24 EST (History)
10 users (show)

See Also:
Fixed In Version: bind 9.9.8-P3, bind 9.10.3-P3
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way BIND processed certain malformed Address Prefix List (APL) records. A remote, authenticated attacker could use this flaw to cause named to crash.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-28 00:20:57 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
9.10.3-rt41396-and-rt41397-CVE-2015-8704-and-CVE-2015-8705.diff (2.68 KB, text/plain)
2016-01-18 03:48 EST, Martin Prpič
no flags Details
9.9.8-rt41396-CVE-2015-8704.diff (687 bytes, text/plain)
2016-01-18 03:48 EST, Martin Prpič
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0073 normal SHIPPED_LIVE Moderate: bind security update 2016-01-27 12:04:41 EST
Red Hat Product Errata RHSA-2016:0074 normal SHIPPED_LIVE Moderate: bind97 security update 2016-01-27 11:40:55 EST

  None (edit)
Description Martin Prpič 2016-01-18 03:45:28 EST
The following flaw in BIND was reported by ISC:

A buffer size check used to guard against overflow could cause named to exit with an INSIST failure In apl_42.c.

A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations. Examples include (but may not be limited to):

Slaves using text-format db files could be vulnerable if receiving a malformed record in a zone transfer from their master.

Masters using text-format db files could be vulnerable if they accept a malformed record in a DDNS update message.

Recursive resolvers are potentially vulnerable when debug logging, if they are fed a deliberately malformed record by a malicious server.

A server which has cached a specially constructed record could encounter this condition while performing 'rndc dumpdb'.
Comment 1 Martin Prpič 2016-01-18 03:45:46 EST
Acknowledgements:

Red Hat would like to thank ISC for reporting this issue.
Comment 2 Martin Prpič 2016-01-18 03:48:20 EST
Created attachment 1115780 [details]
9.10.3-rt41396-and-rt41397-CVE-2015-8704-and-CVE-2015-8705.diff
Comment 3 Martin Prpič 2016-01-18 03:48:22 EST
Created attachment 1115781 [details]
9.9.8-rt41396-CVE-2015-8704.diff
Comment 7 Tomas Hoger 2016-01-19 15:32:55 EST
Public now via upstream advisory.

External References:

https://kb.isc.org/article/AA-01335
Comment 8 Tomas Hoger 2016-01-19 15:37:22 EST
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1300051]
Comment 9 Tomas Hoger 2016-01-19 15:37:27 EST
Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1300052]
Comment 12 errata-xmlrpc 2016-01-27 06:41:33 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:0074 https://rhn.redhat.com/errata/RHSA-2016-0074.html
Comment 13 errata-xmlrpc 2016-01-27 07:05:06 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2016:0073 https://rhn.redhat.com/errata/RHSA-2016-0073.html

Note You need to log in before you can comment on or make changes to this bug.