Bug 1299364 (CVE-2015-8704) - CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c
Summary: CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8704
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1299375 1299376 1299377 1299378 1299379 1299380 1300051 1300052
Blocks: 1299370
TreeView+ depends on / blocked
 
Reported: 2016-01-18 08:45 UTC by Martin Prpič
Modified: 2023-05-12 14:42 UTC (History)
10 users (show)

Fixed In Version: bind 9.9.8-P3, bind 9.10.3-P3
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way BIND processed certain malformed Address Prefix List (APL) records. A remote, authenticated attacker could use this flaw to cause named to crash.
Clone Of:
Environment:
Last Closed: 2016-01-28 05:20:57 UTC
Embargoed:

Attachments (Terms of Use)
9.10.3-rt41396-and-rt41397-CVE-2015-8704-and-CVE-2015-8705.diff (2.68 KB, text/plain)
2016-01-18 08:48 UTC, Martin Prpič 		no flags Details
9.9.8-rt41396-CVE-2015-8704.diff (687 bytes, text/plain)
2016-01-18 08:48 UTC, Martin Prpič 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0073 0 normal SHIPPED_LIVE Moderate: bind security update 2016-01-27 17:04:41 UTC
Red Hat Product Errata RHSA-2016:0074 0 normal SHIPPED_LIVE Moderate: bind97 security update 2016-01-27 16:40:55 UTC

Description Martin Prpič 2016-01-18 08:45:28 UTC 
The following flaw in BIND was reported by ISC:

A buffer size check used to guard against overflow could cause named to exit with an INSIST failure In apl_42.c.

A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations. Examples include (but may not be limited to):

Slaves using text-format db files could be vulnerable if receiving a malformed record in a zone transfer from their master.

Masters using text-format db files could be vulnerable if they accept a malformed record in a DDNS update message.

Recursive resolvers are potentially vulnerable when debug logging, if they are fed a deliberately malformed record by a malicious server.

A server which has cached a specially constructed record could encounter this condition while performing 'rndc dumpdb'.
Comment 1 Martin Prpič 2016-01-18 08:45:46 UTC 
Acknowledgements:

Red Hat would like to thank ISC for reporting this issue.
Comment 2 Martin Prpič 2016-01-18 08:48:20 UTC 
Created attachment 1115780 [details]
9.10.3-rt41396-and-rt41397-CVE-2015-8704-and-CVE-2015-8705.diff
Comment 3 Martin Prpič 2016-01-18 08:48:22 UTC 
Created attachment 1115781 [details]
9.9.8-rt41396-CVE-2015-8704.diff
Comment 7 Tomas Hoger 2016-01-19 20:32:55 UTC 
Public now via upstream advisory.

External References:

https://kb.isc.org/article/AA-01335
Comment 8 Tomas Hoger 2016-01-19 20:37:22 UTC 
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1300051]
Comment 9 Tomas Hoger 2016-01-19 20:37:27 UTC 
Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1300052]
Comment 10 Tomas Hoger 2016-01-20 09:39:41 UTC 
Upstream commit:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=fb17e1f9a2e34211af8d42f513bc63a26972674c
Comment 12 errata-xmlrpc 2016-01-27 11:41:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:0074 https://rhn.redhat.com/errata/RHSA-2016-0074.html
Comment 13 errata-xmlrpc 2016-01-27 12:05:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2016:0073 https://rhn.redhat.com/errata/RHSA-2016-0073.html
Note You need to log in before you can comment on or make changes to this bug.