Bug 558497 - malicious "debug" code in bind init script
Summary: malicious "debug" code in bind init script
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: 11
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-01-25 14:29 UTC by Radek Liboska
Modified: 2013-04-30 23:45 UTC (History)

Fixed In Version: 9.6.1-16.P3.fc12
Doc Type: Bug Fix
Last Closed: 2010-02-05 01:31:06 UTC
Type: ---

Description Radek Liboska 2010-01-25 14:29:49 UTC
Description of problem:

Malicious code ("setsebool named_write_master_zones 0") in named.init was inserted by the "Fedora Project" into bind-9.6.1-9.P3.fc11.i586 (Fedora Updates; it was not present in the original release).
This code sets the SELinux boolean "named_write_master_zones" to "off", which made use of bind-9.6.1-9.P3.fc11 as the secondary nameserver impossible. An update of the bind package cripples the nameserver. The bug is hard to find, because the initscript overwrites the SELinux parameters every time the server is reloaded.


Version-Release number of selected component (if applicable):

bind-9.6.1-9.P3.fc11.i586


How reproducible:

always

Steps to Reproduce:
1. service named reload
  
Actual results:

sebool variable named_write_master_zones switched off

Expected results:

sebool variable named_write_master_zones unchanged

Additional info:

remove "DEBUG" code from named.init; such crap has no place in this file!
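
The failure mode reported above, an init script that resets an SELinux boolean on every reload, can be audited for across init scripts. The script below is an added example, not code from Fedora or from the reporter; the function names and the sample file named.sample are assumptions, and only the setsebool call is taken from the report.

```shell
#!/bin/sh
# Added example (not Fedora's code): list setsebool calls in init scripts.
# Output per call: FILE:LINE:BOOLEAN=VALUE:MODE, where MODE is "persistent"
# with -P and "runtime-only" otherwise. Only the first boolean of a call
# is reported; comment stripping is naive and ignores shell quoting.
scan_setsebool() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                       # drop comments
        n = split(line, tok, /[ \t;&|()]+/)        # rough shell tokenizer
        for (i = 1; i <= n; i++) {
            if (tok[i] !~ /(^|\/)setsebool$/) continue
            mode = "runtime-only"
            j = i + 1
            while (j <= n && tok[j] ~ /^-/) {      # option flags such as -P
                if (tok[j] ~ /P/) mode = "persistent"
                j++
            }
            if (j > n) continue
            name = tok[j]
            value = (j < n) ? tok[j + 1] : ""
            # Skip non-calls such as: [ -x /usr/sbin/setsebool ]
            if (name !~ /^[A-Za-z_][A-Za-z0-9_]*(=.*)?$/) continue
            if (name ~ /=/) { value = name; sub(/^[^=]*=/, "", value); sub(/=.*/, "", name) }
            printf "%s:%d:%s=%s:%s\n", FILENAME, FNR, name, value, mode
        }
    }' "$@"
}

# Constructed sample, not the real named.init; only the setsebool call
# itself is taken from the bug report.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/named.sample" <<'EOF'
#!/bin/sh
# setsebool named_write_master_zones 1   (commented out, must be ignored)
reload() {
    [ -x /usr/sbin/setsebool ] && /usr/sbin/setsebool named_write_master_zones 0
    echo "Reloading named"
}
EOF
    (cd "$dir" && scan_setsebool named.sample)
    rm -rf "$dir"
}

if [ "$#" -gt 0 ]; then scan_setsebool "$@"; else demo; fi
```

Run with init script paths as arguments to scan real files; a "runtime-only" hit means the script overrides whatever value the administrator set each time that code path runs.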

Comment 1 Fedora Update System 2010-01-27 15:34:19 UTC
bind-9.6.1-10.P3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bind-9.6.1-10.P3.fc11

Comment 2 Fedora Update System 2010-01-27 15:34:28 UTC
bind-9.6.1-16.P3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/bind-9.6.1-16.P3.fc12

Comment 3 Radek Liboska 2010-01-27 16:04:10 UTC
fixed, thank you

Comment 4 Fedora Update System 2010-01-29 03:24:17 UTC
bind-9.6.1-10.P3.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update bind'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1186

Comment 5 Fedora Update System 2010-01-29 03:26:16 UTC
bind-9.6.1-16.P3.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update bind'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1195

Comment 6 Fedora Update System 2010-02-05 01:30:57 UTC
bind-9.6.1-10.P3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2010-02-05 01:38:47 UTC
bind-9.6.1-16.P3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

