Bug 8403 - NXT records improperly validated could lead to buffer overflow
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: bind (Show other bugs)
Version: 6.0
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Bernhard Rosenkraenzer
http://www.cert.org/advisories/CA-99-...
Keywords: Security
Reported: 2000-01-12 10:32 EST by T. Warfield
Modified: 2008-05-01 11:37 EDT (History)
Last Closed: 2000-01-12 11:06:59 EST
Description T. Warfield 2000-01-12 10:32:49 EST
I. Description
Six vulnerabilities have been found in BIND, the popular domain name server
from the Internet Software Consortium (ISC). One of these
vulnerabilities may allow remote intruders to gain privileged access to
name servers.

Vulnerability #1: the "nxt bug"

Some versions of BIND fail to properly validate NXT records. This improper
validation could allow an intruder to overflow a buffer and execute
arbitrary code with the privileges of the name server.

NXT record support was introduced in BIND version 8.2. Prior versions of
BIND, including 4.x, are not vulnerable to this problem. The
ISC-supplied version of BIND corrected this problem in version 8.2.2.

Vulnerability #2: the "sig bug"

This vulnerability involves a failure to properly validate SIG records,
allowing a remote intruder to crash named; see the impact section for
additional details.

SIG record support is found in multiple versions of BIND, including 4.9.5
through 8.x.

Vulnerability #3: the "so_linger bug"

By intentionally violating the expected protocols for closing a TCP
session, remote intruders can cause named to pause for periods up to 120
seconds.

Vulnerability #4: the "fdmax bug"

Remote intruders can consume more file descriptors than BIND can properly
manage, causing named to crash.

Vulnerability #5: the "maxdname bug"

Improper handling of certain data copied from the network could allow a
remote intruder to disrupt the normal operation of your name server,
possibly including a crash.

Vulnerability #6: the "naptr bug"

Some versions of BIND fail to validate zone information loaded from disk
files. In environments with unusual combinations of permissions and
protections, this could allow an intruder to crash named.
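The "nxt bug" above names the defect (NXT record data copied into fixed buffers without proper validation of its length) but not its shape. The following is an added, illustrative example and not BIND's code or part of this bug report: a bounds-checked parser for NXT RDATA in C. Per RFC 2535 section 5.2, NXT RDATA is the next domain name in wire format (at most 255 octets) followed by a type bit map (one bit per type, types up to 127, so 1 to 16 octets). The names `nxt_parse`, `nxt_name_length`, `struct nxt_rdata` and the `NXT_SAMPLE_*` inputs are chosen for this example, and it assumes the name has already been decompressed by the message parser, so a compression-pointer octet is rejected here. The property it demonstrates is the one the advisory says vulnerable builds lacked: every copy is preceded by a check against the declared RDATA length and the destination size.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative NXT RDATA validator (added example, not BIND source).
 * NXT RDATA = next domain name (uncompressed wire format, <= 255 octets)
 *             followed by a type bit map (1..16 octets, RFC 2535 s.5.2). */

#define NXT_MAX_NAME   255
#define NXT_MAX_BITMAP 16

enum nxt_status {
    NXT_OK = 0,
    NXT_ERR_NAME,     /* name truncated, too long, or contains a compression pointer */
    NXT_ERR_BITMAP    /* bit map missing or longer than 16 octets */
};

struct nxt_rdata {
    uint8_t next_name[NXT_MAX_NAME];   /* copy of the wire-format name */
    size_t  next_name_len;
    uint8_t bitmap[NXT_MAX_BITMAP];    /* copy of the type bit map */
    size_t  bitmap_len;
};

/* Walk the wire-format name label by label, never reading past `avail`.
 * Returns the encoded length including the root label, or 0 on error. */
static size_t nxt_name_length(const uint8_t *p, size_t avail)
{
    size_t off = 0;
    while (off < avail) {
        uint8_t lablen = p[off];
        if (lablen == 0)
            return off + 1;            /* root label: name complete */
        if (lablen > 63)
            return 0;                  /* 0xC0.. pointer or invalid label type (assumed decompressed input) */
        if (off + 1 + lablen > avail)
            return 0;                  /* label claims more octets than the RDATA holds */
        off += 1 + lablen;
        if (off >= NXT_MAX_NAME)
            return 0;                  /* no room left for the root label within 255 octets */
    }
    return 0;                          /* data ended before the root label */
}

/* Validate `rdlen` octets of NXT RDATA and copy them into `out`.
 * Nothing is written to `out` unless both parts fit their buffers. */
int nxt_parse(const uint8_t *rdata, size_t rdlen, struct nxt_rdata *out)
{
    size_t namelen = nxt_name_length(rdata, rdlen);
    if (namelen == 0)
        return NXT_ERR_NAME;

    size_t bitlen = rdlen - namelen;   /* cannot underflow: namelen <= rdlen */
    if (bitlen == 0 || bitlen > NXT_MAX_BITMAP)
        return NXT_ERR_BITMAP;

    /* Both lengths are now known to fit the fixed-size destination buffers. */
    memcpy(out->next_name, rdata, namelen);
    out->next_name_len = namelen;
    memcpy(out->bitmap, rdata + namelen, bitlen);
    out->bitmap_len = bitlen;
    return NXT_OK;
}

/* Constructed sample RDATA for exercising the parser (not captured traffic). */
const uint8_t NXT_SAMPLE_OK[]      = { 1, 'b', 0, 0x40 };   /* name "b." + 1-octet bit map */
const uint8_t NXT_SAMPLE_OVERRUN[] = { 5, 'a', 'b' };        /* label length 5, only 2 octets follow */
const uint8_t NXT_SAMPLE_POINTER[] = { 0xC0, 0x0C, 0x40 };   /* compression pointer where a label is expected */
const uint8_t NXT_SAMPLE_NOBITS[]  = { 0 };                  /* root name, bit map missing */
```

The two length checks in `nxt_name_length` (label against remaining RDATA, running total against 255) and the bit-map size check in `nxt_parse` are the places where a parser that trusts the wire data instead of checking it will write past the end of its buffers; every rejected case returns before any `memcpy` runs.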
Comment 1 T. Warfield 2000-01-12 10:34:59 EST
bind 8.2.2.P5 has been released to resolve this problem - but isn't available
from RH as of yet.
Comment 2 Bernhard Rosenkraenzer 2000-01-12 10:59:59 EST
We're well aware of those and have released fixed packages several weeks ago.
Look at your favorite updates mirror.
Comment 3 Bernhard Rosenkraenzer 2000-01-12 11:06:59 EST
Actually 8.2.2P5 *is* available from Red Hat, in Raw Hide.
8.2.2P3 (with a p4 patch applied) is available for older versions in the updates
directory on the ftp server.
8.2.2P5 does *NOT* fix any security problems, and does *NOT* have any other
important fixes 8.2.2P4 doesn't have, so there's no reason to issue yet another
update for the older versions.