Bug 903417 - (CVE-2012-5689) CVE-2012-5689 bind: denial of service when processing queries and with both DNS64 and RPZ enabled
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20130124,repor...
Keywords: Security
Depends On: 903832 906665 906666
Blocks: 903419
Reported: 2013-01-23 18:29 EST by Vincent Danen
Modified: 2015-11-24 10:26 EST (History)

Doc Type: Bug Fix
Last Closed: 2013-05-02 05:34:01 EDT


Description Vincent Danen 2013-01-23 18:29:37 EST
An error condition may occur when a nameserver which is configured to use DNS64 performs a AAAA lookup for a record with an A record rewrite rule in a Response Policy Zone (RPZ). If the RPZ is unable to provide a AAAA record for the name, but does provide a rewritten A record, then the DNS64 processing code will attempt to remap that A record into a AAAA record. Due to a coding error, this interaction between the RPZ database and the DNS64 remapping code can cause the named process to terminate with an assertion failure.

This only affects BIND 9.8.0 through to 9.8.4-P1 and 9.9.0 through to 9.9.2-P1.  It also requires the server to be using RPZ rewrite rules (specifically, A rewrite rules but not AAAA rewrite rules) and also using DNS64.  Systems that only use RPZ to generate NXDOMAIN or CNAME or NOERROR/NODATA responses, or to rewrite other resource record types besides the A type, will not trigger this bug.  In particular, this will only affect those systems using RPZ to rewrite DNS records into A records, and then attempt to map those same A records into AAAA records via DNS64.

ISC has provided the following workaround that is effective against this bug:

If using DNS64 and Response Policy Zones together, make sure the RPZ contains a AAAA rewrite rule for every A rewrite rule. If the RPZ provides a AAAA answer without the assistance of DNS64, the bug is not triggered.
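The workaround above is a property of the RPZ zone data that can be checked mechanically: every owner name carrying an A rewrite rule must also carry a AAAA rewrite rule. The script below is an added example (not ISC, BIND or Red Hat code) that audits a zone file for that property. It assumes a plain master-file layout with one record per line, `$ORIGIN`/`$TTL` directives and `;` comments; the zone text, owner names and addresses in it are constructed for the example.

```python
"""Audit an RPZ zone for A rewrite rules that lack a matching AAAA rule.

Added example for the DNS64 + RPZ workaround; not ISC, BIND or Red Hat code.
Assumes a simple master-file format: one record per line,
"owner [ttl] [class] type rdata", with $ORIGIN/$TTL directives and
';' comments. Relative owner names are qualified with the current origin.
"""
import re
from collections import defaultdict

# Constructed sample RPZ zone (not taken from the advisory). The rule for
# "bad.example" rewrites to an A record only, which is exactly the shape
# the workaround says to avoid on a server that also has DNS64 enabled.
SAMPLE_RPZ = """\
$ORIGIN rpz.example.
$TTL 300
@                  SOA   ns.rpz.example. hostmaster.rpz.example. 1 3600 600 86400 300
@                  NS    ns.rpz.example.
; NXDOMAIN rule: no A data, so DNS64 never gets involved
nxd.example        CNAME .
; A rewrite with a matching AAAA rewrite: RPZ answers AAAA itself
ok.example         A     192.0.2.10
ok.example         AAAA  2001:db8::10
; A rewrite with NO AAAA rewrite: DNS64 would try to synthesise one
bad.example        A     192.0.2.20
; rewriting a non-A type: not relevant to this issue
mail.example       MX    10 mx.example.
"""

# owner, optional TTL, optional class, type, rdata
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$"
)


def parse_rpz(text):
    """Return {owner_fqdn: {rrtype, ...}} for every record in the zone text."""
    origin = ""
    owner_types = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue                           # unsupported syntax: skip
        owner = m.group("owner")
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"        # qualify relative name
        owner_types[owner].add(m.group("type"))
    return owner_types


def a_rules_without_aaaa(text):
    """Sorted owners that have an A rewrite rule but no AAAA rewrite rule.

    On a server with DNS64 enabled, each of these is a name for which the
    advisory's workaround (add a AAAA rule alongside the A rule) is missing.
    """
    owner_types = parse_rpz(text)
    return sorted(
        owner for owner, types in owner_types.items()
        if "A" in types and "AAAA" not in types
    )


if __name__ == "__main__":
    for owner in a_rules_without_aaaa(SAMPLE_RPZ):
        print(f"missing AAAA rewrite rule for {owner}")
```

Run it against a real zone by replacing `SAMPLE_RPZ` with the file contents; an empty result means every A rule has its AAAA counterpart and the workaround condition holds. The hand-rolled parser deliberately ignores multi-line parenthesised records and `$INCLUDE`; for production zones, feed the zone through a full master-file parser such as dnspython's `dns.zone.from_text` and apply the same per-owner check to its rdatasets.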
Comment 1 Vincent Danen 2013-01-23 18:31:20 EST
ISC will be publishing the fix as part of beta releases that are slated to be released tomorrow (Jan 24).
Comment 2 Vincent Danen 2013-01-24 16:53:58 EST
External References:

https://kb.isc.org/article/AA-00855
Comment 3 Vincent Danen 2013-01-24 17:02:08 EST
Created bind tracking bugs for this issue

Affects: fedora-all [bug 903832]
Comment 9 Vincent Danen 2013-02-21 11:18:35 EST
Statement:

This issue did not affect the versions of bind or bind97 packages as shipped with Red Hat Enterprise Linux 4 and 5.
Comment 10 errata-xmlrpc 2013-02-21 14:22:00 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0550 https://rhn.redhat.com/errata/RHSA-2013-0550.html
