A denial of service flaw was found in the way the bind-dyndb-ldap, a dynamic LDAP back-end plug-in for BIND, performed DN escaping for LDAP queries. A DNS request containing a specially-crafted name (such as one containing the "$" character) from a domain stored in an LDAP back-end could cause named to exit unexpectedly because of the failed assertion. This issue was introduced in the following commit that introduced DN escaping, partially in response to CVE-2012-2134 (bug #815846): http://git.fedorahosted.org/git?p=bind-dyndb-ldap.git;a=commitdiff;h=3d43fd66aa68ef275855391a94e47e9d2f30309d In Red Hat Enterprise Linux 6, this problem was introduced via bind-dyndb-ldap erratum RHBA-2012:0837 released as part of Red Hat Enterprise Linux 6.3: https://rhn.redhat.com/errata/RHBA-2012-0837.html Note that bind-dyndb-ldap packages from RHSA-2012:0683 are not affected by this issue, as a different fix was used there to address CVE-2012-2134. DN escaping was only introduced later via the mentioned RHBA-2012:0837. Acknowledgment: Red Hat would like to thank Sigbjorn Lie of the Atea Norway for reporting this issue.
Fixed in upstream git via: http://git.fedorahosted.org/git/?p=bind-dyndb-ldap.git;a=commitdiff;h=f345805c73c294db42452ae966c48fbc36c48006
Created bind-dyndb-ldap tracking bugs for this issue Affects: fedora-all [bug 845038]
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:1139 https://rhn.redhat.com/errata/RHSA-2012-1139.html
bind-dyndb-ldap-1.1.0-0.14.rc1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
bind-dyndb-ldap-1.1.0-0.14.rc1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
The flaw mentioned in this bug manifests itself with following error message (it is written to /var/log/messages usually): Jul 30 15:44:23 nightcrawler named[31694]: ldap_convert.c:253: REQUIRE(dns_str_len > dns_idx + 3) failed, back trace Jul 30 15:44:23 nightcrawler named[31694]: #0 0xf0d401 in ?? Jul 30 15:44:23 nightcrawler named[31694]: #1 0x94ada4 in ?? Jul 30 15:44:23 nightcrawler named[31694]: #2 0x323db5 in ?? Jul 30 15:44:23 nightcrawler named[31694]: #3 0x324030 in ?? Jul 30 15:44:23 nightcrawler named[31694]: #4 0x329ff9 in ?? Jul 30 15:44:23 nightcrawler named[31694]: #5 0x3260e2 in ?? Jul 30 15:44:23 nightcrawler named[31694]: #6 0x656f2d in ?? Jul 30 15:44:23 nightcrawler named[31694]: #7 0xf1849f in ?? Jul 30 15:44:23 nightcrawler named[31694]: #8 0xf1ec15 in ?? Jul 30 15:44:23 nightcrawler named[31694]: #9 0xf029d8 in ?? Jul 30 15:44:23 nightcrawler named[31694]: #10 0x96e00b in ?? Jul 30 15:44:23 nightcrawler named[31694]: #11 0xadea49 in ?? Jul 30 15:44:23 nightcrawler named[31694]: #12 0x42fe1e in ?? Jul 30 15:44:23 nightcrawler named[31694]: exiting (due to assertion failure)