Add SA-15:11.bind.

svn path=/head/; revision=46937
2015-07-07 23:10:24 +00:00 · 2015-07-07 23:10:24 +00:00 · 47eed586a2 · 2020-12-08 03:00:23 +00:00
commit 47eed586a2
parent 0afe8a63d9
6 changed files with 226 additions and 0 deletions
--- a/share/security/advisories/FreeBSD-SA-15:11.bind.asc
+++ b/share/security/advisories/FreeBSD-SA-15:11.bind.asc
@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:11.bind                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          BIND resolver remote denial of service when validating
+
+Category:       contrib
+Module:         bind
+Announced:      2015-07-07
+Credits:        ISC
+Affects:        FreeBSD 8.4 and FreeBSD 9.3.
+Corrected:      2015-07-07 21:43:23 UTC (stable/9, 9.3-STABLE)
+                2015-07-07 21:44:01 UTC (releng/9.3, 9.3-RELEASE-p19)
+                2015-07-07 21:43:23 UTC (stable/8, 8.4-STABLE)
+                2015-07-07 21:44:01 UTC (releng/8.4, 8.4-RELEASE-p33)
+CVE Name:       CVE-2015-4620
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocol.
+The named(8) daemon is an Internet Domain Name Server.  The libdns
+library is a library of DNS protocol support functions.
+
+II.  Problem Description
+
+Due to a software defect, specially constructed zone data could cause
+named(8) to crash with an assertion failure and rejecting the malformed
+query when DNSSEC validation is enabled.
+
+III. Impact
+
+An attacker who can cause specific queries to be sent to a nameserver
+could cause named(8) to crash, resulting in a denial of service.
+
+IV.  Workaround
+
+No workaround is available, but hosts not running named(8) are not
+vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-9.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-9.patch.asc
+# gpg --verify bind-9.patch.asc
+
+[FreeBSD 8.4]
+# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-8.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:11/bind-8.patch.asc
+# gpg --verify bind-8.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r285257
+releng/8.4/                                                       r285258
+stable/9/                                                         r285257
+releng/9.3/                                                       r285258
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01267/>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4620>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:11.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.5 (FreeBSD)
+
+iQIcBAEBCgAGBQJVnEi/AAoJEO1n7NZdz2rnw4cP/jg5odJDqjzynxVweq+rCo7q
+10Wwa5Is3BOFAMxE+qVvIyjPKwBTlYOud4Lwp9+6GXpEa6DQDTrqwGsgsEKsqrNN
+WF8mfOhsSSHuhKNdcCT3+9/ERhdS6JwmvIgMhmEvBAWhf2HA6FRPQ1J6TP0ZoGKm
+0x745/cqiYM4eCwH8kbC1tmMYBHqYapuI9aTZ8iuiddBR1lunE03GVlNn1A6e2U6
+CUt6rHNslup4C7sGq6fBt/5qlJZ4yOGCXHDys9l0OSeYUfKohbDi2TILhoMhio2x
+8OdFIdr5U7sOtLPirbfLAUTb1C/H/BsKZfIX3Ff7iZQruVQrU4hKR1hd+GjZQb2G
+5foI9jP3AIRZ3xaHjH0Y95/4diJz+nauH5BTeD9OLGJC3Mg/NsVVtoflg3o+AWKn
+692ovG1csdkT598K0VV7Kp36n4tR43SPFZ8bqo8TMdt40H9imaN7ghXOFhpG1Yw8
+A6EU/yHJ5Jn9XyGM0E803pFodZEQk8wM8/LllA1txz85eDy+6HOQsxJeROcwJFeH
+rtzJ6bweqV3keJPkP/AR+QLqFMEbySHp2al7uGAIHyd/3fGlvWhP10CTyxvG7ucY
+Ak9PwH11UTw+RexOhOTWF+Bz9A5vVWG/wDPfGFLbhdmK00gX4y9xNOk2/QP6fTL3
+8Sz9sMkdOx3Vrbq+PPmu
+=SVcF
+-----END PGP SIGNATURE-----
--- a/share/security/patches/SA-15:11/bind-8.patch
+++ b/share/security/patches/SA-15:11/bind-8.patch
@ -0,0 +1,21 @@
+Index: contrib/bind9/lib/dns/validator.c
+===================================================================
+--- contrib/bind9/lib/dns/validator.c	(revision 284940)
+++ contrib/bind9/lib/dns/validator.c	(working copy)
+@@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnske
+  */
+ static isc_boolean_t
+ isselfsigned(dns_validator_t *val) {
+-	dns_fixedname_t fixed;
+ 	dns_rdataset_t *rdataset, *sigrdataset;
+ 	dns_rdata_t rdata = DNS_RDATA_INIT;
+ 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+@@ -1461,7 +1460,7 @@ isselfsigned(dns_validator_t *val) {
+ 
+ 			result = dns_dnssec_verify2(name, rdataset, dstkey,
+ 						    ISC_TRUE, mctx, &sigrdata,
+-						    dns_fixedname_name(&fixed));
+						    NULL);
+ 			dst_key_free(&dstkey);
+ 			if (result != ISC_R_SUCCESS)
+ 				continue;
--- a/share/security/patches/SA-15:11/bind-8.patch.asc
+++ b/share/security/patches/SA-15:11/bind-8.patch.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.5 (FreeBSD)
+
+iQIcBAABCgAGBQJVnEjTAAoJEO1n7NZdz2rngFYP/2wtQUC/zGqrgi4Rhl4zSXAW
+jmVMYd7shsczDj3Jk5bR+WkMFFO28bqb84/fTlIusaONTgF5gS4+5/tVf29/Uufs
+qtTPVilP0CD/vw3Pp8jKtBwC1fi+FHOZ3eGdVj0OWHwp+M8WdBB9iODNIZWtNzsu
+CPUxxR/4PoRkCai6TKm7wUY3gskOrx7ANNTS9nNGY0wn+3ByxT0tZCacTZP3ZOgs
+0xjjs+opBVLv5sAW9BpaUyoAhgbukkK7aBfoUxg+Wy0u64Nhj/FiPAXrvrmbnndZ
+qmpz0Kbt7cXEVy26W1vnrr/qeo0l+PjMIiP+rBU9jLYIxJZddTiMNR6cQspFtUnY
+Lsll0EfX5GkUH3Hp6E3kxk7BMZwBXRUcDnoPJKhU2A+2+szKKM5E7ltnCGVsOJHo
+4JYI1bVahIqWaz3LX567EU/I2LoqLAaEg2DubwkmM7jTNSlTvIVbknRuoHDe1ubV
+mEm/VV9feOxaJZJ832GV/8A7YeYIZBW3hhAetZmIpu7ovJncq2eVSQe3j7fskdqZ
+LJInkvV//HDyRUA+6Mtg9+gV5TJszzHb6LqVyQt40+pcx5aQr4fgkWvtdc5s6AVi
+PdUdheV8qx800uHipibSGITOSWHAq8rDLttiItCrmFhj/+vqvvTG8QpuwFMhLrqw
+BHJruPyeb0cjgai0EXJ6
+=LZAe
+-----END PGP SIGNATURE-----
--- a/share/security/patches/SA-15:11/bind-9.patch
+++ b/share/security/patches/SA-15:11/bind-9.patch
@ -0,0 +1,22 @@
+Index: contrib/bind9/lib/dns/validator.c
+===================================================================
+--- contrib/bind9/lib/dns/validator.c	(revision 284940)
+++ contrib/bind9/lib/dns/validator.c	(working copy)
+@@ -1420,7 +1420,6 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnske
+  */
+ static isc_boolean_t
+ isselfsigned(dns_validator_t *val) {
+-	dns_fixedname_t fixed;
+ 	dns_rdataset_t *rdataset, *sigrdataset;
+ 	dns_rdata_t rdata = DNS_RDATA_INIT;
+ 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+@@ -1476,8 +1475,7 @@ isselfsigned(dns_validator_t *val) {
+ 			result = dns_dnssec_verify3(name, rdataset, dstkey,
+ 						    ISC_TRUE,
+ 						    val->view->maxbits,
+-						    mctx, &sigrdata,
+-						    dns_fixedname_name(&fixed));
+						    mctx, &sigrdata, NULL);
+ 			dst_key_free(&dstkey);
+ 			if (result != ISC_R_SUCCESS)
+ 				continue;
--- a/share/security/patches/SA-15:11/bind-9.patch.asc
+++ b/share/security/patches/SA-15:11/bind-9.patch.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.5 (FreeBSD)
+
+iQIcBAABCgAGBQJVnEjTAAoJEO1n7NZdz2rnwbUP/ihtZzwvJjJrpQnur0Cw6sl0
+eBNutTlZPUw89mZtmi4Gpo6X6epA0ZSoUSnf13+k1hYnmZP5YXulGFyuAQ9zB9z8
+U52pgxg4MDqXUFK4nMHkv+EVCaxhIcmRHzAHejZh1LrH8RDxCO3kXomsTbIzJP3w
+qU3LGqne8cmNwERs+DbULolxRNpWnNwLW8DiLpZzDA6xVWKr1dMAEwDHcbOgJwrd
+WflSg5mpgx/cL6zL6+87Webk/D8pNc651f+UTJ7WmnLyB7qB1F7OkbUnGXykHVmc
+VILkKEJbmiHIP9fhu23WVrqX79EMCb7h6cMbGuPHx4otN8ykvaSozRlwvT1V1+EF
+VgKRZeW5rhFssxvzEijniHHRzsxM8/LW615Qs5Fp6ZFhVQ4WHUYRCaI8y7zE+GaM
+ty6JZlpnSgwF32i50xph5wUSdqtUo2lbgep8A6RYQ72NhErtEY8yU1OdqCOz2i0E
+TeT+FdABaAnR2q251EQzrmDqo1Ybkx3mIyYWDH7ds5sMcXq7GxX2Opv0o+aYRXtj
+xjWH0YZiHnx8gKWFL02VqDEdIFSqOBGES1QD548Up66X0XvEnZky2tuC/Nvqxk1o
+CJWk1HBEr/OSXrcMiPOH9Wg3kTwhvBGC76LvogPD48k/jOwCZVP7iGsVeVAgH58l
+H3ADWbhNddIUbHLZSy0w
+=CSh0
+-----END PGP SIGNATURE-----
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@ -7,6 +7,18 @@
  <year>
    <name>2015</name>

+    <month>
+      <name>7</name>
+
+      <day>
+        <name>7</name>
+
+        <advisory>
+          <name>FreeBSD-SA-15:11.bind</name>
+        </advisory>
+      </day>
+    </month>
+
    <month>
      <name>6</name>