oss-security November 2011 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] CVE-2011-4313: BIND 9 Resolver

Re: [oss-security] CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c

From: Solar Designer <solar_at_nospam>
Date: Thu Nov 17 2011 - 20:55:17 GMT
To: oss-security@lists.openwall.com

Speaking of BIND 9.3.x:

On Thu, Nov 17, 2011 at 10:43:51PM +0400, Solar Designer wrote:
> So do we (distro vendors) choose to go ahead and release updates with
> just those changes for now?

Red Hat has just released an update for 9.3.6 in RHEL5:



Meanwhile, per my further analysis, BIND 9.3.x's affected code in
query.c is only reached if the dnssec-enable option is set to yes,
regardless of whether the build of BIND includes full DNSSEC support
(is linked against OpenSSL) or not.

In 9.4.x+, it probably does not take "dnssec-enable yes" to make the
issue triggerable, because of the added query_addadditional2() function
with an extra instance of the assertion. This extra function does not
have the same check for DNSSEC being enabled that query_addadditional()
does. Here's query_addadditional()'s check in 9.3.x:

        if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
                return (ISC_R_SUCCESS);

where WANTDNSSEC() is:

#define WANTDNSSEC(c) (((c)->attributes & \
                                  NS_CLIENTATTR_WANTDNSSEC) != 0)

where the NS_CLIENTATTR_WANTDNSSEC flag is set when:

        if (!client->view->enablednssec) {
                message->flags &= ~DNS_MESSAGEFLAG_CD;
                client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
        if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
                client->attributes |= NS_CLIENTATTR_WANTDNSSEC;

where server.c sets:

        result = ns_config_get(maps, "dnssec-enable", &obj);
        INSIST(result == ISC_R_SUCCESS);
        view->enablednssec = cfg_obj_asboolean(obj);

I hope I am not misreading this.