diff -u bind9-9.8.1.dfsg.P1/debian/changelog bind9-9.8.1.dfsg.P1/debian/changelog --- bind9-9.8.1.dfsg.P1/debian/changelog +++ bind9-9.8.1.dfsg.P1/debian/changelog @@ -1,3 +1,13 @@ +bind9 (1:9.8.1.dfsg.P1-4ubuntu0.19) precise-security; urgency=medium + + * SECURITY UPDATE: denial of service via responses containing a DNAME + answer + - lib/dns/resolver.c: remove assertion failure. + - patch backported from 9.9.9-P4. + - CVE-2016-8864 + + -- Marc Deslauriers Mon, 31 Oct 2016 09:00:00 -0400 + bind9 (1:9.8.1.dfsg.P1-4ubuntu0.18) precise-security; urgency=medium * SECURITY UPDATE: denial of service via malformed options diff -u bind9-9.8.1.dfsg.P1/lib/dns/resolver.c bind9-9.8.1.dfsg.P1/lib/dns/resolver.c --- bind9-9.8.1.dfsg.P1/lib/dns/resolver.c +++ bind9-9.8.1.dfsg.P1/lib/dns/resolver.c @@ -503,7 +503,9 @@ valarg->addrinfo = addrinfo; if (!ISC_LIST_EMPTY(fctx->validators)) - INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0); + valoptions |= DNS_VALIDATOR_DEFER; + else + valoptions &= ~DNS_VALIDATOR_DEFER; result = dns_validator_create(fctx->res->view, name, type, rdataset, sigrdataset, fctx->rmessage, @@ -4579,13 +4581,6 @@ rdataset, sigrdataset, valoptions, task); - /* - * Defer any further validations. - * This prevents multiple validators - * from manipulating fctx->rmessage - * simultaneously. - */ - valoptions |= DNS_VALIDATOR_DEFER; } } else if (CHAINING(rdataset)) { if (rdataset->type == dns_rdatatype_cname) @@ -4675,6 +4670,11 @@ eresult == DNS_R_NCACHENXRRSET); } event->result = eresult; + if (adbp != NULL && *adbp != NULL) { + if (anodep != NULL && *anodep != NULL) + dns_db_detachnode(*adbp, anodep); + dns_db_detach(adbp); + } dns_db_attach(fctx->cache, adbp); dns_db_transfernode(fctx->cache, &node, anodep); clone_results(fctx); @@ -4918,6 +4918,11 @@ fctx->attributes |= FCTX_ATTR_HAVEANSWER; if (event != NULL) { event->result = eresult; + if (adbp != NULL && *adbp != NULL) { + if (anodep != NULL && *anodep != NULL) + dns_db_detachnode(*adbp, anodep); + dns_db_detach(adbp); + } dns_db_attach(fctx->cache, adbp); dns_db_transfernode(fctx->cache, &node, anodep); clone_results(fctx); @@ -5667,13 +5672,15 @@ answer_response(fetchctx_t *fctx) { isc_result_t result; dns_message_t *message; - dns_name_t *name, *dname = NULL, *qname, tname; + dns_name_t *name, *dname = NULL, *qname, *dqname, tname; + dns_name_t *cname = NULL; dns_rdataset_t *rdataset; isc_boolean_t done, external, chaining, aa, found, want_chaining; - isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; + isc_boolean_t have_answer, found_cname, found_dname, found_type; + isc_boolean_t wanted_chaining; unsigned int aflag; dns_rdatatype_t type; - dns_fixedname_t fdname, fqname; + dns_fixedname_t fdname, fqname, fqdname; dns_view_t *view; FCTXTRACE("answer_response"); @@ -5687,6 +5694,7 @@ done = ISC_FALSE; found_cname = ISC_FALSE; + found_dname = ISC_FALSE; found_type = ISC_FALSE; chaining = ISC_FALSE; have_answer = ISC_FALSE; @@ -5696,12 +5704,13 @@ aa = ISC_TRUE; else aa = ISC_FALSE; - qname = &fctx->name; + dqname = qname = &fctx->name; type = fctx->type; view = fctx->res->view; + dns_fixedname_init(&fqdname); result = dns_message_firstname(message, DNS_SECTION_ANSWER); while (!done && result == ISC_R_SUCCESS) { - dns_namereln_t namereln; + dns_namereln_t namereln, dnamereln; int order; unsigned int nlabels; @@ -5709,6 +5718,8 @@ dns_message_currentname(message, DNS_SECTION_ANSWER, &name); external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); namereln = dns_name_fullcompare(qname, name, &order, &nlabels); + dnamereln = dns_name_fullcompare(dqname, name, &order, + &nlabels); if (namereln == dns_namereln_equal) { wanted_chaining = ISC_FALSE; for (rdataset = ISC_LIST_HEAD(name->list); @@ -5803,7 +5814,7 @@ } } else if (rdataset->type == dns_rdatatype_rrsig && rdataset->covers == - dns_rdatatype_cname + dns_rdatatype_cname && !found_type) { /* * We're looking for something else, @@ -5833,11 +5844,18 @@ * a CNAME or DNAME). */ INSIST(!external); - if (aflag == - DNS_RDATASETATTR_ANSWER) { + if ((rdataset->type != + dns_rdatatype_cname) || + !found_dname || + (aflag == + DNS_RDATASETATTR_ANSWER)) + { have_answer = ISC_TRUE; + if (rdataset->type == + dns_rdatatype_cname) + cname = name; name->attributes |= - DNS_NAMEATTR_ANSWER; + DNS_NAMEATTR_ANSWER; } rdataset->attributes |= aflag; if (aa) @@ -5931,11 +5949,11 @@ return (DNS_R_FORMERR); } - if (namereln != dns_namereln_subdomain) { + if (dnamereln != dns_namereln_subdomain) { char qbuf[DNS_NAME_FORMATSIZE]; char obuf[DNS_NAME_FORMATSIZE]; - dns_name_format(qname, qbuf, + dns_name_format(dqname, qbuf, sizeof(qbuf)); dns_name_format(name, obuf, sizeof(obuf)); @@ -5950,7 +5968,7 @@ want_chaining = ISC_TRUE; POST(want_chaining); aflag = DNS_RDATASETATTR_ANSWER; - result = dname_target(rdataset, qname, + result = dname_target(rdataset, dqname, nlabels, &fdname); if (result == ISC_R_NOSPACE) { /* @@ -5967,10 +5985,13 @@ dname = dns_fixedname_name(&fdname); if (!is_answertarget_allowed(view, - qname, rdataset->type, - dname, &fctx->domain)) { + dqname, rdataset->type, + dname, &fctx->domain)) + { return (DNS_R_SERVFAIL); } + dqname = dns_fixedname_name(&fqdname); + dns_name_copy(dname, dqname, NULL); } else { /* * We've found a signature that @@ -5995,6 +6016,10 @@ INSIST(!external); if (aflag == DNS_RDATASETATTR_ANSWER) { have_answer = ISC_TRUE; + found_dname = ISC_TRUE; + if (cname != NULL) + cname->attributes &= + ~DNS_NAMEATTR_ANSWER; name->attributes |= DNS_NAMEATTR_ANSWER; }