Bug#773548: unblock: bind9/1:9.9.5.dfsg-7

2014-12-21 Thread Steven Chamberlain
Hi,

Cyril Brulebois wrote:
 Non-linux porters may want to double check this new version isn't going
 to lead to regressions on their architecture(s) though, so letting them
 know through Cc (patch available below).

Thanks for checking with us.

Seems like only DNS resolver code was changed; I don't think d-i
uses any part of that, and it needs only unrelated library functions
for ISC dhcpd.

Even so, with the updated libs d-i completed successfully
(a netboot install involving DNS resolution and using DHCP).
This test run was more than 24 hours after 1:9.9.5.dfsg-7 was
built on kfreebsd-amd64, so it would have been using the new udebs.
https://jenkins.debian.net/view/g-i-installation/job/g-i-installation_debian_sid_daily_kfreebsd/447/

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





Bug#773548: unblock: bind9/1:9.9.5.dfsg-7

2014-12-20 Thread Cyril Brulebois
Control: tag -1 confirmed

Jonathan Wiltshire j...@debian.org (2014-12-19):
 Package: release.debian.org
 Severity: normal
 Tags: d-i
 User: release.debian@packages.debian.org
 Usertags: unblock
 
 Please unblock package bind9
 
 Fix for RC bug #772610, for some reason no unblock request from the maintainer
 or uploader. I have not reviewed the attached debdiff; also needs a kibi-ack.
 
 unblock bind9/1:9.9.5.dfsg-7

bind9 is only related to d-i on non-linux architectures (through netcfg
→ isc-dhcp → bind9), so no objection from me.

Non-linux porters may want to double-check that this new version isn't going
to lead to regressions on their architecture(s), though, so I'm letting them
know through Cc (patch available below).

Mraw,
KiBi.

 -- System Information:
 Debian Release: 8.0
   APT prefers testing
   APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (500, 
 'unstable'), (500, 'stable'), (1, 'experimental')
 Architecture: amd64 (x86_64)
 Foreign Architectures: i386
 
 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
 Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 Init: systemd (via /run/systemd/system)

 diff -u bind9-9.9.5.dfsg/bin/named/config.c 
 bind9-9.9.5.dfsg/bin/named/config.c
 --- bind9-9.9.5.dfsg/bin/named/config.c
 +++ bind9-9.9.5.dfsg/bin/named/config.c
 @@ -162,6 +162,8 @@
   dnssec-accept-expired no;\n\
   clients-per-query 10;\n\
   max-clients-per-query 100;\n\
 + max-recursion-depth 7;\n\
 + max-recursion-queries 50;\n\
   zero-no-soa-ttl-cache no;\n\
   nsec3-test-zone no;\n\
   allow-new-zones no;\n\
 diff -u bind9-9.9.5.dfsg/bin/named/server.c 
 bind9-9.9.5.dfsg/bin/named/server.c
 --- bind9-9.9.5.dfsg/bin/named/server.c
 +++ bind9-9.9.5.dfsg/bin/named/server.c
 @@ -3223,6 +3223,16 @@
   cfg_obj_asuint32(obj),
   max_clients_per_query);
  
 + obj = NULL;
 + result = ns_config_get(maps, max-recursion-depth, obj);
 + INSIST(result == ISC_R_SUCCESS);
 + dns_resolver_setmaxdepth(view-resolver, cfg_obj_asuint32(obj));
 +
 + obj = NULL;
 + result = ns_config_get(maps, max-recursion-queries, obj);
 + INSIST(result == ISC_R_SUCCESS);
 + dns_resolver_setmaxqueries(view-resolver, cfg_obj_asuint32(obj));
 +
  #ifdef ALLOW_FILTER__ON_V4
   obj = NULL;
   result = ns_config_get(maps, filter--on-v4, obj);
 diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog
 --- bind9-9.9.5.dfsg/debian/changelog
 +++ bind9-9.9.5.dfsg/debian/changelog
 @@ -1,3 +1,10 @@
 +bind9 (1:9.9.5.dfsg-7) unstable; urgency=medium
 +
 +  * Fix CVE-2014-8500: limit recursion in order to avoid memory consuption
 +issues that can lead to denial-of-service (closes: #772610).
 +
 + -- Michael Gilbert mgilb...@debian.org  Sun, 14 Dec 2014 05:05:48 +
 +
  bind9 (1:9.9.5.dfsg-6) unstable; urgency=medium
  
* Include dlz_dlopen.h in libbind-dev (closes: #769117).
 diff -u bind9-9.9.5.dfsg/lib/dns/resolver.c 
 bind9-9.9.5.dfsg/lib/dns/resolver.c
 --- bind9-9.9.5.dfsg/lib/dns/resolver.c
 +++ bind9-9.9.5.dfsg/lib/dns/resolver.c
 @@ -21,6 +21,7 @@
  
  #include config.h
  
 +#include isc/counter.h
  #include isc/log.h
  #include isc/platform.h
  #include isc/print.h
 @@ -131,6 +132,16 @@
  #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the 
 whole query to live. */
  #endif
  
 +/* The default maximum number of recursions to follow before giving up. */
 +#ifndef DEFAULT_RECURSION_DEPTH
 +#define DEFAULT_RECURSION_DEPTH 7
 +#endif
 +
 +/* The default maximum number of iterative queries to allow before giving 
 up. */
 +#ifndef DEFAULT_MAX_QUERIES
 +#define DEFAULT_MAX_QUERIES 50
 +#endif
 +
  /*%
   * Maximum EDNS0 input packet size.
   */
 @@ -234,12 +245,13 @@
   isc_sockaddrlist_t  edns;
   isc_sockaddrlist_t  edns512;
   isc_sockaddrlist_t  bad_edns;
 - dns_validator_t *validator;
 + dns_validator_t *   validator;
   ISC_LIST(dns_validator_t)   validators;
   dns_db_t *  cache;
   dns_adb_t * adb;
   isc_boolean_t   ns_ttl_ok;
   isc_uint32_tns_ttl;
 + isc_counter_t * qc;
  
   /*%
* The number of events we're waiting for.
 @@ -307,6 +319,7 @@
   isc_boolean_t   timeout;
   dns_adbaddrinfo_t   *addrinfo;
   isc_sockaddr_t  *client;
 + unsigned intdepth;
  };
  
  #define FCTX_MAGIC   ISC_MAGIC('F', '!', '!', '!')
 @@ -418,6 +431,8 @@
   isc_timer_t *   spillattimer;
   isc_boolean_t   zero_no_soa_ttl;
   unsigned intquery_timeout;
 + unsigned intmaxdepth;
 + unsigned int   

Bug#773548: unblock: bind9/1:9.9.5.dfsg-7

2014-12-19 Thread Jonathan Wiltshire
Package: release.debian.org
Severity: normal
Tags: d-i
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package bind9

Fix for RC bug #772610; for some reason there is no unblock request from the
maintainer or uploader. I have not reviewed the attached debdiff; it also needs a kibi-ack.

unblock bind9/1:9.9.5.dfsg-7

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u bind9-9.9.5.dfsg/bin/named/config.c bind9-9.9.5.dfsg/bin/named/config.c
--- bind9-9.9.5.dfsg/bin/named/config.c
+++ bind9-9.9.5.dfsg/bin/named/config.c
@@ -162,6 +162,8 @@
 	dnssec-accept-expired no;\n\
 	clients-per-query 10;\n\
 	max-clients-per-query 100;\n\
+	max-recursion-depth 7;\n\
+	max-recursion-queries 50;\n\
 	zero-no-soa-ttl-cache no;\n\
 	nsec3-test-zone no;\n\
 	allow-new-zones no;\n\
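Review bot: The literal defaults `7` and `50` on the two added lines duplicate `DEFAULT_RECURSION_DEPTH` and `DEFAULT_MAX_QUERIES` from the resolver.c hunk at `@@ -131,6 +132,16 @@`, so the same limits now have two independent sources of truth, and nothing in either place tells a maintainer to change both. Because these lines are continuations of a string literal (`\n\`), the comment has to sit where the default-config string begins, which is outside this hunk; a one-liner such as `/* Keep max-recursion-depth / max-recursion-queries in sync with DEFAULT_RECURSION_DEPTH / DEFAULT_MAX_QUERIES in lib/dns/resolver.c. */` would do, with a matching pointer back from the resolver.c defines. The enclosing definition starts and ends outside the hunk.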
diff -u bind9-9.9.5.dfsg/bin/named/server.c bind9-9.9.5.dfsg/bin/named/server.c
--- bind9-9.9.5.dfsg/bin/named/server.c
+++ bind9-9.9.5.dfsg/bin/named/server.c
@@ -3223,6 +3223,16 @@
 	cfg_obj_asuint32(obj),
 	max_clients_per_query);
 
+	obj = NULL;
+	result = ns_config_get(maps, max-recursion-depth, obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_resolver_setmaxdepth(view-resolver, cfg_obj_asuint32(obj));
+
+	obj = NULL;
+	result = ns_config_get(maps, max-recursion-queries, obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_resolver_setmaxqueries(view-resolver, cfg_obj_asuint32(obj));
+
 #ifdef ALLOW_FILTER__ON_V4
 	obj = NULL;
 	result = ns_config_get(maps, filter--on-v4, obj);
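Review bot: The two new `INSIST(result == ISC_R_SUCCESS)` lines make a missing `max-recursion-depth` or `max-recursion-queries` option an assertion failure at load time rather than a configuration error; that appears to be safe only because the config.c hunk adds both options to the built-in default string in the same patch, so `ns_config_get` presumably always finds a value. That dependency deserves a comment on the new lines, e.g. `/* Always present: both options are defaulted in bin/named/config.c. */`, so the INSISTs are not weakened or the defaults removed independently. The values are also passed straight to `dns_resolver_setmaxdepth`/`dns_resolver_setmaxqueries` without a range check; what the resolver does with 0 (unlimited, or no recursion at all) is not visible in this diff and should be stated in the option documentation. The enclosing function begins and ends outside the hunk.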
diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog
--- bind9-9.9.5.dfsg/debian/changelog
+++ bind9-9.9.5.dfsg/debian/changelog
@@ -1,3 +1,10 @@
+bind9 (1:9.9.5.dfsg-7) unstable; urgency=medium
+
+  * Fix CVE-2014-8500: limit recursion in order to avoid memory consuption
+issues that can lead to denial-of-service (closes: #772610).
+
+ -- Michael Gilbert mgilb...@debian.org  Sun, 14 Dec 2014 05:05:48 +
+
 bind9 (1:9.9.5.dfsg-6) unstable; urgency=medium
 
   * Include dlz_dlopen.h in libbind-dev (closes: #769117).
diff -u bind9-9.9.5.dfsg/lib/dns/resolver.c bind9-9.9.5.dfsg/lib/dns/resolver.c
--- bind9-9.9.5.dfsg/lib/dns/resolver.c
+++ bind9-9.9.5.dfsg/lib/dns/resolver.c
@@ -21,6 +21,7 @@
 
 #include config.h
 
+#include isc/counter.h
 #include isc/log.h
 #include isc/platform.h
 #include isc/print.h
@@ -131,6 +132,16 @@
 #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */
 #endif
 
+/* The default maximum number of recursions to follow before giving up. */
+#ifndef DEFAULT_RECURSION_DEPTH
+#define DEFAULT_RECURSION_DEPTH 7
+#endif
+
+/* The default maximum number of iterative queries to allow before giving up. */
+#ifndef DEFAULT_MAX_QUERIES
+#define DEFAULT_MAX_QUERIES 50
+#endif
+
 /*%
  * Maximum EDNS0 input packet size.
  */
@@ -234,12 +245,13 @@
 	isc_sockaddrlist_t		edns;
 	isc_sockaddrlist_t		edns512;
 	isc_sockaddrlist_t		bad_edns;
-	dns_validator_t			*validator;
+	dns_validator_t *		validator;
 	ISC_LIST(dns_validator_t)   validators;
 	dns_db_t *			cache;
 	dns_adb_t *			adb;
 	isc_boolean_t			ns_ttl_ok;
 	isc_uint32_t			ns_ttl;
+	isc_counter_t *			qc;
 
 	/*%
 	 * The number of events we're waiting for.
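Review bot: The new member `qc` on the last added line carries no comment, unlike the `/*% ... */`-documented members that follow it; the same applies to `depth` added in `@@ -307,6 +319,7 @@` and to `maxdepth`/`maxqueries` added in `@@ -418,6 +431,8 @@`. From the new `isc/counter.h` include it is an `isc_counter_t`, presumably the budget of iterative queries that `maxqueries` bounds, but whether one counter is shared with the fetches this one spawns is not visible here and is exactly what a reader needs stated, e.g. `/*% Query counter for this fetch; TODO(review): document whether it is shared with spawned fetches. */`. `maxdepth`/`maxqueries` are placed above the `/* Locked by lock. */` marker, which suggests they are set once via the new `dns_resolver_setmaxdepth`/`dns_resolver_setmaxqueries` calls; if they can be rewritten on reconfiguration while in-flight fetches read them, the comment should say so. All three struct definitions start outside their hunks.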
@@ -307,6 +319,7 @@
 	isc_boolean_t			timeout;
 	dns_adbaddrinfo_t 		*addrinfo;
 	isc_sockaddr_t			*client;
+	unsigned int			depth;
 };
 
 #define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
@@ -418,6 +431,8 @@
 	isc_timer_t *			spillattimer;
 	isc_boolean_t			zero_no_soa_ttl;
 	unsigned int			query_timeout;
+	unsigned int			maxdepth;
+	unsigned int			maxqueries;
 
 	/* Locked by lock. */
 	unsigned int			references;
@@ -1535,6 +1550,7 @@
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_dispatch;
 	}
+
 	fctx-querysent++;
 
 	ISC_LIST_APPEND(fctx-queries, query, link);
@@ -2188,9 +2204,9 @@
 		 */
 		INSIST(!SHUTTINGDOWN(fctx));
 		fctx-attributes = ~FCTX_ATTR_ADDRWAIT;
-		if (event-ev_type == DNS_EVENT_ADBMOREADDRESSES)
+		if (event-ev_type == DNS_EVENT_ADBMOREADDRESSES) {
 			want_try = ISC_TRUE;
-		else {
+		} else {
 			fctx-findfail++;
 			if (fctx-pending == 0) {
 /*
@@ -2219,7 +2235,7 @@
 	else if (want_done)
 		fctx_done(fctx, ISC_R_FAILURE, __LINE__);
 	else if (destroy) {
-			fctx_destroy(fctx);
+		fctx_destroy(fctx);
 		if (bucket_empty)
 			empty_bucket(res);
 	}
@@ -2473,12 +2489,13 @@
 	 * See what we know about this address.
 	 */
 	find = NULL;
-	result = dns_adb_createfind(fctx-adb,
-res-buckets[fctx-bucketnum].task,
-fctx_finddone, fctx, name,
-fctx-name, fctx-type,
-options, now, NULL,
-res-view-dstport, find);
+