| Summary: | bind new security issue CVE-2015-5477 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, neoser10, shlomif, sysadmin-bugs, tmb |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/652790/ | | |
| Whiteboard: | MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-64-OK MGA5-32-OK | | |
| Source RPM: | bind-9.10.2.P2-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2015-07-29 18:16:08 CEST
Testing procedure: similar to https://bugs.mageia.org/show_bug.cgi?id=9163#c8

Whiteboard: (none) => MGA4TOO has_procedure

I'm going to test MGA5-64 - stay tuned.

CC: (none) => shlomif

(In reply to Shlomi Fish from comment #2)
> I'm going to test MGA5-64 - stay tuned.

The test appears to have failed - before the update. I can start the "named" service fine and it runs on the :53 UDP and TCP ports, but I cannot resolve using it (Mageia Linux 5 x86-64 Acer Laptop).

Shell session below:

============================================
[shlomif@localhost ~]$ dig mageia.org

; <<>> DiG 9.10.2-P2 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54312
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1800 IN A 217.70.188.116

;; Query time: 80 msec
;; SERVER: 10.0.0.138#53(10.0.0.138)
;; WHEN: Wed Jul 29 19:43:14 IDT 2015
;; MSG SIZE rcvd: 55

[shlomif@localhost ~]$ dig @127.0.0.1 mageia.org

; <<>> DiG 9.10.2-P2 <<>> @127.0.0.1 mageia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39401
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 29 19:43:25 IDT 2015
;; MSG SIZE rcvd: 39

[shlomif@localhost ~]$

Update - seems like an @localhost dig session for www.google.com is working:

===============
[shlomif@localhost ~]$ dig @127.0.0.1 www.google.com

; <<>> DiG 9.10.2-P2 <<>> @127.0.0.1 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39372
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 218 IN A 216.58.210.68

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 29 19:47:34 IDT 2015
;; MSG SIZE rcvd: 59

Debian has issued an advisory for this on July 28:
https://www.debian.org/security/2015/dsa-3319

URL: (none) => http://lwn.net/Vulnerabilities/652790/

Dave Hodgins
2015-07-30 20:02:52 CEST
CC: (none) => davidwhodgins

Shlomi try "dig mageia.org 127.0.0.1"

(In reply to Dave Hodgins from comment #6)
> Shlomi try "dig mageia.org 127.0.0.1"

This is working fine:

[shlomif@localhost ~]$ dig mageia.org 127.0.0.1

; <<>> DiG 9.10.2-P2 <<>> mageia.org 127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64660
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1800 IN A 217.70.188.116

;; Query time: 97 msec
;; SERVER: 10.0.0.138#53(10.0.0.138)
;; WHEN: Thu Jul 30 21:09:08 IDT 2015
;; MSG SIZE rcvd: 55

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31606
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;127.0.0.1. IN A

;; AUTHORITY SECTION:
. 6977 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015073000 1800 900 604800 86400

;; Query time: 46 msec
;; SERVER: 10.0.0.138#53(10.0.0.138)
;; WHEN: Thu Jul 30 21:09:08 IDT 2015
;; MSG SIZE rcvd: 113

Whiteboard: MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK => MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-64-OK

I will test mga5-32 after meeting....

CC: (none) => neoser10

(In reply to Mauricio Andrés Bustamante Viveros from comment #8)
> I will test mga5-32 after meeting....

Well, since it took too long - I've done the MGA5-32-OK testing now and everything is fine.

Whiteboard: MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-64-OK => MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-64-OK MGA5-32-OK

(In reply to Shlomi Fish from comment #7)
> (In reply to Dave Hodgins from comment #6)
> > Shlomi try "dig mageia.org 127.0.0.1"
>
> This is working fine:
>
> [shlomif@localhost ~]$ dig mageia.org 127.0.0.1
>

This is not asking localhost about mageia.org

Instead you are actually passing 2 requests:

First:

> ;; QUESTION SECTION:
> ;mageia.org. IN A

> ;; ANSWER SECTION:
> mageia.org. 1800 IN A 217.70.188.116

To server:

> ;; SERVER: 10.0.0.138#53(10.0.0.138)

Second:

> ;; QUESTION SECTION:
> ;127.0.0.1. IN A

> ;; AUTHORITY SECTION:
> . 6977 IN SOA a.root-servers.net.
> nstld.verisign-grs.com. 2015073000 1800 900 604800 86400

(127.0.0.1 won't resolve to anything, and you need "dig -x" to resolve an ip)

to:

> ;; SERVER: 10.0.0.138#53(10.0.0.138)

If you actually want to ask localhost you need the "@" to point to the server you want to ask...

meaning:

dig mageia.org @127.0.0.1

CC: (none) => tmb

(In reply to Thomas Backlund from comment #10)
> (In reply to Shlomi Fish from comment #7)
> > (In reply to Dave Hodgins from comment #6)
> > > Shlomi try "dig mageia.org 127.0.0.1"
> >
> > This is working fine:
> >
> > [shlomif@localhost ~]$ dig mageia.org 127.0.0.1
> >
>
> This is not asking localhost about mageia.org
>
> Instead you are actually passing 2 requests:
>
> First:
>
> > ;; QUESTION SECTION:
> > ;mageia.org. IN A
>
> > ;; ANSWER SECTION:
> > mageia.org. 1800 IN A 217.70.188.116
>
> To server:
>
> > ;; SERVER: 10.0.0.138#53(10.0.0.138)
>
> Second:
>
> > ;; QUESTION SECTION:
> > ;127.0.0.1. IN A
>
> > ;; AUTHORITY SECTION:
> > . 6977 IN SOA a.root-servers.net.
> > nstld.verisign-grs.com. 2015073000 1800 900 604800 86400
>
> (127.0.0.1 won't resolve to anything, and you need "dig -x" to resolve an ip)
>
> to:
>
> > ;; SERVER: 10.0.0.138#53(10.0.0.138)
>
> If you actually want to ask localhost you need the "@" to point to the
> server you want to ask...
>
> meaning:
>
> dig mageia.org @127.0.0.1

So what do we do? It doesn't work properly with this syntax.

did you change any configs before or after the update ?

Both before and after the update the default setup works for me on mga5 x86_64

# dig mageia.org @127.0.0.1

; <<>> DiG 9.10.2-P3 <<>> mageia.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24561
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1588 IN A 217.70.188.116

;; AUTHORITY SECTION:
mageia.org. 86188 IN NS ns1.mageia.org.
mageia.org. 86188 IN NS ns0.mageia.org.

;; ADDITIONAL SECTION:
ns0.mageia.org. 86188 IN A 212.85.158.146
ns1.mageia.org. 86188 IN A 95.142.164.207

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: fre jul 31 14:45:33 EEST 2015
;; MSG SIZE rcvd: 123

The error in comment 3 is SERVFAIL, did you remember to start the service?

(In reply to Thomas Backlund from comment #12)
> did you change any configs before or after the update ?
>

No, I have not touched anything.

> Both before and after the update the default setup works for me on mga5
> x86_64
>
> # dig mageia.org @127.0.0.1

(In reply to claire robinson from comment #13)
> The error in comment 3 is SERVFAIL, did you remember to start the service?

Yes, I did - I ran "service named start" as root.

Dave Hodgins
2015-07-31 20:58:59 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0298.html

Status: NEW => RESOLVED
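
The thread's `dig mageia.org 127.0.0.1` run looked successful even though the local named was never queried, so a QA check has to look at the `SERVER:` line as well as the status. As an added example (not part of the thread or of Mageia's test procedure), `check_dig_answer` is a hypothetical helper that applies both checks to dig output; the sample functions hold only the header and `SERVER:` lines, abridged from the sessions quoted above.

```shell
# check_dig_answer EXPECTED_SERVER  (hypothetical helper; reads dig output on stdin)
# Passes only if every reply came from EXPECTED_SERVER with status NOERROR.
check_dig_answer() {
    awk -v want="$1" '
        /->>HEADER<<-/ {                 # one header line per reply
            replies++
            status = $0
            sub(/.*status: /, "", status)
            sub(/,.*/, "", status)
            if (status != "NOERROR") bad_status++
        }
        /^;; SERVER: / {                 # third field is address#port(address)
            servers++
            addr = $3
            sub(/#.*/, "", addr)
            if (addr != want) wrong_server++
        }
        END {
            if (replies == 0 || servers != replies) { print "no complete reply"; exit 2 }
            if (wrong_server) { print "answered by another server"; exit 3 }
            if (bad_status)   { print "status not NOERROR"; exit 4 }
            print "ok"
        }'
}

# Header and SERVER lines abridged from the dig sessions quoted in this thread.
sample_comment7() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64660
;; SERVER: 10.0.0.138#53(10.0.0.138)
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31606
;; SERVER: 10.0.0.138#53(10.0.0.138)
EOF
}
sample_comment3() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39401
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF
}
sample_comment12() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24561
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF
}

# Verdict for each captured session when the server under test is 127.0.0.1.
for s in sample_comment7 sample_comment3 sample_comment12; do
    printf '%s: ' "$s"; "$s" | check_dig_answer 127.0.0.1 || true
done
```

On a live system the same function takes dig's output directly: `dig mageia.org @127.0.0.1 | check_dig_answer 127.0.0.1`.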