Bug 16695

Summary: bind new security issues CVE-2015-5722 and CVE-2015-5986
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: lewyssmith, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/656533/
Whiteboard: MGA4TOO has_procedure advisory MGA5-64-OK MGA4-64-OK
Source RPM: bind-9.10.2.P3-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-09-03 16:22:20 CEST 
Upstream has issued advisories on September 2:
https://kb.isc.org/article/AA-01287
https://kb.isc.org/article/AA-01291

These are critical, remotely exploitable denial of service vulnerabilities.

Advisory:
========================

Updated bind packages fix security vulnerability:

Parsing a malformed DNSSEC key can cause a validating resolver to exit due to
a failed assertion in buffer.c.  It is possible for a remote attacker to
deliberately trigger this condition, for example by using a query which
requires a response from a zone containing a deliberately malformed key
(CVE-2015-5722).

An incorrect boundary check in openpgpkey_61.c can cause named to terminate
due to a REQUIRE assertion failure.  This defect can be deliberately exploited
by an attacker who can provide a maliciously constructed response in answer to
a query (CVE-2015-5986).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5986
https://kb.isc.org/article/AA-01287
https://kb.isc.org/article/AA-01291
https://kb.isc.org/article/AA-01300
https://kb.isc.org/article/AA-01301
========================

Updated packages in core/updates_testing:
========================
bind-9.9.7.P3-1.mga4
bind-sdb-9.9.7.P3-1.mga4
bind-utils-9.9.7.P3-1.mga4
bind-devel-9.9.7.P3-1.mga4
bind-doc-9.9.7.P3-1.mga4
bind-9.10.2.P4-1.mga5
bind-sdb-9.10.2.P4-1.mga5
bind-utils-9.10.2.P4-1.mga5
bind-devel-9.10.2.P4-1.mga5
bind-doc-9.10.2.P4-1.mga5

from SRPMS:
bind-9.9.7.P3-1.mga4.src.rpm
bind-9.10.2.P4-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-09-03 16:22:42 CEST 
Testing procedure: similar to
https://bugs.mageia.org/show_bug.cgi?id=9163#c8

Whiteboard: (none) => MGA4TOO has_procedure

Comment 2 David Walser 2015-09-03 18:04:17 CEST 
CVE-2015-5722:
http://lwn.net/Vulnerabilities/656533/

CVE-2015-5986:
http://lwn.net/Vulnerabilities/656535/

URL: (none) => http://lwn.net/Vulnerabilities/656533/

Comment 3 Len Lawrence 2015-09-05 20:18:41 CEST 
Looking at this for mga5 x86_64.
Installed bind-9.10.2.P3-1.mga5.x86_64
Ran the test described in the link from comment 1 and generated similar result.

Installed bind-9.10.2.P4-1.mga5.x86_64 which brought in
bind-utils-9.10.2.P4-1.mga5.x86_64
Installed:
bind-sdb-9.10.2.P4-1.mga5
bind-devel-9.10.2.P4-1.mga5

As root: service named restart

[lcl@vega ~/test]$ dig @localhost mageia.org

; <<>> DiG 9.10.2-P4 <<>> @localhost mageia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org.			IN	A

;; ANSWER SECTION:
mageia.org.		1800	IN	A	217.70.188.116

;; AUTHORITY SECTION:
mageia.org.		86400	IN	NS	ns1.mageia.org.
mageia.org.		86400	IN	NS	ns0.mageia.org.

;; ADDITIONAL SECTION:
ns0.mageia.org.		86400	IN	A	212.85.158.146
ns1.mageia.org.		86400	IN	A	95.142.164.207

;; Query time: 140 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Sep 05 19:16:26 BST 2015
;; MSG SIZE  rcvd: 123

Virtually the same output as before.

CC: (none) => tarazed25

Len Lawrence 2015-09-05 20:19:49 CEST

Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA5-64-OK

Comment 4 Lewis Smith 2015-09-07 09:24:35 CEST 
Testing MGA4 x64

BEFORE: Installed:
 bind-sdb-9.9.7.P2-1.mga4
 bind-doc-9.9.7.P2-1.mga4
 bind-utils-9.9.7.P2-1.mga4
 bind-9.9.7.P2-1.mga4
Ran the test as per the link in Comment 1:

 # systemctl start named.service
 # dig @localhost mageia.org
; <<>> DiG 9.9.7-P2 <<>> @localhost mageia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 63420
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;mageia.org.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Llu Med 07 09:08:09 CEST 2015
;; MSG SIZE  rcvd: 39

AFTER: updated to:
 bind-sdb-9.9.7.P3-1.mga4
 bind-utils-9.9.7.P3-1.mga4
 bind-doc-9.9.7.P3-1.mga4
 bind-9.9.7.P3-1.mga4

 # systemctl restart named.service
 # dig @localhost mageia.org
Output identical to previously (ecept id and WHEN). Update deemed OK.

CC: (none) => lewyssmith
Whiteboard: MGA4TOO has_procedure MGA5-64-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK

Comment 5 claire robinson 2015-09-07 16:43:01 CEST 
Validating. Advisory uploaded.

Please push to 4 & 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK => MGA4TOO has_procedure advisory MGA5-64-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-09-08 09:21:51 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0341.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED