| Summary: | ldns new memory corruption security issues (CVE-2017-1000231 and CVE-2017-1000232) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | guillomovitch, lewyssmith, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | ldns-1.7.0-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Test file for CVE-2017-1000231; Test file for CVE-2017-1000232 | ||
|
Description
David Walser
2017-11-22 19:22:12 CET
Apparently these two new issues have CVEs.

Ubuntu has issued an advisory for this today (November 22):
https://usn.ubuntu.com/usn/usn-3491-1/

The 2014 CVE we already fixed before.

Whiteboard: (none) => MGA6TOO, MGA5TOO

Fixed in Cauldron in ldns-1.7.0-2.mga7 by Guillaume.

Version: Cauldron => 6

I just submitted fixed package ldns-1.6.17-8.1.mga6 to update_testing for mageia6.
Mageia5 is out of scope for this package.

Thanks Guillaume!

Advisory:
========================

Updated ldns packages fix security vulnerabilities:

Stephan Zeisberg discovered that ldns incorrectly handled memory when processing data. A remote attacker could use this issue to cause ldns to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2017-1000231, CVE-2017-1000232).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000232
https://usn.ubuntu.com/usn/usn-3491-1/
========================

Updated packages in core/updates_testing:
========================
ldns-utils-1.6.17-5.1.mga5
libldns1-1.6.17-5.1.mga5
libldns-devel-1.6.17-5.1.mga5
python-ldns-1.6.17-5.1.mga5
ldns-utils-1.6.17-8.1.mga6
libldns1-1.6.17-8.1.mga6
libldns-devel-1.6.17-8.1.mga6
python-ldns-1.6.17-8.1.mga6

from SRPMS:
ldns-1.6.17-5.1.mga5.src.rpm
ldns-1.6.17-8.1.mga6.src.rpm

CC: (none) => guillomovitch

Testing M5/64

Did not have it already installed, so did so directly from UpdatesTesting:
ldns-utils-1.6.17-5.1.mga5
lib64ldns1-1.6.17-5.1.mga5
python-ldns-1.6.17-5.1.mga5

It offers many programs:
drill ldns-compare-zones ldns-chaos ldnsd ldns-dane ldns-dpa ldns-gen-zone ldns-key2ds ldns-keyfetcher ldns-keygen ldns-mx ldns-notify ldns-nsec3-hash ldns-read-zone ldns-resolver ldns-revoke ldns-rrsig ldns-signzone ldns-test-edns ldns-testns ldns-update ldns-verify-zone ldns-version ldns-walk ldns-zcat ldns-zsplit

There are man pages, at least for: drill, ldnsd, ldns-mx, ldns-keygen.

Ah: here is a PoC for CVE-2017-1000231:
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256
for which I will attach the test file:
https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=392
...
$ ldns-read-zone Desktop/ldns_crash
Syntax error, could not parse the RR at 8718

Alas, this should be tried *before* the update - somebody else, please try that - it should crash.

And another PoC for CVE-2017-1000232:
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257
for which again I will attach the test file:
https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=394
...
$ ldns-read-zone Desktop/ldns_crash2
Syntax error, could not parse the RR's rdata at 0

Again, before the update, this should have crashed. Somebody else please try it.
-------------------------------------------------
Test procedure (Claire again to the rescue):
https://bugs.mageia.org/show_bug.cgi?id=13324#c3

$ ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.net
[took forever]
Kexample.net.+007+57368

$ ls -l Kexample*
-rw-rw-r-- 1 lewis lewis 70 Rha 29 13:57 Kexample.net.+007+57368.ds
-rw-rw-r-- 1 lewis lewis 242 Rha 29 13:57 Kexample.net.+007+57368.key
-rw------- 1 lewis lewis 943 Rha 29 13:57 Kexample.net.+007+57368.private

$ ldns-mx mageia.org
mageia.org. 1800 IN MX 10 sucuk.mageia.org.
mageia.org. 1800 IN MX 20 krampouezh.mageia.org.

$ drill mageia.org @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 22105
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 491 IN A 163.172.148.228

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 43 msec
;; SERVER: 8.8.8.8
;; WHEN: Fri Dec 29 14:01:29 2017
;; MSG SIZE rcvd: 44

All these results accord with the reference test. With the PoC files not crashing, this update warrants OK.

Keywords: (none) => advisory, has_procedure

Created attachment 9863 [details]
Test file for CVE-2017-1000231
Before the update,
$ ldns-read-zone ldns_crash
should crash.
Created attachment 9864 [details]
Test file for CVE-2017-1000232
Before the update,
$ ldns-read-zone ldns_crash2
should crash.
Testing M6/64

Installed from normal repos:
ldns-utils-1.6.17-8.mga6
lib64ldns1-1.6.17-8.mga6
python-ldns-1.6.17-8.mga6

BEFORE update, tried the two PoCs:

$ ldns-read-zone ldns_crash
*** Error in `ldns-read-zone': double free or corruption (!prev): 0x0000000000f5d280 ***
======= Backtrace: =========
...
Aborted (core dumped)
[great]

$ ldns-read-zone ldns_crash2
*** Error in `ldns-read-zone': double free or corruption (fasttop): 0x00000000023f1350 ***
======= Backtrace: =========
...
Aborted (core dumped)
[great again]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
AFTER update to:
- ldns-utils-1.6.17-8.1.mga6.x86_64
- lib64ldns1-1.6.17-8.1.mga6.x86_64
- python-ldns-1.6.17-8.1.mga6.x86_64

The PoCs again - both conclusive improvements:

$ ldns-read-zone ldns_crash
Syntax error, could not parse the RR at 8718

$ ldns-read-zone ldns_crash2
Syntax error, could not parse the RR's rdata at 0

Claire's tests again, see C5:

$ ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.net
Kexample.net.+007+12713
[This happened instantaneously, c.f. C5]

$ ls -l Kexample*
-rw-rw-r-- 1 lewis lewis 70 Rha 31 21:45 Kexample.net.+007+12713.ds
-rw-rw-r-- 1 lewis lewis 242 Rha 31 21:45 Kexample.net.+007+12713.key
-rw------- 1 lewis lewis 943 Rha 31 21:45 Kexample.net.+007+12713.private

$ ldns-mx mageia.org
mageia.org. 1800 IN MX 10 sucuk.mageia.org.
mageia.org. 1800 IN MX 20 krampouezh.mageia.org.

$ ldns-mx mageia.org
mageia.org. 1800 IN MX 10 sucuk.mageia.org.
mageia.org. 1800 IN MX 20 krampouezh.mageia.org.
[lewis@localhost ~]$
[lewis@localhost ~]$ drill mageia.org @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41494
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 676 IN A 163.172.148.228

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 39 msec
;; SERVER: 8.8.8.8
;; WHEN: Sun Dec 31 21:49:19 2017
;; MSG SIZE rcvd: 44

all of which accord to the model.

Update x64 OK, validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0003.html

Resolution: (none) => FIXED |
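
The before/after PoC check used in the testing comments above can be scripted so that a crash and a clean parse error are told apart by exit status rather than by eye. This is an added example, not part of the original bug report or of ldns; the function names `classify_run` and `verify_fixed` are hypothetical, and the `AddressSanitizer` match is an assumption that goes beyond what the page shows.

```sh
#!/bin/sh
# Added example (not from the bug report): tell a crash apart from a clean
# rejection when a parser is fed a crafted input file.

# classify_run CMD [ARG...] prints one of:
#   crash:<SIG>  killed by a signal (shell status > 128), e.g. crash:ABRT when
#                glibc aborts on "double free or corruption"
#   not-run      command missing or not executable (status 126/127)
#   heap-error   exited by itself, but stderr carries a heap diagnostic
#   rejected     non-zero exit without a memory error (input refused)
#   accepted     exit status 0
classify_run() {
    errfile=$(mktemp) || return 2
    status=0
    # "|| status=$?" keeps the failing command from tripping "set -e".
    "$@" >/dev/null 2>"$errfile" || status=$?
    if [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        result="crash:$(kill -l "$sig" 2>/dev/null || echo "$sig")"
    elif [ "$status" -eq 126 ] || [ "$status" -eq 127 ]; then
        result="not-run"
    elif grep -Eq 'double free or corruption|AddressSanitizer' "$errfile"; then
        # Assumption: sanitizer builds report and exit without a signal.
        result="heap-error"
    elif [ "$status" -ne 0 ]; then
        result="rejected"
    else
        result="accepted"
    fi
    rm -f "$errfile"
    printf '%s\n' "$result"
}

# verify_fixed TOOL FILE...: succeed only if TOOL cleanly rejects every FILE.
verify_fixed() {
    tool=$1
    shift
    rc=0
    for f in "$@"; do
        # A missing file would also be "rejected"; do not count it as a pass.
        if [ -r "$f" ]; then outcome=$(classify_run "$tool" "$f"); else outcome="missing"; fi
        printf '%s: %s\n' "$f" "$outcome"
        [ "$outcome" = "rejected" ] || rc=1
    done
    return "$rc"
}

# Stand-alone use: sh check-pocs.sh ldns_crash ldns_crash2
if [ "$#" -gt 0 ]; then
    verify_fixed ldns-read-zone "$@"
fi
```

Run it against the unpatched package first: if it already reports `rejected` there, the test files are not exercising the bug and a pass after the update proves nothing.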