Fedora has issued an advisory on November 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H2N4OBCITVKFL772TSPJOE7JT5ZMKQJE/

It sounds likely that one of the two issues also affects older versions.
Apparently these two new issues have CVEs. Ubuntu has issued an advisory for this today (November 22):
https://usn.ubuntu.com/usn/usn-3491-1/

The 2014 CVE we already fixed before.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Summary: ldns new memory corruption security issues => ldns new memory corruption security issues (CVE-2017-1000231 and CVE-2017-1000232)
Severity: normal => major
Fixed in Cauldron in ldns-1.7.0-2.mga7 by Guillaume.
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
I just submitted fixed package ldns-1.6.17-8.1.mga6 to update_testing for mageia6. Mageia5 is out of scope for this package.
Thanks Guillaume!

Advisory:
========================

Updated ldns packages fix security vulnerabilities:

Stephan Zeisberg discovered that ldns incorrectly handled memory when processing data. A remote attacker could use this issue to cause ldns to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2017-1000231, CVE-2017-1000232).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000232
https://usn.ubuntu.com/usn/usn-3491-1/
========================

Updated packages in core/updates_testing:
========================
ldns-utils-1.6.17-5.1.mga5
libldns1-1.6.17-5.1.mga5
libldns-devel-1.6.17-5.1.mga5
python-ldns-1.6.17-5.1.mga5
ldns-utils-1.6.17-8.1.mga6
libldns1-1.6.17-8.1.mga6
libldns-devel-1.6.17-8.1.mga6
python-ldns-1.6.17-8.1.mga6

from SRPMS:
ldns-1.6.17-5.1.mga5.src.rpm
ldns-1.6.17-8.1.mga6.src.rpm
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
Testing M5/64

Did not have it already installed, so did so directly from UpdatesTesting:
ldns-utils-1.6.17-5.1.mga5
lib64ldns1-1.6.17-5.1.mga5
python-ldns-1.6.17-5.1.mga5

It offers many programs:
drill ldns-compare-zones ldns-chaos ldnsd ldns-dane ldns-dpa ldns-gen-zone ldns-key2ds ldns-keyfetcher ldns-keygen ldns-mx ldns-notify ldns-nsec3-hash ldns-read-zone ldns-resolver ldns-revoke ldns-rrsig ldns-signzone ldns-test-edns ldns-testns ldns-update ldns-verify-zone ldns-version ldns-walk ldns-zcat ldns-zsplit

There are man pages, at least for: drill, ldnsd, ldns-mx, ldns-keygen.

Ah: here is a PoC for CVE-2017-1000231:
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256
for which I will attach the test file:
https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=392
...
$ ldns-read-zone Desktop/ldns_crash
Syntax error, could not parse the RR at 8718

Alas, this should be tried *before* the update - somebody else, please try that - it should crash.

And another PoC for CVE-2017-1000232:
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257
for which again I will attach the test file:
https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=394
...
$ ldns-read-zone Desktop/ldns_crash2
Syntax error, could not parse the RR's rdata at 0

Again, before the update, this should have crashed. Somebody else please try it.
-------------------------------------------------
Test procedure (Claire again to the rescue):
https://bugs.mageia.org/show_bug.cgi?id=13324#c3

$ ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.net
[took forever]
Kexample.net.+007+57368

$ ls -l Kexample*
-rw-rw-r-- 1 lewis lewis 70 Rha 29 13:57 Kexample.net.+007+57368.ds
-rw-rw-r-- 1 lewis lewis 242 Rha 29 13:57 Kexample.net.+007+57368.key
-rw------- 1 lewis lewis 943 Rha 29 13:57 Kexample.net.+007+57368.private

$ ldns-mx mageia.org
mageia.org. 1800 IN MX 10 sucuk.mageia.org.
mageia.org. 1800 IN MX 20 krampouezh.mageia.org.

$ drill mageia.org @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 22105
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; mageia.org. IN A
;; ANSWER SECTION:
mageia.org. 491 IN A 163.172.148.228
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 43 msec
;; SERVER: 8.8.8.8
;; WHEN: Fri Dec 29 14:01:29 2017
;; MSG SIZE rcvd: 44

All these results accord with the reference test. With the PoC files not crashing, this update warrants OK.
Keywords: (none) => advisory, has_procedure
CC: (none) => lewyssmith
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Created attachment 9863
Test file for CVE-2017-1000231

Before the update,
$ ldns-read-zone ldns_crash
should crash.
Created attachment 9864
Test file for CVE-2017-1000232

Before the update,
$ ldns-read-zone ldns_crash2
should crash.
Testing M6/64

Installed from normal repos:
ldns-utils-1.6.17-8.mga6
lib64ldns1-1.6.17-8.mga6
python-ldns-1.6.17-8.mga6

BEFORE update, tried the two PoCs:

$ ldns-read-zone ldns_crash
*** Error in `ldns-read-zone': double free or corruption (!prev): 0x0000000000f5d280 ***
======= Backtrace: =========
...
Aborted (core dumped)
[great]

$ ldns-read-zone ldns_crash2
*** Error in `ldns-read-zone': double free or corruption (fasttop): 0x00000000023f1350 ***
======= Backtrace: =========
...
Aborted (core dumped)
[great again]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
AFTER update to:
- ldns-utils-1.6.17-8.1.mga6.x86_64
- lib64ldns1-1.6.17-8.1.mga6.x86_64
- python-ldns-1.6.17-8.1.mga6.x86_64

The PoCs again - both conclusive improvements:

$ ldns-read-zone ldns_crash
Syntax error, could not parse the RR at 8718

$ ldns-read-zone ldns_crash2
Syntax error, could not parse the RR's rdata at 0

Claire's tests again, see C5:

$ ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.net
Kexample.net.+007+12713
[This happened instantaneously, c.f. C5]

$ ls -l Kexample*
-rw-rw-r-- 1 lewis lewis 70 Rha 31 21:45 Kexample.net.+007+12713.ds
-rw-rw-r-- 1 lewis lewis 242 Rha 31 21:45 Kexample.net.+007+12713.key
-rw------- 1 lewis lewis 943 Rha 31 21:45 Kexample.net.+007+12713.private

$ ldns-mx mageia.org
mageia.org. 1800 IN MX 10 sucuk.mageia.org.
mageia.org. 1800 IN MX 20 krampouezh.mageia.org.

$ ldns-mx mageia.org
mageia.org. 1800 IN MX 10 sucuk.mageia.org.
mageia.org. 1800 IN MX 20 krampouezh.mageia.org.
[lewis@localhost ~]$
[lewis@localhost ~]$ drill mageia.org @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41494
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; mageia.org. IN A
;; ANSWER SECTION:
mageia.org. 676 IN A 163.172.148.228
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 39 msec
;; SERVER: 8.8.8.8
;; WHEN: Sun Dec 31 21:49:19 2017
;; MSG SIZE rcvd: 44

all of which accord to the model.
Update x64 OK, validating.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
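
The before/after PoC check used in the tests above can be scripted so that a crash (abort on a double free) is told apart from a clean "Syntax error" rejection by exit status. This is an added example, not part of the original thread or of ldns; the function names and the two stub parsers are constructed stand-ins for the unpatched and patched ldns-read-zone so that it runs without the attachments.

```shell
#!/bin/sh
# Added example: classify how a zone parser handles one PoC file.
#   crash    - killed by a signal (SIGABRT from glibc's heap check => status 134)
#   rejected - exited non-zero by itself ("Syntax error, could not parse the RR ...")
#   parsed   - exited 0
# $1 = zone file; remaining args = parser command (default: ldns-read-zone).
classify_run() {
    zone=$1; shift
    [ $# -gt 0 ] || set -- ldns-read-zone
    err=$("$@" "$zone" 2>&1 >/dev/null) && status=0 || status=$?
    # Secondary signal: glibc's abort message, when it reaches stderr.
    case $err in *'double free or corruption'*) status=134 ;; esac
    if [ "$status" -gt 128 ]; then echo crash
    elif [ "$status" -ne 0 ]; then echo rejected
    else echo parsed
    fi
}

# Return 0 only if no PoC file crashes the parser. $1 = parser; rest = PoC files.
verify_fix() {
    parser=$1; shift
    rc=0
    for poc in "$@"; do
        verdict=$(classify_run "$poc" "$parser")
        printf '%s: %s\n' "$poc" "$verdict"
        if [ "$verdict" = crash ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed stand-ins (assumptions, not real ldns binaries): one dies by
# SIGABRT like the pre-update run, one rejects the input like the updated one.
stub_unpatched() { sh -c 'ulimit -c 0; kill -s ABRT $$'; }
stub_patched() { echo "Syntax error, could not parse the RR at 8718" >&2; return 1; }

verify_fix stub_unpatched ldns_crash ldns_crash2 || echo "unpatched stub: FAIL"
verify_fix stub_patched ldns_crash ldns_crash2 && echo "patched stub: OK"
```

Against a real install, run `verify_fix ldns-read-zone ldns_crash ldns_crash2` with the two attached test files in the current directory.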
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0003.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED