bind9: CVE-2016-2848: A packet with malformed options can trigger an assertion failure


Debian Bug report logs - #839051


Package: bind9; Maintainer for bind9 is Debian DNS Team <team+dns@tracker.debian.org>; Source for bind9 is src:bind9.

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Wed, 28 Sep 2016 07:15:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream, wheezy

Found in versions bind9/1:9.8.4.dfsg.P1-6, bind9/1:9.8.4.dfsg.P1-6+nmu2+deb7u10

Fixed in versions bind9/1:9.9.3.dfsg.P2-1, 1:9.8.4.dfsg.P1-6+nmu2+deb7u12

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#839051; Package bind9. (Wed, 28 Sep 2016 07:15:04 GMT)


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 28 Sep 2016 07:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: bind9: Unfixed crasher bug in wheezy LTS
Date: Wed, 28 Sep 2016 09:11:12 +0200
Package: bind9
Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u10
Tags: security wheezy
Severity: grave

The wheezy LTS version of bind9 has an additional crasher bug.  It may
be due to an incomplete backport of the fix for CVE-2015-5477.  I'm
attaching the reproducer.

Upstream BIND without the fix for CVE-2016-2776 is *not* affected by
this issue, so it is something else.
[bind9.pl (text/x-perl, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#839051; Package bind9. (Tue, 04 Oct 2016 17:57:06 GMT)


Acknowledgement sent to Thorsten Alteholz <debian@alteholz.de>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Tue, 04 Oct 2016 17:57:06 GMT)


Message #10 received at 839051@bugs.debian.org:

From: Thorsten Alteholz <debian@alteholz.de>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: debian-lts@lists.debian.org, 839051@bugs.debian.org
Subject: Re: wheezy-specific bind9 issue
Date: Tue, 4 Oct 2016 19:52:30 +0200 (CEST)
Hi Florian,

On Wed, 28 Sep 2016, Florian Weimer wrote:

> While trying to write a reproducer for CVE-2016-2776, I discovered
> that the 1:9.8.4.dfsg.P1-6+nmu2+deb7u10 version in wheezy would crash,
> while unpatched jessie and upstream would not:
>
>  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839051>
>
> This might be due to an incomplete fix for CVE-2015-5477.  If the
> entire fix is missing, you can probably reuse the CVE ID.  If not,
> please let us know, and we'll assign a new ID once you have a patch.

according to [1] the fix for CVE-2015-5477 is just one line, which is 
applied correctly in 9.8.4.dfsg.P1-6+nmu2+deb7u6.
Also 9.8.4.dfsg.P1-6+nmu2+deb7u2 crashes as well with your script, so this 
seems to be a different problem.

  Thorsten

[1] https://kb.isc.org/getAttach/118/AA-01272/cve-2015-5477.patch.txt

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#839051; Package bind9. (Thu, 06 Oct 2016 11:09:06 GMT)


Acknowledgement sent to "Shaun Bugler - Hetzner (Pty) Ltd" <sb@hetzner.co.za>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Thu, 06 Oct 2016 11:09:06 GMT)


Message #15 received at 839051@bugs.debian.org:

From: "Shaun Bugler - Hetzner (Pty) Ltd" <sb@hetzner.co.za>
To: debian-lts@lists.debian.org
Cc: 839051@bugs.debian.org
Subject: Re: wheezy-specific bind9 issue
Date: Thu, 6 Oct 2016 12:24:36 +0200
On 04/10/2016 19:52, Thorsten Alteholz wrote:
> Hi Florian,
>
> On Wed, 28 Sep 2016, Florian Weimer wrote:
>
>> While trying to write a reproducer for CVE-2016-2776, I discovered
>> that the 1:9.8.4.dfsg.P1-6+nmu2+deb7u10 version in wheezy would crash,
>> while unpatched jessie and upstream would not:
>>
>>  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839051>
>>
>> This might be due to an incomplete fix for CVE-2015-5477.  If the
>> entire fix is missing, you can probably reuse the CVE ID.  If not,
>> please let us know, and we'll assign a new ID once you have a patch.
>
> according to [1] the fix for CVE-2015-5477 is just one line, which is 
> applied correctly in 9.8.4.dfsg.P1-6+nmu2+deb7u6.
> Also 9.8.4.dfsg.P1-6+nmu2+deb7u2 crashes as well with your script, so 
> this seems to be a different problem.
>
>   Thorsten
>
> [1] https://kb.isc.org/getAttach/118/AA-01272/cve-2015-5477.patch.txt
>
>
I think we are dealing with a different problem here, as Thorsten says 
the patch for CVE-2015-5477 seems to be applied correctly in code, yet
9.8.4.dfsg.P1-6+nmu2+deb7u11 is still affected:
http://pastebin.com/2hV7vdzg

The version in jessie, 9.9.5.dfsg-9+deb8u7, is unaffected.

Shaun

Changed Bug title to 'bind9: A packet with malformed options can trigger an assertion failure' from 'bind9: Unfixed crasher bug in wheezy LTS'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Oct 2016 18:24:02 GMT)


Marked as found in versions bind9/1:9.8.4.dfsg.P1-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Oct 2016 18:24:03 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Oct 2016 18:24:03 GMT)


Marked as fixed in versions bind9/1:9.9.3.dfsg.P2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Oct 2016 18:24:04 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Oct 2016 18:24:04 GMT)


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (Thu, 20 Oct 2016 18:24:05 GMT)


Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#839051. (Thu, 20 Oct 2016 18:24:10 GMT)


Message #30 received at 839051-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 839051-submitter@bugs.debian.org
Subject: retitle 839051 to bind9: A packet with malformed options can trigger an assertion failure ...
Date: Thu, 20 Oct 2016 20:21:14 +0200
retitle 839051 bind9: A packet with malformed options can trigger an assertion failure
found 839051 1:9.8.4.dfsg.P1-6
tags 839051 + upstream fixed-upstream
close 839051 1:9.9.3.dfsg.P2-1
thanks

Marked as fixed in versions 1:9.8.4.dfsg.P1-6+nmu2+deb7u12. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Oct 2016 18:30:02 GMT)


Changed Bug title to 'bind9: CVE-2016-2848: A packet with malformed options can trigger an assertion failure' from 'bind9: A packet with malformed options can trigger an assertion failure'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Oct 2016 18:30:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Jun 2017 07:27:19 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:08:45 2019; Machine Name: beach