Debian Bug report logs -
#839051
bind9: CVE-2016-2848: A packet with malformed options can trigger an assertion failure
Reported by: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 28 Sep 2016 07:15:02 UTC
Severity: grave
Tags: fixed-upstream, security, upstream, wheezy
Found in versions bind9/1:9.8.4.dfsg.P1-6, bind9/1:9.8.4.dfsg.P1-6+nmu2+deb7u10
Fixed in versions bind9/1:9.9.3.dfsg.P2-1, 1:9.8.4.dfsg.P1-6+nmu2+deb7u12
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>
:
Bug#839051
; Package bind9
.
(Wed, 28 Sep 2016 07:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Florian Weimer <fw@deneb.enyo.de>
:
New Bug report received and forwarded. Copy sent to LaMont Jones <lamont@debian.org>
.
(Wed, 28 Sep 2016 07:15:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: bind9
Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u10
Tags: security wheezy
Severity: grave
The wheezy LTS version of bind9 has an additional crasher bug. It may
be due to an incomplete backport of the fix for CVE-2015-5477. I'm
attaching the reproducer.
Upstream BIND without the fix for CVE-2016-2776 is *not* affected by
this issue, so it is something else.
[bind9.pl (text/x-perl, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>
:
Bug#839051
; Package bind9
.
(Tue, 04 Oct 2016 17:57:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Thorsten Alteholz <debian@alteholz.de>
:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>
.
(Tue, 04 Oct 2016 17:57:06 GMT) (full text, mbox, link).
Message #10 received at 839051@bugs.debian.org (full text, mbox, reply):
Hi Florian,
On Wed, 28 Sep 2016, Florian Weimer wrote:
> While trying to write a reproducer for CVE-2016-2776, I discovered
> that the 1:9.8.4.dfsg.P1-6+nmu2+deb7u10 version in wheezy would crash,
> while unpatched jessie and upstream would not:
>
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839051>
>
> This might be due to an incomplete fix for CVE-2015-5477. If the
> entire fix is missing, you can probably reuse the CVE ID. If not,
> please let us know, and we'll assign a new ID once you have a patch.
according to [1] the fix for CVE-2015-5477 is just one line, which is
applied correctly in 9.8.4.dfsg.P1-6+nmu2+deb7u6.
Also 9.8.4.dfsg.P1-6+nmu2+deb7u2 crashes as well with your script, so this
seems to be a different problem.
Thorsten
[1] https://kb.isc.org/getAttach/118/AA-01272/cve-2015-5477.patch.txt
Information forwarded
to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>
:
Bug#839051
; Package bind9
.
(Thu, 06 Oct 2016 11:09:06 GMT) (full text, mbox, link).
Acknowledgement sent
to "Shaun Bugler - Hetzner (Pty) Ltd" <sb@hetzner.co.za>
:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>
.
(Thu, 06 Oct 2016 11:09:06 GMT) (full text, mbox, link).
Message #15 received at 839051@bugs.debian.org (full text, mbox, reply):
On 04/10/2016 19:52, Thorsten Alteholz wrote:
> Hi Florian,
>
> On Wed, 28 Sep 2016, Florian Weimer wrote:
>
>> While trying to write a reproducer for CVE-2016-2776, I discovered
>> that the 1:9.8.4.dfsg.P1-6+nmu2+deb7u10 version in wheezy would crash,
>> while unpatched jessie and upstream would not:
>>
>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839051>
>>
>> This might be due to an incomplete fix for CVE-2015-5477. If the
>> entire fix is missing, you can probably reuse the CVE ID. If not,
>> please let us know, and we'll assign a new ID once you have a patch.
>
> according to [1] the fix for CVE-2015-5477 is just one line, which is
> applied correctly in 9.8.4.dfsg.P1-6+nmu2+deb7u6.
> Also 9.8.4.dfsg.P1-6+nmu2+deb7u2 crashes as well with your script, so
> this seems to be a different problem.
>
> Thorsten
>
> [1] https://kb.isc.org/getAttach/118/AA-01272/cve-2015-5477.patch.txt
>
>
I think we are dealing with a different problem here, as Thorsten says
the patch for CVE-2015-5477 seems to be applied correctly in code, yet
9.8.4.dfsg.P1-6+nmu2+deb7u11 is still affected:
http://pastebin.com/2hV7vdzg
The version in jessie ,9.9.5.dfsg-9+deb8u7, is unaffected.
Shaun
Changed Bug title to 'bind9: A packet with malformed options can trigger an assertion failure' from 'bind9: Unfixed crasher bug in wheezy LTS'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 20 Oct 2016 18:24:02 GMT) (full text, mbox, link).
Marked as found in versions bind9/1:9.8.4.dfsg.P1-6.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 20 Oct 2016 18:24:03 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 20 Oct 2016 18:24:03 GMT) (full text, mbox, link).
Marked as fixed in versions bind9/1:9.9.3.dfsg.P2-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 20 Oct 2016 18:24:04 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 20 Oct 2016 18:24:04 GMT) (full text, mbox, link).
Notification sent
to Florian Weimer <fw@deneb.enyo.de>
:
Bug acknowledged by developer.
(Thu, 20 Oct 2016 18:24:05 GMT) (full text, mbox, link).
Message sent on
to Florian Weimer <fw@deneb.enyo.de>
:
Bug#839051.
(Thu, 20 Oct 2016 18:24:10 GMT) (full text, mbox, link).
Message #30 received at 839051-submitter@bugs.debian.org (full text, mbox, reply):
retitle 839051 bind9: A packet with malformed options can trigger an assertion failure
found 839051 1:9.8.4.dfsg.P1-6
tags 839051 + upstream fixed-upstream
close 839051 1:9.9.3.dfsg.P2-1
thanks
Marked as fixed in versions 1:9.8.4.dfsg.P1-6+nmu2+deb7u12.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 20 Oct 2016 18:30:02 GMT) (full text, mbox, link).
Changed Bug title to 'bind9: CVE-2016-2848: A packet with malformed options can trigger an assertion failure' from 'bind9: A packet with malformed options can trigger an assertion failure'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 20 Oct 2016 18:30:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Wed, 21 Jun 2017 07:27:19 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:08:45 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.