bind9: CVE-2018-5735: assertion failure in validator.c:1858

Debian Bug report logs - #889285
bind9: CVE-2018-5735: assertion failure in validator.c:1858

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vladislav Kurz <vladislav.kurz@webstep.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: bind9: CVE-2017-3139 affects debian too: assertion failure in validator.c:1858

Date: Sat, 03 Feb 2018 11:12:30 +0100

Package: bind9
Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
Severity: grave
Tags: security
Justification: renders package unusable

Dear Maintainer,

This is a followup to archived bug #860225.

Although
https://security-tracker.debian.org/tracker/CVE-2017-3139 states that
debian is not affected by CVE-2017-3139, I observed this behavior on
debian wheezy:

Feb  3 08:38:07 server named[16906]: validator.c:1858: INSIST(rdataset->type == ((dns_rdatatype_t)dns_rdatatype_dnskey)) failed, back trace
Feb  3 08:38:07 server named[16906]: #0 0x7f9b66798e19 in ??
Feb  3 08:38:07 server named[16906]: #1 0x7f9b650d5f3a in ??
Feb  3 08:38:07 server named[16906]: #2 0x7f9b66094e57 in ??
Feb  3 08:38:07 server named[16906]: #3 0x7f9b6609b599 in ??
Feb  3 08:38:07 server named[16906]: #4 0x7f9b650f4dfd in ??
Feb  3 08:38:07 server named[16906]: #5 0x7f9b64aa8b50 in ??
Feb  3 08:38:07 server named[16906]: #6 0x7f9b64492fbd in ??
Feb  3 08:38:07 server named[16906]: exiting (due to assertion failure)

Ondrej Zary reported this on Sat, 02 Sep 2017 in bug #860225 but it
was closed and archived without answer. May I ask why?

I had a look in the relevant bug report at redhat, but they do not
provide much details https://bugzilla.redhat.com/show_bug.cgi?id=1447743
So I'm not 100% sure it is the same bug.


*** Please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these lines ***


-- System Information:
Debian Release: 7.11
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-5-686-pae (SMP w/1 CPU core)
Locale: LANG=sk_SK, LC_CTYPE=sk_SK (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages bind9 depends on:
ii  adduser                3.113+nmu3
ii  bind9utils             1:9.8.4.dfsg.P1-6+nmu2+deb7u19
ii  debconf [debconf-2.0]  1.5.49
ii  libbind9-80            1:9.8.4.dfsg.P1-6+nmu2+deb7u19
ii  libc6                  2.13-38+deb7u12
ii  libcap2                1:2.22-1.2
ii  libdns88               1:9.8.4.dfsg.P1-6+nmu2+deb7u19
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u9
ii  libisc84               1:9.8.4.dfsg.P1-6+nmu2+deb7u19
ii  libisccc80             1:9.8.4.dfsg.P1-6+nmu2+deb7u19
ii  libisccfg82            1:9.8.4.dfsg.P1-6+nmu2+deb7u19
ii  liblwres80             1:9.8.4.dfsg.P1-6+nmu2+deb7u19
ii  libssl1.0.0            1.0.1t-1+deb7u3
ii  libxml2                2.8.0+dfsg1-7+wheezy12
ii  lsb-base               4.1+Debian8+deb7u1
ii  net-tools              1.60-24.2
ii  netbase                5.0

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.8.4.dfsg.P1-6+nmu2+deb7u19
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";

/etc/bind/named.conf.options changed:
options {
	directory "/var/cache/bind";
	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.
	// forwarders {
	// 	0.0.0.0;
	// };
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { none; };
	listen-on { 127.0.0.1; };
	dnssec-enable yes;
	dnssec-validation auto;
	dnssec-lookaside auto;
};


-- debconf information:
  bind9/different-configuration-file:
  bind9/run-resolvconf: true
  bind9/start-as-user: bind

Message #10 received at 889285@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>

To: Vladislav Kurz <vladislav.kurz@webstep.net>, 889285@bugs.debian.org

Subject: Re: [Pkg-dns-devel] Bug#889285: bind9: CVE-2017-3139 affects debian too: assertion failure in validator.c:1858

Date: Sat, 3 Feb 2018 11:24:41 +0100

Control: tags -1 +wheezy

You should probably contact the Debian LTS team as it affects wheezy that’s maintained by LTS Team.

Ondrej
--
Ondřej Surý <ondrej@sury.org>

> On 3 Feb 2018, at 11:12, Vladislav Kurz <vladislav.kurz@webstep.net> wrote:
> 
> Package: bind9
> Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> Severity: grave
> Tags: security
> Justification: renders package unusable
> 
> Dear Maintainer,
> 
> This is a followup to archived bug #860225.
> 
> Although
> https://security-tracker.debian.org/tracker/CVE-2017-3139 states that
> debian is not affected by CVE-2017-3139, I observed this behavior on
> debian wheezy:
> 
> Feb  3 08:38:07 server named[16906]: validator.c:1858: INSIST(rdataset->type == ((dns_rdatatype_t)dns_rdatatype_dnskey)) failed, back trace
> Feb  3 08:38:07 server named[16906]: #0 0x7f9b66798e19 in ??
> Feb  3 08:38:07 server named[16906]: #1 0x7f9b650d5f3a in ??
> Feb  3 08:38:07 server named[16906]: #2 0x7f9b66094e57 in ??
> Feb  3 08:38:07 server named[16906]: #3 0x7f9b6609b599 in ??
> Feb  3 08:38:07 server named[16906]: #4 0x7f9b650f4dfd in ??
> Feb  3 08:38:07 server named[16906]: #5 0x7f9b64aa8b50 in ??
> Feb  3 08:38:07 server named[16906]: #6 0x7f9b64492fbd in ??
> Feb  3 08:38:07 server named[16906]: exiting (due to assertion failure)
> 
> Ondrej Zary reported this on Sat, 02 Sep 2017 in bug #860225 but it
> was closed and archived without answer. May I ask why?
> 
> I had a look in the relevant bug report at redhat, but they do not
> provide much details https://bugzilla.redhat.com/show_bug.cgi?id=1447743
> So I'm not 100% sure it is the same bug.
> 
> 
> *** Please consider answering these questions, where appropriate ***
> 
>   * What led up to the situation?
>   * What exactly did you do (or not do) that was effective (or
>     ineffective)?
>   * What was the outcome of this action?
>   * What outcome did you expect instead?
> 
> *** End of the template - remove these lines ***
> 
> 
> -- System Information:
> Debian Release: 7.11
>  APT prefers oldoldstable
>  APT policy: (500, 'oldoldstable')
> Architecture: i386 (i686)
> 
> Kernel: Linux 3.2.0-5-686-pae (SMP w/1 CPU core)
> Locale: LANG=sk_SK, LC_CTYPE=sk_SK (charmap=ISO-8859-2)
> Shell: /bin/sh linked to /bin/bash
> 
> Versions of packages bind9 depends on:
> ii  adduser                3.113+nmu3
> ii  bind9utils             1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii  debconf [debconf-2.0]  1.5.49
> ii  libbind9-80            1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii  libc6                  2.13-38+deb7u12
> ii  libcap2                1:2.22-1.2
> ii  libdns88               1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u9
> ii  libisc84               1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii  libisccc80             1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii  libisccfg82            1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii  liblwres80             1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii  libssl1.0.0            1.0.1t-1+deb7u3
> ii  libxml2                2.8.0+dfsg1-7+wheezy12
> ii  lsb-base               4.1+Debian8+deb7u1
> ii  net-tools              1.60-24.2
> ii  netbase                5.0
> 
> bind9 recommends no packages.
> 
> Versions of packages bind9 suggests:
> pn  bind9-doc   <none>
> ii  dnsutils    1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> pn  resolvconf  <none>
> pn  ufw         <none>
> 
> -- Configuration Files:
> /etc/bind/named.conf.local changed:
> //
> // Do any local configuration here
> //
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> include "/etc/bind/zones.rfc1918";
> 
> /etc/bind/named.conf.options changed:
> options {
>    directory "/var/cache/bind";
>    // If there is a firewall between you and nameservers you want
>    // to talk to, you may need to fix the firewall to allow multiple
>    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>    // If your ISP provided one or more IP addresses for stable 
>    // nameservers, you probably want to use them as forwarders.  
>    // Uncomment the following block, and insert the addresses replacing 
>    // the all-0's placeholder.
>    // forwarders {
>    //    0.0.0.0;
>    // };
>    auth-nxdomain no;    # conform to RFC1035
>    listen-on-v6 { none; };
>    listen-on { 127.0.0.1; };
>    dnssec-enable yes;
>    dnssec-validation auto;
>    dnssec-lookaside auto;
> };
> 
> 
> -- debconf information:
>  bind9/different-configuration-file:
>  bind9/run-resolvconf: true
>  bind9/start-as-user: bind
> 
> _______________________________________________
> pkg-dns-devel mailing list
> pkg-dns-devel@lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-dns-devel

Message #17 received at 889285@bugs.debian.org (full text, mbox, reply):

From: Roberto C. Sánchez <roberto@debian.org>

To: debian-lts@lists.debian.org, 889285@bugs.debian.org

Subject: Re: bind9: CVE-2017-3139 affects debian too

Date: Sat, 3 Feb 2018 08:53:26 -0500

On Sat, Feb 03, 2018 at 02:37:14PM +0100, Vladislav Kurz wrote:
> Hello LTS team,
> 
> please have a look at
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889285
> 
> I think it is the same bug as CVE-2017-3139 which was considered to affect
> only RedHat, but it seems to affect debian wheezy too.
> 
> Please check if it is possible to apply the same fixes as RedHat did.
> Or at leas update the bind package in wheezy-backports to match the version
> and security fixes from debian jesssie.
> 
I am taking a look at this now.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Message #22 received at 889285@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Vladislav Kurz <vladislav.kurz@webstep.net>, 889285@bugs.debian.org

Cc: Roberto C. Sánchez <roberto@debian.org>

Subject: Re: Bug#889285: bind9: CVE-2017-3139 affects debian too: assertion failure in validator.c:1858

Date: Sat, 3 Feb 2018 17:17:01 +0100

Control: retitle -1 bind9: assertion failure in validator.c:1858

Hi

On Sat, Feb 03, 2018 at 11:12:30AM +0100, Vladislav Kurz wrote:
> This is a followup to archived bug #860225.
> 
> Although
> https://security-tracker.debian.org/tracker/CVE-2017-3139 states that
> debian is not affected by CVE-2017-3139, I observed this behavior on
> debian wheezy:
> 
> Feb  3 08:38:07 server named[16906]: validator.c:1858: INSIST(rdataset->type == ((dns_rdatatype_t)dns_rdatatype_dnskey)) failed, back trace
> Feb  3 08:38:07 server named[16906]: #0 0x7f9b66798e19 in ??
> Feb  3 08:38:07 server named[16906]: #1 0x7f9b650d5f3a in ??
> Feb  3 08:38:07 server named[16906]: #2 0x7f9b66094e57 in ??
> Feb  3 08:38:07 server named[16906]: #3 0x7f9b6609b599 in ??
> Feb  3 08:38:07 server named[16906]: #4 0x7f9b650f4dfd in ??
> Feb  3 08:38:07 server named[16906]: #5 0x7f9b64aa8b50 in ??
> Feb  3 08:38:07 server named[16906]: #6 0x7f9b64492fbd in ??
> Feb  3 08:38:07 server named[16906]: exiting (due to assertion failure)
> 
> Ondrej Zary reported this on Sat, 02 Sep 2017 in bug #860225 but it
> was closed and archived without answer. May I ask why?

The bug was about CVE-2017-3137, it's never a good idea to mix up
things ;-). Anyway thanks that you took action and filled a new bug
for this issue you are experiencing.

JTR, since Red Hat does not provide much details on the CVE-2017-3139
we cannot say Debian is affected as well by this very same CVE. Since
it's not clear, what CVE-2017-3139 is in detail, I have removed the
CVE in the subject of this bug.

What seem clear is that apparently a fix in Debian wheezy's bind9
version causes the regression you notices. Thus I suggest the LTS team
to try to find the defective patch introducing the issue and then
issue just a regression update (without referencing CVE-2017-3139. If
its on the other hand clear that Debian wheezy used the very same
patch for a previous issue, and CVE-2017-3139 applies as well for
Debian wheezy, then obviously it's fine to use the CVE).

Regards,
Salvatore

Message #29 received at 889285@bugs.debian.org (full text, mbox, reply):

From: Roberto C. Sánchez <roberto@debian.org>

To: debian-lts@lists.debian.org, 889285@bugs.debian.org

Cc: Vladislav Kurz <vladislav.kurz@webstep.net>, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#889285: bind9: CVE-2017-3139 affects debian too: assertion failure in validator.c:1858

Date: Wed, 7 Feb 2018 23:21:39 -0500

[Message part 1 (text/plain, inline)]

On Sat, Feb 03, 2018 at 05:17:01PM +0100, Salvatore Bonaccorso wrote:
> 
> The bug was about CVE-2017-3137, it's never a good idea to mix up
> things ;-).

This is true.  However, it appears that Ondrej Zary's comment to #860225
on 2017-09-02 is in fact related to CVE-2017-3139.  Since one of the
bind9 maintainers was the one to raise the issue of CVE-2017-3139 in
that same bug, I don't see a related follow-up report from a user to be
problematic.

> Anyway thanks that you took action and filled a new bug
> for this issue you are experiencing.
> 
> JTR, since Red Hat does not provide much details on the CVE-2017-3139
> we cannot say Debian is affected as well by this very same CVE. Since
> it's not clear, what CVE-2017-3139 is in detail, I have removed the
> CVE in the subject of this bug.
> 
It is true that there is information provided by RedHat regarding the
details of the vulnerability.  The RHSA mentioned in #860225 is also
linked from this RedHat BZ:

https://bugzilla.redhat.com/show_bug.cgi?id=1447743

However, there are no useful details there either.  I did some digging
and located the bind9 source RPM references in RHSA-2017:1202 and its
immediate predecessor.  By comparing the packages, I was able to
identify the specific patch that was associated with that RHSA.  I have
attached the patch to this email.  The name of the patch refers to
another RedHat BZ entry:

https://bugzilla.redhat.com/show_bug.cgi?id=1447407

That one is not accessible to the public, so we have no way of knowing
the details there.  Additionally, the related upstream RT tickets are
also not public.

Note that the attached patch appears to be based on commit
07dbb507d2913fc35c7edbe3692a976e3248a911 from upstream's git repository:

https://source.isc.org/git/bind9.git

The upstream changes appear to include a hunk in resolver.c which does
not appear in the RedHat patch.  That chunk would also not apply to the
wheezy version of bind9.

> What seem clear is that apparently a fix in Debian wheezy's bind9
> version causes the regression you notices. Thus I suggest the LTS team
> to try to find the defective patch introducing the issue and then
> issue just a regression update (without referencing CVE-2017-3139. If
> its on the other hand clear that Debian wheezy used the very same
> patch for a previous issue, and CVE-2017-3139 applies as well for
> Debian wheezy, then obviously it's fine to use the CVE).
> 
I examined the changes made from 9.8.4.dfsg.P1-6+nmu2+deb7u15 to
9.8.4.dfsg.P1-6+nmu2+deb7u16, which included fixes for CVE-2017-3136,
CVE-2017-3137, and CVE-2017-3138.  After examining the changes and
comparing them to the related upstream commits, I am convinced that the
fix for CVE-2017-3137 in 9.8.4.dfsg.P1-6+nmu2+deb7u16 is correct and
complete.  I would consider my examination thorough, but not exhaustive
owing to the large volume of change and some departures that are clearly
a result of the upsteam changes being backported to the bind9 in wheezy.
I am further convinced that the problem reported by Ondrej Zary in
#860225 and by Vladislav Kurz are both identical occurrences of
CVE-2017-3139.

In order to confirm the latter hypothesis, I built the current wheezy
version of bind9 and ran the dnssec test.  The test passed.  I then
stripped the changes to validator.c from the attached patch and applied
the remainder to the current wheezy version of bind9, built, and ran the
dnssec test again.  This time the test failed.  This seems to indicate
that the version of bind9 in wheezy is vulnerable to CVE-2017-3139.  I
then applied the remaining validator.c changes, rebuilt, and ran the
dnssec test again.  This time the test passed.

Based on these findings, I conclude that wheezy bind9 is vulnerable to
CVE-2017-3139.  I propose to do the following:

- Mark CVE-2017-3139 as affecting wheezy in the security tracker
- Prepare and upload a version 9.8.4.dfsg.P1-6+nmu2+deb7u20 upload that
  incorporates the CVE-2017-3139 patch from RedHat (and which closes
  this bug, #889285)
- Release a DLA per the normal procedure

I am now in the process of preparing the package for upload, but I will
wait a couple of days to allow for any objections and/or suggestions.

Regards,

-Roberto

-- 
Roberto C. Sánchez

[bind99-rh4447407.patch (text/x-diff, attachment)]

Message #42 received at 889285-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: control@bugs.debian.org

Cc: 889285-submitter@bugs.debian.org

Subject: closing 889285

Date: Fri, 16 Feb 2018 23:07:37 +0100

close 889285 1:9.8.4.dfsg.P1-6+nmu2+deb7u20
thanks

Message #47 received at 889285-quiet@bugs.debian.org (full text, mbox, reply):

From: Vladislav Kurz <vladislav.kurz@webstep.net>

To: Salvatore Bonaccorso <carnil@debian.org>,889285-quiet@bugs.debian.org,control@bugs.debian.org

Cc: 889285-submitter@bugs.debian.org

Subject: Re: Bug#889285: closing 889285

Date: Sat, 17 Feb 2018 00:41:10 +0100

Why are you closing this bug? The fix is not yet available in package repositories... 
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

16. února 2018 23:07:37 SEČ, Salvatore Bonaccorso <carnil@debian.org> napsal:
>close 889285 1:9.8.4.dfsg.P1-6+nmu2+deb7u20
>thanks

Message #55 received at 889285@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Vladislav Kurz <vladislav.kurz@webstep.net>

Cc: 889285@bugs.debian.org

Subject: Re: Bug#889285: closing 889285

Date: Sat, 17 Feb 2018 08:36:35 +0100

Hi Vladislav,

On Sat, Feb 17, 2018 at 12:41:10AM +0100, Vladislav Kurz wrote:
> Why are you closing this bug? The fix is not yet available in package repositories... 

Are you sure it's not available?

The announce is

https://lists.debian.org/debian-lts-announce/2018/02/msg00020.html
(the version used in the announce misses the epoch)

The version I used for fixing the bug is the one Robert has uploaded.

root@wheezy-amd64:~# apt-cache policy bind9
bind9:
  Installed: (none)
  Candidate: 1:9.8.4.dfsg.P1-6+nmu2+deb7u20
  Version table:
     1:9.8.4.dfsg.P1-6+nmu2+deb7u20 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
     1:9.8.4.dfsg.P1-6+nmu2+deb7u10 0
        500 http://httpredir.debian.org/debian/ wheezy/main amd64 Packages
root@wheezy-amd64:~#

It should be available on all security mirrors already.

Hope this helps,

Regards,
Salvatore

Message #60 received at 889285@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Vladislav Kurz <vladislav.kurz@webstep.net>

Cc: 889285@bugs.debian.org

Subject: Re: Bug#889285: closing 889285

Date: Sat, 17 Feb 2018 09:37:40 +0100

Hi Vladislav,

On Sat, Feb 17, 2018 at 09:26:54AM +0100, Vladislav Kurz wrote:
> Hello Salvatore, 
> 
> I'm sorry. I missed the announcement, as it was filtered into
> another folder of my mailbox... I was confused by the brevity of the
> previous email, which said just that the bug was closed, without
> further details.

Don't worry. I was confused about the statement that the package was
not available so I did need/wanted to double-check.

Btw, if you wonder: We queried about the issue ISC, and as you might
have noticed I got a new CVE id assigned.

Regards,
Salvatore

Message #65 received at 889285@bugs.debian.org (full text, mbox, reply):

From: Vladislav Kurz <vladislav.kurz@webstep.net>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 889285@bugs.debian.org

Subject: Re: Bug#889285: closing 889285

Date: Sat, 17 Feb 2018 09:26:54 +0100

Hello Salvatore, 

I'm sorry. I missed the announcement, as it was filtered into another folder of my mailbox... I was confused by the brevity of the previous email, which said just that the bug was closed, without further details.

I should not answer emails on Friday night... Sorry once more
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Send a report that this bug log contains spam.