Re: [SECURITY] [DLA 2955-1] bind9 security update

Andreas Schulz Sat, 19 Mar 2022 08:15:16 -0700

On Sat, Mar 19, 2022 at 12:04:32AM +0100, Markus Koschany wrote:
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-2955-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                      Markus Koschany
> March 18, 2022                                https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
> 
> Package        : bind9
> Version        : 1:9.10.3.dfsg.P4-12.3+deb9u11
> CVE ID         : CVE-2021-25220
> 
> It was found that bind9, an internet domain name server, was vulnerable to
> cache poisoning. When using forwarders, bogus NS records supplied by, or via,
> those forwarders may be cached and used by named if it needs to recurse for 
> any
> reason, causing it to obtain and pass on potentially incorrect answers.
> 
> For Debian 9 stretch, this problem has been fixed in version
> 1:9.10.3.dfsg.P4-12.3+deb9u11.


Hi,

today we start updating bind9 on stretch with the latest security update. After 
update
the bind9 starts and crashed after a few seconds with:

../../../lib/dns/name.c:2487: REQUIRE((((dest) != ((void *)0)) && (((const 
isc__magic_t *)(dest))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | 
('n')))))) failed, back trace

I stripped down configuration to
options {
  forward only;
    forwarders {
        x.x.x.x;
    };
};

I used several ip-address for forwarding, always the same error.

Starting in debug mode - some lines before and after:

19-Mar-2022 11:17:09.791 client 127.0.0.1#40316: UDP request
19-Mar-2022 11:17:09.791 client 127.0.0.1#40316: using view '_default'
19-Mar-2022 11:17:09.791 client 127.0.0.1#40316: request is not signed
19-Mar-2022 11:17:09.791 client 127.0.0.1#40316: recursion available
19-Mar-2022 11:17:09.791 client 127.0.0.1#40316: query
19-Mar-2022 11:17:09.791 client 127.0.0.1#40316 (.): query (cache) './NS/IN' 
approved
19-Mar-2022 11:17:09.791 client 127.0.0.1#40316 (.): replace
19-Mar-2022 11:17:09.791 clientmgr @0x7fbe2ed63458: get client
19-Mar-2022 11:17:09.791 clientmgr @0x7fbe2ed63458: create new
19-Mar-2022 11:17:09.791 clientmgr @0x7fbe2ed63458: clientmctx
19-Mar-2022 11:17:09.791 client @0x7fbe2004cfa0: create
19-Mar-2022 11:17:09.792 fetch: ./NS
19-Mar-2022 11:17:09.792 client @0x7fbe2004cfa0: udprecv
19-Mar-2022 11:17:09.792 ../../../lib/dns/name.c:2487: REQUIRE((((dest) != 
((void *)0)) && (((const isc__magic_t *)(dest))->magic == ((('D') << 24 | ('N') 
<< 16 | ('S') << 8 | ('n')))))) failed, back trace
19-Mar-2022 11:17:09.792 #0 0x558b9ace0d80 in ??
19-Mar-2022 11:17:09.792 #1 0x7fbe2cef39aa in ??
19-Mar-2022 11:17:09.792 #2 0x7fbe2e5ddf36 in ??
19-Mar-2022 11:17:09.792 #3 0x7fbe2e65ff64 in ??
19-Mar-2022 11:17:09.792 #4 0x7fbe2e6622a4 in ??
19-Mar-2022 11:17:09.792 #5 0x7fbe2e662b84 in ??
19-Mar-2022 11:17:09.792 #6 0x7fbe2cf17a23 in ??
19-Mar-2022 11:17:09.792 #7 0x7fbe2c8be4a4 in ??
19-Mar-2022 11:17:09.792 #8 0x7fbe2bd0fd0f in ??
19-Mar-2022 11:17:09.792 exiting (due to assertion failure)

After reinstalling version deb9u6 everything works as before. Because name.c is 
not in patchfile debian/patches/CVE-2021-25220.patch I assume regression error?

I checked it with stretch-backports - no error found. So I assume it's 
stretch-related?

Anything I can provide more?

-- System Information:
Debian Release: 9.13
  APT prefers oldoldstable
  APT policy: (990, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-18-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser                3.115
ii  bind9utils             1:9.10.3.dfsg.P4-12.3+deb9u11
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.56~bpo9+1
ii  libbind9-140           1:9.10.3.dfsg.P4-12.3+deb9u11
ii  libc6                  2.24-11+deb9u4
ii  libcap2                1:2.25-1
ii  libcomerr2             1.43.4-2+deb9u2
ii  libdns162              1:9.10.3.dfsg.P4-12.3+deb9u11
ii  libgeoip1              1.6.9-4
ii  libgssapi-krb5-2       1.15-1+deb9u3
ii  libirs141              1:9.10.3.dfsg.P4-12.3+deb9u11
ii  libisc160              1:9.10.3.dfsg.P4-12.3+deb9u11
ii  libisccc140            1:9.10.3.dfsg.P4-12.3+deb9u11
ii  libisccfg140           1:9.10.3.dfsg.P4-12.3+deb9u11
ii  libk5crypto3           1.15-1+deb9u3
ii  libkrb5-3              1.15-1+deb9u3
ii  liblwres141            1:9.10.3.dfsg.P4-12.3+deb9u11
ii  libssl1.0.2            1.0.2u-1~deb9u7
ii  libxml2                2.9.4+dfsg1-2.2+deb9u5
ii  lsb-base               9.20161125
ii  net-tools              1.60+git20161116.90da8a0-1
ii  netbase                5.4

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.10.3.dfsg.P4-12.3+deb9u11
pn  resolvconf  <none>
pn  ufw         <none>

-- debconf information:
  bind9/different-configuration-file:
  bind9/start-as-user: bind
  bind9/run-resolvconf: false

regards,

-- 
Andreas Schulz
----------------------------------------
"Gott gib mir die Kraft, die Dinge zu ändern, die ich ändern kann. 
Gib mir die Gelassenheit, die Dinge zu belassen, die ich nicht ändern kann. 
Und gib mir die Weisheit, beides voneinander zu unterscheiden."
(Reinhard Erös' Lebensmotto)

Re: [SECURITY] [DLA 2955-1] bind9 security update

Reply via email to