ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2018-08-22T08:43:00Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/390
9.11.3 -> NOERROR / 9.12.X -> SERVFAIL
2018-08-22T08:43:00Z
Ghost User

### Summary
SERVFAIL for some domains - for example:<br/>
<br/>
www.eclipse.org<br/>
www.redcross.ca<br/>
<br/>
after upgrading from 9.11.3 -> 9.12.0 / 9.12.1.-P2<br/>
<br/>
### Steps to reproduce<br/>
[same config in tests]<br/>
9.11.3 -> resolves / NOERROR<br/>
9.12.X -> does not resolve at all / SERVFAIL<br/>
<br/>
Reading through the release notes I cannot spot<br/>
anything worth trying.<br/>
<br/>
Logs (with trace 99) + configfiles + console output + dumpdb:<br/>
<br/>
https://www.undermydesk.org/servfail/working-9-11-3/<br/>
https://www.undermydesk.org/servfail/servfail-9-12-0/<br/>
<br/>

https://gitlab.isc.org/isc-projects/bind9/-/issues/392
Trust anchor telemetry queries are not sent for locally served zones
2023-03-16T11:03:02Z
Michał Kępień

Calling `dns_resolver_createfetch()` [with NULL `domain` and `nameservers` arguments](https://gitlab.isc.org/isc-projects/bind9/blob/4f6ef2f3e5bacd74da2cf2e4f8e51f3d7682b9a1/bin/named/server.c#L6598) will not cause upstream queries to be sent for a TAT query for a zone which is configured locally since the response will be determined just by consulting local data.
This issue is of particular importance for root zone mirroring.
Sparked by [a tweet from Marco Davids](https://twitter.com/marcodavids/status/1012816801074380802).

BIND-9.13.3
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/393
Fix a Net::DNS version quirk in the "resolver" system test
2018-07-10T13:09:34Z
Michał Kępień

`new Net::DNS::Packet()->data()` only returns a DNS packet with an empty QUESTION section in `Net::DNS` 0.68+ (see changes introduced in upstream revision 968). In older versions, the same method inserted a `./ANY` RR into the QUESTION section if the latter was empty:
```sh
$ PERL5LIB=/path/to/Net-DNS/0.67/lib perl -MNet::DNS -e 'print(unpack("H*", new Net::DNS::Packet()->data()) . "\n") for (1..3);'
a027010000010000000000000000ff00ff
3d68010000010000000000000000ff00ff
a740010000010000000000000000ff00ff
$ PERL5LIB=/path/to/Net-DNS/0.68/lib perl -MNet::DNS -e 'print(unpack("H*", new Net::DNS::Packet()->data()) . "\n") for (1..3);'
01be01000000000000000000
85a101000000000000000000
2c1e01000000000000000000
```
Since the latest `Net::DNS` version available with stock RHEL/CentOS 6 packages is 0.65 and we officially support that operating system, `bin/tests/system/resolver/ans8/ans.pl` should be tweaked to ensure it returns consistent responses across all `Net::DNS` versions.

BIND-9.13.3
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/394
BIND 9.9.13 Release
2018-07-11T06:24:01Z
Ondřej Surý

1. [x] Prepare the sources for tarball generation
1. [x] Change software version and library versions in `configure.in`
2. [x] Update CHANGES
3. [x] [Ensure the release notes are correct for this release](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Ensure_the_release_notes_are_cor)
4. [x] [Ensure the metainformation is correct for this release](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Ensure_the_metainformation_is_co)
3. [x] Make sure the tests are passing
4. [x] Create a tag (name `vX_Y_Z[-alphatag]`, content `BIND X.Y.Z[-alphatag]`, signed with a developer's GPG key): `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND X.Y.Z" vX.Y.Z`
5. [x] Push the changes and tag
6. [x] [Create the tarball](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Create_the_tar_ball_using_a_util)
7. [x] [Create the Windows zips](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Creating_Windows_zips)
7. [x] Have QA sanity check the tarball and zips
9. [x] Request the signature on the tarballs
10. [x] Make tarballs and signatures available to download
10. [x] Communication
1. [ ] Edit the release https://gitlab.isc.org/isc-projects/bind9/tags and the NEWS snippet + links to the tarballs
2. [x] Update the website(?), public release notes(?)
3. [x] Write release e-mail to bind9-announce
4. [x] Post short note to Twitter
5. [x] Update http://en.wikipedia.org/wiki/BIND
11. [ ] Update DEB and RPM packages

BIND-9.9.13
Evan Hunt
2018-07-10

https://gitlab.isc.org/isc-projects/bind9/-/issues/395
BIND 9.10.8 Release
2018-07-11T06:24:12Z
Ondřej Surý

1. [x] Prepare the sources for tarball generation
1. [x] Change software version and library versions in `configure.in`
2. [x] Update CHANGES
3. [x] [Ensure the release notes are correct for this release](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Ensure_the_release_notes_are_cor)
4. [x] [Ensure the metainformation is correct for this release](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Ensure_the_metainformation_is_co)
3. [x] Make sure the tests are passing
4. [x] Create a tag (name `vX_Y_Z[-alphatag]`, content `BIND X.Y.Z[-alphatag]`, signed with a developer's GPG key): `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND X.Y.Z" vX.Y.Z`
5. [x] Push the changes and tag
6. [x] [Create the tarball](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Create_the_tar_ball_using_a_util)
7. [x] [Create the Windows zips](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Creating_Windows_zips)
7. [x] Have QA sanity check the tarball and zips
9. [x] Request the signature on the tarballs
10. [x] Make tarballs and signatures available to download
10. [x] Communication
1. [ ] Edit the release https://gitlab.isc.org/isc-projects/bind9/tags and the NEWS snippet + links to the tarballs
2. [x] Update the website(?), public release notes(?)
3. [x] Write release e-mail to bind9-announce
4. [x] Post short note to Twitter
5. [x] Update http://en.wikipedia.org/wiki/BIND
11. [ ] Update DEB and RPM packages

BIND-9.10.8
Evan Hunt
2018-07-10

https://gitlab.isc.org/isc-projects/bind9/-/issues/396
BIND 9.11.4 Release
2018-07-11T06:24:30Z
Ondřej Surý

1. [x] Prepare the sources for tarball generation
1. [x] Change software version and library versions in `configure.in`
2. [x] Update CHANGES
3. [x] [Ensure the release notes are correct for this release](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Ensure_the_release_notes_are_cor)
4. [x] [Ensure the metainformation is correct for this release](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Ensure_the_metainformation_is_co)
3. [x] Make sure the tests are passing
4. [x] Create a tag (name `vX_Y_Z[-alphatag]`, content `BIND X.Y.Z[-alphatag]`, signed with a developer's GPG key): `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND X.Y.Z" vX.Y.Z`
5. [x] Push the changes and tag
6. [x] [Create the tarball](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Create_the_tar_ball_using_a_util)
7. [x] [Create the Windows zips](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Creating_Windows_zips)
7. [x] Have QA sanity check the tarball and zips
9. [x] Request the signature on the tarballs
10. [x] Make tarballs and signatures available to download
10. [x] Communication
1. [ ] Edit the release https://gitlab.isc.org/isc-projects/bind9/tags and the NEWS snippet + links to the tarballs
2. [x] Update the website(?), public release notes(?)
3. [x] Write release e-mail to bind9-announce
4. [x] Post short note to Twitter
5. [x] Update http://en.wikipedia.org/wiki/BIND
11. [ ] Update DEB and RPM packages

BIND-9.11.4
Evan Hunt
2018-07-10

https://gitlab.isc.org/isc-projects/bind9/-/issues/397
BIND 9.12.2 Release
2018-07-11T06:24:48Z
Ondřej Surý

1. [x] Prepare the sources for tarball generation
1. [x] Change software version and library versions in `configure.in`
2. [x] Update CHANGES
3. [x] [Ensure the release notes are correct for this release](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Ensure_the_release_notes_are_cor)
4. [x] [Ensure the metainformation is correct for this release](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Ensure_the_metainformation_is_co)
3. [x] Make sure the tests are passing
4. [x] Create a tag (name `vX_Y_Z[-alphatag]`, content `BIND X.Y.Z[-alphatag]`, signed with a developer's GPG key): `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND X.Y.Z" vX.Y.Z`
5. [x] Push the changes and tag
6. [x] [Create the tarball](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Create_the_tar_ball_using_a_util)
7. [x] [Create the Windows zips](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Creating_Windows_zips)
7. [x] Have QA sanity check the tarball and zips
9. [x] Request the signature on the tarballs
10. [x] Make tarballs and signatures available to download
10. [x] Communication
1. [ ] Edit the release https://gitlab.isc.org/isc-projects/bind9/tags and the NEWS snippet + links to the tarballs
2. [x] Update the website(?), public release notes(?)
3. [x] Write release e-mail to bind9-announce
4. [x] Post short note to Twitter
5. [x] Update http://en.wikipedia.org/wiki/BIND
11. [ ] Update DEB and RPM packages

BIND-9.12.2
Evan Hunt
2018-07-10

https://gitlab.isc.org/isc-projects/bind9/-/issues/398
BIND 9.13.2 Release
2018-07-17T20:29:24Z
Ondřej Surý

1. [x] Prepare the sources for tarball generation
1. [x] Change software version and library versions in `configure.in`
2. [x] Update CHANGES
3. [x] [Ensure the release notes are correct for this release](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Ensure_the_release_notes_are_cor)
4. [x] [Ensure the metainformation is correct for this release](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Ensure_the_metainformation_is_co)
3. [x] Make sure the tests are passing
4. [x] Create a tag (name `vX_Y_Z[-alphatag]`, content `BIND X.Y.Z[-alphatag]`, signed with a developer's GPG key): `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND X.Y.Z" vX.Y.Z`
5. [x] Push the changes and tag
6. [x] [Create the tarball](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Create_the_tar_ball_using_a_util)
7. [x] [Create the Windows zips](https://wiki.isc.org/bin/view/Main/BindReleaseProcedures#Creating_Windows_zips)
7. [x] Have QA sanity check the tarball and zips
9. [x] Request the signature on the tarballs
10. [x] Make tarballs and signatures available to download
10. [x] Communication
1. [ ] Edit the release https://gitlab.isc.org/isc-projects/bind9/tags and the NEWS snippet + links to the tarballs
2. [x] Update the website(?), public release notes(?)
3. [x] Write release e-mail to bind9-announce
4. [x] Post short note to Twitter
5. [ ] Update http://en.wikipedia.org/wiki/BIND
11. [ ] Update DEB and RPM packages

BIND-9.13.2
Evan Hunt
2018-07-10

https://gitlab.isc.org/isc-projects/bind9/-/issues/399
Do not use Net::DNS::Nameserver in the "serve-stale" system test
2023-03-16T11:03:02Z
Michał Kępień

Returning `undef` from a `Net::DNS::Nameserver` `ReplyHandler` only prevents sending a response in `Net::DNS` 0.67+ (see changes introduced in upstream revision 921). In older versions, a response is sent anyway, causing the "serve-stale" system test to fail as it takes advantage of the newer behavior:
```sh
$ PORT=5300 PERL5LIB=/path/to/Net-DNS/0.66/lib perl bin/tests/system/serve-stale/ans2/ans.pl > /dev/null 2>&1 &
$ dig @10.53.0.2 -p 5300 disable txt +short
"0"
$ dig @10.53.0.2 -p 5300 ns.example +short
$ kill $!
$ PORT=5300 PERL5LIB=/path/to/Net-DNS/0.67/lib perl bin/tests/system/serve-stale/ans2/ans.pl > /dev/null 2>&1 &
$ dig @10.53.0.2 -p 5300 disable txt +short
"0"
$ dig @10.53.0.2 -p 5300 ns.example +short
; <<>> DiG 9.13.2 <<>> @10.53.0.2 -p 5300 ns.example +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
```
Since the latest `Net::DNS` version available with stock RHEL/CentOS 6 packages is 0.65 and we officially support that operating system, `bin/tests/system/serve-stale/ans2/ans.pl` should be reworked not to use `Net::DNS::Nameserver` to ensure it behaves consistently across all `Net::DNS` versions.

BIND-9.13.3
Michał Kępień

https://gitlab.isc.org/isc-projects/kea/-/issues/8
Kea should print out info about opened ctrl socket
2022-10-27T12:44:25Z
Marcin Siodelski

Kea should print out information about control socket __acceptor__ being opened.
This should be printed on info level.
For the original ticket see https://kea.isc.org/ticket/5598

Kea1.5-beta1
Marcin Siodelski
2018-07-12

https://gitlab.isc.org/isc-projects/bind9/-/issues/400
Possible NULL Pointer Dereference (CWE-476) found in 'pkcs11-keygen.c'
2018-07-09T19:19:28Z
Ghost User

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
(Summarize the bug encountered concisely.)
### Steps to reproduce
(How one can reproduce the issue - this is very important.)
### What is the current *bug* behavior?
(What actually happens.)
### What is the expected *correct* behavior?
(What you should see instead.)
### Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```)
to format console output. If submitting the contents of your
configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
`named-checkconf -px`.)
### Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console
output, logs, and code, as it's very hard to read otherwise.)
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)

https://gitlab.isc.org/isc-projects/bind9/-/issues/401
NULL Pointer de-reference found in BIND 9.12.1-P2
2018-07-10T21:33:18Z
Ghost User

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
In reviewing source code in BIND-9.12.1-P2, in directory 'bin/pkcs11',
file 'pkcs11-keygen.c', while allocating space for parameter attributes,
no check is made to see if calls to malloc() actually succeed (that is,
return != NULL), which could lead to a de-reference and segmentation fault.
### Steps to reproduce
N/A - Problem exists in source code
### What is the current *bug* behavior?
Calls to malloc() are not tested for NULL before actually
assigning values.
### What is the expected *correct* behavior?
Code patch now checks for NULL after a call to malloc() is
made.
### Relevant configuration files
N/A
### Relevant logs and/or screenshots
N/A
### Possible fixes
Patch file is below and attached to this report:
--- pkcs11-keygen.c.orig 2018-07-08 14:59:26.888555710 -0700
+++ pkcs11-keygen.c 2018-07-08 15:02:44.140876562 -0700
@@ -657,8 +657,14 @@
}
/* Allocate space for parameter attributes */
- for (i = 0; i < param_attrcnt; i++)
+ for (i = 0; i < param_attrcnt; i++) {
param_template[i].pValue = malloc(param_template[i].ulValueLen);
+ if (param_template[i].pvalue == NULL) {
+ fprintf(stderr, "Unable to allocate memory for param_template[]\");
+ error = 1;
+ goto exit_params;
+ } /* end if malloc sanity check */
+ } /* end for i < param_attrcnt */
rv = pkcs_C_GetAttributeValue(hSession, domainparams,
dsa_param_template, DSA_PARAM_ATTRS);
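Review bot: the added NULL check tests `param_template[i].pvalue`, but the field assigned on the line directly above is `pValue`, so this will not compile as written. The `fprintf` format string also ends in `\"`, which escapes the closing quote and leaves the literal unterminated; `\n"` was presumably intended. Please also confirm that `error` and the `exit_params` label exist in this function and that the code at `exit_params` frees the `pValue` buffers allocated in earlier loop iterations, since neither is visible in this hunk.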
[pkcs11-keygen.c.patch](/uploads/b7f6207389f537b833d333225441b7ad/pkcs11-keygen.c.patch)

https://gitlab.isc.org/isc-projects/bind9/-/issues/402
Memory Leak found in file 'fuzz.c' in BIND-9.12.1-P2
2018-07-10T04:32:33Z
Ghost User

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
In reviewing source code in BIND-9.12.1-P2, in directory '/bin/named',
file 'fuzz.c', in function 'static void *fuzz_thread_resolver', it would appear
that variable 'rbuf' is never freed prior to the function returning cleanly
(i.e. - buf is released by free, but rbuf is not).
### Steps to reproduce
N/A
### What is the current *bug* behavior?
With current code, a memory leak develops over time in file 'fuzz.c'
### What is the expected *correct* behavior?
the memory allocated for rbuf should be released before the function
returns.
### Relevant configuration files
N/A
### Relevant logs and/or screenshots
N/A
### Possible fixes
Patch file is attached to this bug report and is listed below:
--- fuzz.c.orig 2018-07-09 20:32:05.765895918 -0700
+++ fuzz.c 2018-07-09 20:33:48.868144488 -0700
@@ -574,6 +574,7 @@
}
free(buf);
+ free(rbuf);
close(sockfd);
close(listenfd);
named_server_flushonshutdown(named_g_server, ISC_FALSE);
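Review bot: `free(rbuf)` is added only on this final cleanup path next to `free(buf)`, and the hunk does not show where `rbuf` is allocated or whether earlier return paths in the function leave it allocated. Please check that every exit after the allocation releases it, and that `rbuf` is always initialized (and not already freed) by the time this line runs, so the fix does not trade a leak for a free of an invalid pointer.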
[fuzz.c.patch](/uploads/5cdad34051577e64d55423f0fd6df048/fuzz.c.patch)

https://gitlab.isc.org/isc-projects/bind9/-/issues/403
Missing Sanity Check for call to next_token() in file 'dig.c'
2018-07-11T18:51:33Z
Ghost User

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
Bill Parker (wp02855@gmail.com)
### Summary
In BIND 9.12.1-P2, in directory 'bin/dig', file 'dig.c', in function
'plus_option' at approximately line 1002, there is a call to next_token()
which is not checked for a return value of NULL, which could result in a
possible dereference.
### Steps to reproduce
N/A
### What is the current *bug* behavior?
Code does not sanity check call(s) to next_token()...
### What is the expected *correct* behavior?
Add test to code to check for return value of NULL.
### Relevant configuration files
N/A
### Relevant logs and/or screenshots
N/A
### Possible fixes
Code Listed Below and Attached to this Issue report:
Add test to code to check for return value of NULL.
--- dig.c.orig 2018-07-10 19:32:16.266716156 -0700
+++ dig.c 2018-07-10 19:35:42.855335607 -0700
@@ -1003,6 +1003,11 @@
goto exit_or_usage;
}
code = next_token(&value, ":");
+ if (code == NULL) {
+ warn("ednsopt not "
+ "specified");
+ goto exit_of_usage;
+ }
save_opt(lookup, code, value);
break;
default:
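Review bot: the added branch jumps to `exit_of_usage`, while the existing check at the top of this hunk uses `goto exit_or_usage;`, so the new label does not match and the file will not build as posted; it should read `exit_or_usage`. The warning text "ednsopt not specified" could also say that it is the option code that is missing, since `code` is the value that was just parsed.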
[dig.c.patch](/uploads/52b167c55c58afa8f8c64f51282ce1af/dig.c.patch)

https://gitlab.isc.org/isc-projects/bind9/-/issues/404
Add Centos 7 to CI
2018-07-13T10:25:53Z
Mark Andrews

Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/405
Potential assertion in isc-bind-9.12.2
2018-11-08T18:29:21Z
Ondřej Surý

A new issue reported by Robert Święcki <robert@swiecki.net> to security-officer:
With some fuzzing of ISC-BIND-9.12.2 with honggfuzz setup (from here https://github.com/google/honggfuzz/tree/master/examples/bind) I'm able to hit some assertion which ends up with SIGABRT.
```
dispatch.c:2464: INSIST(disp->tcpbuffers == 0) failed.
#0 0x00007ffff6caf6a0 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6caf6a0 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cb0cf7 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x000000000052d2ae in assertion_failed (file=0xde92a0 <.str> "resolver.c", line=7033, type=isc_assertiontype_require,
cond=0xded340 <.str.213> "(__builtin_expect(!!((query) != ((void*)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(query))->magic == ((('Q') << 24 | ('!') << 16 | ('!') << 8 | ('!')))), 1))") at ./main.c:252
#3 0x0000000000bb9c97 in isc_assertion_failed (file=0x2 <error: Cannot access memory at address 0x2>, line=-446762384, type=isc_assertiontype_require, cond=0x7ffff6caf6a0 <raise+272> "H\213\214$\b\001") at assertions.c:51
#4 0x00000000009aa838 in resquery_response (task=0x7fffe3d253b8, event=0x7fffe37dff08) at resolver.c:7033
#5 0x0000000000c46658 in dispatch (manager=<optimized out>) at task.c:1139
#6 0x0000000000c4135d in run (uap=0x2) at task.c:1311
#7 0x00007ffff77a351a in start_thread (arg=0x7fffe55f0700) at pthread_create.c:465
#8 0x00007ffff6d703ef in clone () from /lib/x86_64-linux-gnu/libc.so.6
```
Have you seen it before?
If not, I'll try to gather some more info on it, and send you the details, though I'm attaching my config, so you can check it for obvious problems.
[named.conf](/uploads/032f4988bd3aba2d2f53bc62e6367a88/named.conf)
And the report from honggfuzz, which is not particularly more informative:
```
=====================================================================
TIME: 2018-07-11.14:26:50
=====================================================================
FUZZER ARGS:
mutationsPerRun : 6
externalCmd : NULL
fuzzStdin : FALSE
timeout : 10 (sec)
ignoreAddr : (nil)
ASLimit : 0 (MiB)
RSSLimit : 0 (MiB)
DATALimit : 0 (MiB)
targetPid : 0
targetCmd :
wordlistFile : NULL
dynFileMethod:
fuzzTarget : /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named -A client:1:1:1:1:1:1 -f -c /usr/local/google/home/swiecki/fuzz/bind/dist/etc/named.conf
ORIG_FNAME: IN.req-response//8b6e4a1f05567f57d1a8dd3cbb50fc9f.00000127.honggfuzz.cov
FUZZ_FNAME: ./SIGABRT.PC.7ffff6caf6a0.STACK.cfb0c006c.CODE.-6.ADDR.(nil).INSTR.mov____0x108(%rsp),%rcx.fuzz
PID: 47832
SIGNAL: SIGABRT (6)
FAULT ADDRESS: (nil)
INSTRUCTION: mov____0x108(%rsp),%rcx
STACK HASH: 0000000cfb0c006c
STACK:
<0x00007ffff6cb0cf7> [[UNKNOWN]():0 at /lib/x86_64-linux-gnu/libc-2.26.so]
<0x0000000000bb9ca1> [isc_assertion_failed():52 at /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named]
<0x00000000006c9550> [dispatch_free():2465 at /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named]
<0x00000000006c8658> [destroy_disp():549 at /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named]
<0x0000000000c46658> [dispatch():1142 at /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named]
<0x0000000000c4135d> [run():1320 at /usr/local/google/home/swiecki/fuzz/bind/bind-9.12.2/bin/named/named]
<0x00007ffff77a351a> [[UNKNOWN]():0 at /lib/x86_64-linux-gnu/libpthread-2.26.so]
<0x00007ffff6d703ef> [[UNKNOWN]():0 at /lib/x86_64-linux-gnu/libc-2.26.so]
=====================================================================
```

https://gitlab.isc.org/isc-projects/bind9/-/issues/406
dns_acl_isinsecure does not handle geoip elements.
2018-08-01T23:30:24Z
Mark Andrews

Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/407
round robin fails with two record RRSET in 9.12.1-P2 on rDNS
2021-10-04T13:00:31Z
Ghost User

### Summary
An RRSET with two A records fails to properly round-robin for recursive servers running 9.12.1-P2. It works fine on the authoritative servers, and it works on the rDNS server if there are three or more records.
### Steps to reproduce
dig roundrobin.ucsc.edu @adns2.ucsc.edu
In theory, your rDNS server running 9.12.1-P2 will not show proper round-robin behavior on that query. Our rDNS servers are also authoritative for ucsc.edu, but the same behavior manifests when I query something for which our rDNS is not authoritative:
dig www.yale.edu.cdn.cloudflare.net
so I believe this issue should be easily seen by anyone running 9.12.1-P2 for rDNS.
### What is the current *bug* behavior?
The pair of records are always returned in the same order.
### What is the expected *correct* behavior?
Records returned round robin.
### Relevant configuration files
I am going to poke in only a few config lines on the theory that the general config is probably not relevant. I'm happy to be flogged if I get that wrong and will provide full details if needed.
<pre>rrset-order { order cyclic; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
response-policy { .... }</pre>

https://gitlab.isc.org/isc-projects/bind9/-/issues/408
Visual Studio Remote Code Execution Vulnerability
2018-07-11T23:21:26Z
Thomas Jach

See https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8172 for further details.

https://gitlab.isc.org/isc-projects/bind9/-/issues/410
Missing Sanity Check for call to next_token() in file 'mdig.c' for BIND 9.12.1-P2
2018-08-01T23:17:02Z
Ghost User

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
In BIND 9.12.1-P2, in directory 'bin/tools', file 'mdig.c', in function
'plus_option' at approximately line 1277, there is a call to next_token()
which is not checked for a return value of NULL, which could result in a
possible dereference.
### Steps to reproduce
N/A
### What is the current *bug* behavior?
Code does not sanity check call(s) to next_token()...
### What is the expected *correct* behavior?
Add test to code to check for return value of NULL.
### Relevant configuration files
N/A
### Relevant logs and/or screenshots
N/A
### Possible fixes
Code Listed Below and Attached to this Issue report:
Add test to code to check for return value of NULL.
--- mdig.c.orig 2018-07-11 18:08:00.258246995 -0700
+++ mdig.c 2018-07-11 18:09:38.580418181 -0700
@@ -1278,6 +1278,10 @@
"code point "
"specified");
code = next_token(&value, ":");
+ if (code == NULL)
+ fatal("ednsopt no "
+ "code point "
+ "specified");
save_opt(query, code, value);
break;
default:[mdig.c.patch](/uploads/46e7b964e290ab56d863c6ff845a939a/mdig.c.patch)
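
Review bot: the message passed to the added `fatal()` ends in the same "code point specified" text as the call that closes in the context lines just above it, so a user hitting either check cannot tell which one fired; give the new check its own wording. The multi-line `fatal(...)` under `if (code == NULL)` also has no braces, which makes the body easy to misread next to the following `save_opt(query, code, value);`, so wrap it in `{ }`.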