  • #1241
Closed
Open
Issue created Sep 21, 2019 by Ghost User@ghost

[CVE-2019-6476] bind 9.14 crashes at specific response from forwarders

Summary

When bind 9.14 receives an obviously invalid response from a configured forwarder, it crashes.

DNS format error from 213.133.99.99#53 resolving 74.141.6.213.in-addr.arpa/PTR for client 127.0.0.1#49745: non-improving referral
resolver.c:4932: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
#0 0x55b887adf590 in ??
#1 0x7fce15ae853a in ??
#2 0x7fce1648fddb in ??
#3 0x7fce1649181c in ??
#4 0x7fce164967d5 in ??
#5 0x7fce1649a341 in ??
#6 0x7fce1649b066 in ??
#7 0x7fce1649cb50 in ??
#8 0x7fce15b05b29 in ??
#9 0x7fce1507a118 in ??
#10 0x7fce147819df in ??
exiting (due to assertion failure)

BIND version used

BIND 9.14.4 (Stable Release) <id:ab4c496>
running on Linux x86_64 4.19.72-gentoo #1 SMP Mon Sep 16 19:54:42 CEST 2019
built by make with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.14.4' '--htmldir=/usr/share/doc/bind-9.14.4/html' '--with-sysroot=/' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--disable-dnsrps' '--disable-dnstap' '--disable-fixed-rrset' '--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gssapi' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--without-libxml2' '--with-zlib' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -pipe -march=native -I/usr/include/db5.3' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -L/usr/lib64' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig'
compiled by GCC 7.3.0
compiled with OpenSSL version: OpenSSL 1.0.2t  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.0.2t  10 Sep 2019
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

Steps to reproduce

  • configure a forwarding name server (in my case the name server from my ISP hetzner.de)
options {
        forwarders {
                213.133.98.97;
                213.133.99.99;
                213.133.100.100;
        };
};
  • dig @localhost 74.141.6.213.in-addr.arpa PTR

What is the current bug behavior?

The server crashes.

What is the expected correct behavior?

It should not crash.

Relevant configuration files

see above.

Relevant logs and/or screenshots

see above.

Possible fixes

unknown.

When using an older version of bind (9.12.3 e.g.) or another forwarder (8.8.8.8 e.g.), the bug does not occur.

Incident tracking page

https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwarders

Edited Sep 25, 2019 by Michał Kępień
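
For operators checking whether a `named` crash matches this report, the following log-triage script is an added example (not part of the original issue and not ISC code). It pairs an assertion-failure line with the "DNS format error" line logged just before it and reports the forwarder and query name involved. The function names and the `window` parameter are assumptions; the first line of the sample log is constructed and the rest is copied from the report above.

```python
import re

# Both patterns use search(), so syslog or timestamp prefixes are tolerated.
FORMAT_ERROR = re.compile(
    r"DNS format error from (?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"resolving (?P<qname>\S+)/(?P<qtype>[A-Za-z0-9]+) "
    r"for client (?P<client>[0-9A-Fa-f.:]+)#\d+: (?P<reason>.+)$")
ASSERTION = re.compile(
    r"(?P<file>[\w./-]+\.c):(?P<line>\d+): "
    r"(?P<kind>INSIST|REQUIRE|ENSURE|INVARIANT)\((?P<expr>.+)\) failed")

# Constructed sample: the first line is filler, the rest is from the report.
SAMPLE_LOG = """\
21-Sep-2019 10:00:00.000 running
DNS format error from 213.133.99.99#53 resolving 74.141.6.213.in-addr.arpa/PTR for client 127.0.0.1#49745: non-improving referral
resolver.c:4932: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
#0 0x55b887adf590 in ??
exiting (due to assertion failure)
"""

def find_crashes(lines, window=5):
    """Return one record per assertion failure, with the last format error
    logged at most `window` lines earlier as "trigger" (None if absent)."""
    crashes, last_err, last_err_at = [], None, None
    for n, line in enumerate(lines):
        m = FORMAT_ERROR.search(line)
        if m:
            last_err, last_err_at = m.groupdict(), n
            continue
        m = ASSERTION.search(line)
        if m:
            near = last_err is not None and n - last_err_at <= window
            crashes.append({**m.groupdict(), "trigger": last_err if near else None})
    return crashes

def is_issue_1241_signature(crash):
    """True when the record matches the assertion text quoted in this issue.
    The line number is ignored because it differs between releases."""
    return (crash["file"].endswith("resolver.c") and crash["kind"] == "INSIST"
            and "dns_name_issubdomain(&fctx->name, &fctx->domain)" in crash["expr"])

if __name__ == "__main__":
    for c in find_crashes(SAMPLE_LOG.splitlines()):
        t = c["trigger"] or {}
        print(f'{c["file"]}:{c["line"]} {c["kind"]} failed; '
              f'matches report: {is_issue_1241_signature(c)}; '
              f'server={t.get("server")} qname={t.get("qname")}/{t.get("qtype")}')
```
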