(In reply to comment #11)
> I've reproduced this bug with the stock RHEL4 bind (bind-9.2.4-30.el4_7.2).
>
> I've adapted ISC's patch for this issue to bind-9.2.4, and produced both a
> source
> package and binary packages that fix it (under the same conditions, the patched
> named no longer aborts), and placed it all (patch, spec file, source RPM, and
> binary RPMs) here: http://www.durval.com.br/RPMS/el4/bind
>
> The direct URL for the patch is
> http://www.durval.com.br/RPMS/el4/bind/bind-9.2.4-CVE-2009-0696.patch;
> please feel free to use it as appropriate.
>
> Best Regards,
> --
> Durval Menezes <durval AT tmp DOT com DOT br>
Solar Designer reproduced the bug also without using dynamic update
quote
On Wed, Jul 29, 2009 at 05:15:09PM +0400, Solar Designer wrote:
> Confirmed on 9.3.5-P2 (removing the "$packet->sign_tsig(...)" line from
> the exploit as above) with whatever patches we happened to have until
> this latest fix.
It gets worse: I was also able to crash named from an IP address
explicitly denied in "allow-query". I did verify that non-malicious
queries from that IP address were indeed correctly denied.
It appears that BIND does too much processing too early in the code.
Alexander
quote
Found on oss-security mailing list