* Assertion failure in ISC BIND SIG query processing (CVE-2006-4095)
- Recursive servers
Queries for SIG records will trigger an assertion failure if more
than one RRset is returned. However exposure can be minimized by
restricting which sources can ask for recursion.
- Authoritative servers
If a nameserver is serving a RFC 2535 DNSSEC zone and is queried
for the SIG records where there are multiple RRsets, then the
named program will trigger an assertion failure when it tries
to construct the response.
* INSIST failure in ISC BIND recursive query handling code (CVE-2006-4096)
It is possible to trigger an INSIST failure by sending enough
recursive queries such that the response to the query arrives after
all the clients waiting for the response have left the recursion
queue. However exposure can be minimized by restricting which sources
can ask for recursion.
ok'ed christos@
- sprintf() can return negative value on error, so p += sprintf(p, blah)
is unsafe
- signed/unsigned mixup
- wrong assumption: sizeof(time_t) <= sizeof(int)
- need to init errno to 0 before strtoul()
then checking that against ULONG_MAX. Instead use a "unsigned long"
as the temporary variable. Then check against UINT32_MAX before
assigning back to the original variable.
Make sure that each va_start has one and only one matching va_end,
especially in error cases.
If the va_list is used multiple times, do multiple va_starts/va_ends.
If a function gets va_list as argument, don't let it use va_end (since
it's the callers responsibility).
Improved by comments from enami and christos -- thanks!
Heimdal/krb4/KAME changes already fed back, rest to follow.
Inspired by, but not not based on, OpenBSD.
revision 1.3
date: 1999/02/22 02:37:27; author: mrg; state: Exp; lines: +19 -1
if we are chrooting, write a symlink for the pid file so that ndc, etc,
continue to work as normal. this allows named to run in a chroot jail
with zero loss of functionality.
- resolve conflicts (there are many conflicts with $NetBSD$ tags -
dunno why they happen).
- type pedant (couple of typecasts).
correct yacc-generated file handling. remove bin/named/ns_parser.h,
use the header yacc generates at compilation time.
dig/host/whatever assumes that it is using BIND8 code. mixing BIND4 in
libc with BIND8 code will result in very strange behavior, or program panics.
it is not necessary for dig/host/whatever to obey /etc/nsswitch.conf, actually
dig(1) is explicit about it.
now dist/bind is almost clean BIND822p5, with the following exception:
- /etc/irs.conf will never be visited when running BIND8 toolchain,
to make it less complex. the search order for BIND8 toolchain is
defined in dist/bind/lib/irs/gen.c:default_map_rules().
and usr.sbin/bind compiles them in BSD make framework, with no tricks at all.
christos