oss-sec mailing list archives
Re: [BIND] CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
From: Solar Designer <solar () openwall com>
Date: Wed, 29 Jul 2015 07:26:31 +0300
On Tue, Jul 28, 2015 at 11:52:53PM -0400, Michael McNally wrote:
A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting denial of service.
As an attack surface reduction measure for a subset of builds/users, would it make sense to exclude the corresponding code and functionality from --without-openssl builds (which effectively lack DNSSEC support anyway, and often deliberately so)? If so, I wish this had been done by now, thereby mitigating this bug for those builds and users, but perhaps it still makes sense to do so now (upstream?) in case there are more bugs "like this" in code that is DNSSEC-related yet doesn't directly depend on OpenSSL (hence, isn't excluded in --without-openssl builds yet). Security aside, this would also reduce the (binary) code size. Alexander
Current thread:
- [BIND] CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure Michael McNally (Jul 28)
- Re: [BIND] CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure Solar Designer (Jul 28)