[Pkg-dns-devel] Bug#889285: bind9: CVE-2017-3139 affects debian too: assertion failure in validator.c:1858

Salvatore Bonaccorso carnil at debian.org
Sat Feb 3 16:17:01 UTC 2018


Control: retitle -1 bind9: assertion failure in validator.c:1858

Hi

On Sat, Feb 03, 2018 at 11:12:30AM +0100, Vladislav Kurz wrote:
> This is a followup to archived bug #860225.
> 
> Although
> https://security-tracker.debian.org/tracker/CVE-2017-3139 states that
> debian is not affected by CVE-2017-3139, I observed this behavior on
> debian wheezy:
> 
> Feb  3 08:38:07 server named[16906]: validator.c:1858: INSIST(rdataset->type == ((dns_rdatatype_t)dns_rdatatype_dnskey)) failed, back trace
> Feb  3 08:38:07 server named[16906]: #0 0x7f9b66798e19 in ??
> Feb  3 08:38:07 server named[16906]: #1 0x7f9b650d5f3a in ??
> Feb  3 08:38:07 server named[16906]: #2 0x7f9b66094e57 in ??
> Feb  3 08:38:07 server named[16906]: #3 0x7f9b6609b599 in ??
> Feb  3 08:38:07 server named[16906]: #4 0x7f9b650f4dfd in ??
> Feb  3 08:38:07 server named[16906]: #5 0x7f9b64aa8b50 in ??
> Feb  3 08:38:07 server named[16906]: #6 0x7f9b64492fbd in ??
> Feb  3 08:38:07 server named[16906]: exiting (due to assertion failure)
> 
> Ondrej Zary reported this on Sat, 02 Sep 2017 in bug #860225 but it
> was closed and archived without answer. May I ask why?

The bug was about CVE-2017-3137, it's never a good idea to mix up
things ;-). Anyway, thanks for taking action and filing a new bug
for this issue you are experiencing.

JTR, since Red Hat does not provide many details on CVE-2017-3139,
we cannot say Debian is affected as well by this very same CVE. Since
it's not clear what CVE-2017-3139 is in detail, I have removed the
CVE from the subject of this bug.

What seems clear is that apparently a fix in Debian wheezy's bind9
version causes the regression you noticed. Thus I suggest the LTS team
try to find the defective patch introducing the issue and then
issue just a regression update (without referencing CVE-2017-3139). If,
on the other hand, it's clear that Debian wheezy used the very same
patch for a previous issue, and CVE-2017-3139 applies as well to
Debian wheezy, then obviously it's fine to use the CVE.

Regards,
Salvatore


