[v9_10_5_patch] quote service registry paths
authorEvan Hunt <each@isc.org>
Tue, 30 May 2017 20:43:10 +0000 (13:43 -0700)
committerEvan Hunt <each@isc.org>
Tue, 30 May 2017 20:43:54 +0000 (13:43 -0700)
4532. [security] The BIND installer on Windows used an unquoted
                        service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]

(cherry picked from commit 967a3b9419a3c12b8c0870c86d1ee3840bcbbad7)
(cherry picked from commit c28e44f3f8bc46c6bf1c15cc06af0c42fcd7e924)
(cherry picked from commit 91dfaf39a9a9852929294bdc2cc5260563adf32d)

CHANGES
README
bin/win32/BINDInstall/BINDInstallDlg.cpp
doc/arm/notes.xml

diff --git a/CHANGES b/CHANGES
index 8e2dd2c7ee0d25b3d0d4880f2e48639f68958214..66b9a2eec4d02509a284588fb010b350a41f91eb 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4532.  [security]      The BIND installer on Windows used an unquoted
+                        service path, which can enable privilege escalation.
+                       (CVE-2017-3141) [RT #45229]
+
 4531.  [security]      Some RPZ configurations could go into an infinite
                        query loop when encountering responses with TTL=0.
                        (CVE-2017-3140) [RT #45181]
diff --git a/README b/README
index 8b7f8ec450f4a53c42906349e83ccb3d4d662999..e74caf130d0f40664237551236ff3fc28b67f8c9 100644 (file)
--- a/README
+++ b/README
@@ -53,8 +53,8 @@ BIND 9
 
 BIND 9.10.5-P1
 
-        This version contains a fix for the security flaw
-        disclosed in CVE-2017-3140.
+        This version contains a fix for the security flaws
+        disclosed in CVE-2017-3140 and CVE-2017-3141.
 
 BIND 9.10.5
        
index e9668fbcfeeaef1fe7a246e89a93138be38f565a..9b75250b474c4c75ef89ddf1a913f9bca22f5058 100644 (file)
@@ -59,6 +59,7 @@
 #include "DirBrowse.h"
 #include <winsvc.h>
 #include <shlobj.h>
+#include <shlwapi.h>
 #include <named/ntservice.h>
 #include <isc/bind_registry.h>
 #include <isc/ntgroups.h>
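Review bot: `PathQuoteSpaces` is exported from shlwapi.lib, and the file list of this commit (CHANGES, README, BINDInstallDlg.cpp, notes.xml) shows no project or build file change adding that library, so unless the BINDInstall project already links it the three new calls will fail at link time. Keeping the dependency next to its use with `#pragma comment(lib, "shlwapi.lib")` directly under the new include avoids that and documents why the header is there.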
@@ -623,8 +624,16 @@ void CBINDInstallDlg::OnInstall() {
                                        (LPBYTE)(LPCTSTR)buf, buf.GetLength());
 
                        buf.Format("%s\\BINDInstall.exe", m_binDir);
+
+                       CStringA installLocA(buf);
+                       const char *str = (const char *) installLocA;
+                       char pathBuffer[2 * MAX_PATH];
+                       strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+                       pathBuffer[sizeof(pathBuffer) - 1] = 0;
+                       PathQuoteSpaces(pathBuffer);
+
                        RegSetValueEx(hKey, "UninstallString", 0, REG_SZ,
-                                       (LPBYTE)(LPCTSTR)buf, buf.GetLength());
+                                     (LPBYTE)(LPCTSTR)pathBuffer, strlen(pathBuffer));
                        RegCloseKey(hKey);
                }
 
@@ -1019,10 +1028,17 @@ CBINDInstallDlg::RegisterService() {
        CString namedLoc;
        namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
 
+       CStringA namedLocA(namedLoc);
+       const char *str = (const char *) namedLocA;
+       char pathBuffer[2 * MAX_PATH];
+       strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+       pathBuffer[sizeof(pathBuffer) - 1] = 0;
+       PathQuoteSpaces(pathBuffer);
+
        SetCurrent(IDS_CREATE_SERVICE);
        hService = CreateService(hSCManager, BIND_SERVICE_NAME,
                BIND_DISPLAY_NAME, SERVICE_ALL_ACCESS, dwServiceType, dwStart,
-               SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL, StartName,
+               SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL, StartName,
                m_accountPassword);
 
        if (!hService && GetLastError() != ERROR_SERVICE_EXISTS)
@@ -1061,6 +1077,13 @@ CBINDInstallDlg::UpdateService(CString StartName) {
        CString namedLoc;
        namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
 
+       CStringA namedLocA(namedLoc);
+       const char *str = (const char *) namedLocA;
+       char pathBuffer[2 * MAX_PATH];
+       strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+       pathBuffer[sizeof(pathBuffer) - 1] = 0;
+       PathQuoteSpaces(pathBuffer);
+
        SetCurrent(IDS_OPEN_SERVICE);
        hService = OpenService(hSCManager, BIND_SERVICE_NAME,
                               SERVICE_CHANGE_CONFIG);
@@ -1072,7 +1095,7 @@ CBINDInstallDlg::UpdateService(CString StartName) {
                return;
        } else {
                if (ChangeServiceConfig(hService, dwServiceType, dwStart,
-                       SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL,
+                       SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL,
                        StartName, m_accountPassword, BIND_DISPLAY_NAME)
                        != TRUE) {
                        DWORD err = GetLastError();
index f5dc8f1f841759fd1f492ec1b97206e5a9ac7c3c..c9b304edd843ffc0bb480a989e8107a358aeb017 100644 (file)
@@ -24,8 +24,8 @@
       This document summarizes changes since BIND 9.10.5:
     </para>
     <para>
-      BIND 9.10.5-P1 addresses the security issue described in
-      CVE-2017-3140.
+      BIND 9.10.5-P1 addresses the security issues described in
+      CVE-2017-3140 and CVE-2017-3141.
     </para>
   </section>
 
 
   <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
     <itemizedlist>
+      <listitem>
+       <para>
+         The BIND installer on Windows used an unquoted service path,
+         which can enable privilege escalation. This flaw is disclosed
+         in CVE-2017-3141. [RT #45229]
+       </para>
+      </listitem>
       <listitem>
        <para>
          With certain RPZ configurations, a response with TTL 0