From: Evan Hunt Date: Wed, 4 Feb 2015 02:26:14 +0000 (-0800) Subject: [v9_9] avoid crash due to managed-key rollover X-Git-Tag: v9.9.7rc2~21 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c6e7641aa73c856d1cdb622247689c6a7a571fb1;p=thirdparty%2Fbind9.git [v9_9] avoid crash due to managed-key rollover 4053. [security] Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. (CVE-2015-1349) [RT #38344] --- diff --git a/CHANGES b/CHANGES index 0ecea87b6a8..0c9f394e448 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +4053. [security] Revoking a managed trust anchor and supplying + an untrusted replacement could cause named + to crash with an assertion failure. + (CVE-2015-1349) [RT #38344] + 4052. [bug] Fix a leak of query fetchlock. [RT #38454] 4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491] diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 8dde8958aa2..fd844907f69 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -38,6 +38,25 @@ Security Fixes + + + On servers configured to perform DNSSEC validation using + managed trust anchors (i.e., keys configured explicitly + via managed-keys, or implicitly + via dnssec-validation auto; or + dnssec-lookaside auto;), revoking + a trust anchor and sending a new untrusted replacement + could cause named to crash with an + assertion failure. This could occur in the event of a + botched key rollover, or potentially as a result of a + deliberate attack if the attacker was in position to + monitor the victim's DNS traffic. + + + This flaw was discovered by Jan-Piet Mens, and is + disclosed in CVE-2015-1349. [RT #38344] + + A flaw in delegation handling could be exploited to put diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 1b99c6bc0f9..edefe8bcb00 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
@@ -8534,6 +8534,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { namebuf, tag); trustkey = ISC_TRUE; } + } else { + /* + * No previously known key, and the key is not + * secure, so skip it. + */ + continue; } /* Delete old version */ @@ -8582,7 +8588,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { trust_key(zone, keyname, &dnskey, mctx); } - if (!deletekey) { + if (secure && !deletekey) { INSIST(newkey || updatekey); set_refreshkeytimer(zone, &keydata, now); }
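Review bot: In the doc/arm/notes.xml hunk, the added security note names the affected configurations (managed-keys, dnssec-validation auto;, dnssec-lookaside auto;) but gives operators nothing to act on. A sentence saying whether any workaround exists short of upgrading would make the entry usable as guidance. "Botched key rollover" could also be worded more neutrally, for example "a mishandled key rollover".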
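Review bot: In the first lib/dns/zone.c hunk (keyfetch_done, around line 8534), the new else branch drops the key with a bare `continue` and logs nothing, so an operator gets no record that an untrusted replacement key was seen and ignored during a rollover. Suggest logging the key name and tag before the `continue`; namebuf and tag are already used in the branch just above. It is also worth confirming that nothing set up earlier in the loop iteration needs releasing, since the `continue` bypasses "Delete old version" and the rest of the loop body.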
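Review bot: In the second lib/dns/zone.c hunk (around line 8588), `INSIST(newkey || updatekey)` remains a hard assertion inside keyfetch_done, and the commit message describes the bug being fixed as an assertion failure. Narrowing the guard to `if (secure && !deletekey)` avoids the reported case, but any other path that reaches this point with both flags false still aborts named; consider logging and skipping the key instead of asserting. Separately, set_refreshkeytimer() is no longer called when secure is false and deletekey is false, so please confirm the refresh timer for such a key is still scheduled elsewhere.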