Comment 11 for bug 406122

In , yersinia.spiros (yersinia.spiros-redhat-bugs) wrote:

(In reply to comment #11)
> I've reproduced this bug with the stock RHEL4 bind (bind-9.2.4-30.el4_7.2).
>
> I've adapted ISC's patch for this issue to bind-9.2.4, and produced both a
> source package and binary packages that fix it (under the same conditions, the patched
> named no longer aborts), and placed it all (patch, spec file, source RPM, and
> binary RPMs) here: http://www.durval.com.br/RPMS/el4/bind
>
> The direct URL for the patch is
> http://www.durval.com.br/RPMS/el4/bind/bind-9.2.4-CVE-2009-0696.patch;
> please feel free to use it as appropriate.
>
> Best Regards,
> --
> Durval Menezes <durval AT tmp DOT com DOT br>

Solar Designer reproduced the bug also without using dynamic update.

quote

On Wed, Jul 29, 2009 at 05:15:09PM +0400, Solar Designer wrote:
> Confirmed on 9.3.5-P2 (removing the "$packet->sign_tsig(...)" line from
> the exploit as above) with whatever patches we happened to have until
> this latest fix.

It gets worse: I was also able to crash named from an IP address
explicitly denied in "allow-query". I did verify that non-malicious
queries from that IP address were indeed correctly denied.

It appears that BIND does too much processing too early in the code.

Alexander

quote

Found on the oss-security mailing list.