Operational Notification -- Segmentation Fault in resolver.c Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2, & 9.9.0

Michael McNally mcnally at isc.org
Mon Apr 30 19:26:56 UTC 2012


Operational Notification -- Segmentation Fault in resolver.c
Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2, & 9.9.0

Summary:

   ISC has discovered a race condition in the resolver code that
   can cause a recursive nameserver running BIND 9.6-ESV-R6, 9.7.5,
   9.8.2, or 9.9.0 to crash with a segmentation fault. Authoritative-only
   servers are not affected, but recursive-only or recursive-authoritative
   hybrid servers are at risk of crashing because of this bug.

Posting date: 30 April 2012

Program Impacted: BIND

Versions affected: 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0.

Description:

   ISC is issuing an operational notification for users running ISC
   BIND 9.6-ESV-R6, 9.7.5, 9.8.2 or 9.9.0.

   A race condition has been discovered in resolver.c that can
   cause a recursive nameserver running one of these versions
   to crash with a segmentation fault.

   This defect is not considered a security issue, as no known
   method for deliberately triggering it exists. It depends on a
   matter of random timing between multiple threads executing the
   resolver code. However, the nature of the bug is such that the
   probability of encountering the crash condition eventually
   increases in proportion to the number of queries being resolved
   as well as the number of queries being resolved simultaneously.
   Consequently, busy recursing nameservers and nameservers with
   more threads processing simultaneously are at higher risk of
   encountering this bug.

   This defect was introduced accidentally in change #3241, which
   appeared for the first time in the specified release versions.
   Prior release versions (9.6-ESV-R5-P1, 9.7.4-P1, and 9.8.1-P1
   and any earlier versions) are not affected by this bug.

   ISC is preparing replacement release versions with a delivery
   target of mid-May 2012, and a source code patch is currently
   available in the ISC Knowledge Base article:
   https://kb.isc.org/article/AA-00664

Solution:

   Authoritative-only servers do not need to address this issue.

   If you have not upgraded yet to the affected versions, postpone
   updating until they are replaced by 9.6-ESV-R7, 9.7.6, 9.8.3,
   or 9.9.1, which are to be released in mid-May 2012 and which
   will include a fix for this issue along with several minor bug
   fixes.

   If you have already upgraded a recursive server to one of the
   affected versions, you have the option of reverting to a prior
   release version, waiting for the May release of superseding
   packages including the fix, or applying the source code patch
   from ISC and rebuilding BIND.

   The source code patch can be found as an attachment to the ISC
   Knowledge Base article https://kb.isc.org/article/AA-00664

- Do you have questions? Questions regarding this advisory should
  go to support at isc.org.

- Additional information on our Operational Notifications is here:
  https://www.isc.org/software/notifications, and our Phased Disclosure
  Process is here: https://www.isc.org/security-vulnerability-disclosure-policy

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be inferred. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use of, or reliance on, this notice or materials referred to in
   this notice is at your own risk. ISC may change this notice at
   any time.



