Caldera Systems Security Advisory: BIND buffer overflow

Date: Mon, 29 Jan 2001 13:23:08 -0700
From: Caldera Support Info sup-info@LOCUTUS4.CALDERASYSTEMS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: CSSA-2001-008.0 BIND buffer overflow

                   Caldera Systems, Inc.  Security Advisory

Subject:                BIND buffer overflow
Advisory number:        CSSA-2001-008.0
Issue date:             2001 January, 29
Cross reference:

1. Problem Description

Several security problems have been discovered in the most
recent versions of BINDv8 (8.2.2p7). One of them is a buffer
overflow that can potentially exploited to execute arbitrary code
with the privilege of the bind user.

If you do not run the BIND named server, you are not affected by
this problem.

2. Vulnerable Versions

   System                       Package

   OpenLinux 2.3                All packages previous to
                                bind-8.2.3

   OpenLinux eServer 2.3.1      All packages previous to
   and OpenLinux eBuilder       bind-8.2.3

   OpenLinux eDesktop 2.4       All packages previous to
                                bind-8.2.3

3. Solution

Workaround

none

The proper solution is to upgrade to the latest packages.

As a matter of caution, we also suggest that you run the name
server process under a non-root user ID. In case of future security
holes in bind, this makes sure that remote attackers do not
immediately obtain root access.

Be warned however that when running the name server process
under a non-root uid it loses the ability to automatically re-bind
itself when you change the address of a network interface, or
create a new one. If you do that, you need to manually restart
named in this case.

On eDesktop 2.4, named already runs under the “bind” account by
default; this is not the case on OpenLinux 2.3 and eServer 2.3.1,
however.

Here’s what to do:

   a.   Create a new user and group named `bind'.
        Pick an unused user and group ID (on a normal OpenLinux
        installation, uid and gid 19 should be available).
        Run the following commands as super user, replacing
         and  by the user and group IDs you selected:

        # groupadd -g <gid> bind
        # useradd -u <uid> -g <gid> -d / -s /bin/false bind

   b.   Change the ownership of /var/named to bind.bind:

        # chown -R bind.bind /var/named

   c.   Edit /etc/sysconfig/daemons/named. Replace the line

                OPTIONS=""

        with

                OPTIONS="-u bind"

        This makes sure that the name server process relinquishes
        root privilege after initialization.

   d.   Stop and restart your name server:

        # /etc/rc.d/init.d/named stop
        # /etc/rc.d/init.d/named start

        Note that simply issuing /etc/rc.d/init.d/named restart
        will not be enough!

4. OpenLinux 2.3

4.1 Location of Fixed Packages

The upgrade packages can be found on Caldera’s FTP site at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

4.2 Verification

01f9c6b514ab5aa70c3fe200c0c97243 RPMS/bind-8.2.3-1.i386.rpm
89ed56545ee05e8adf81775b2754afd0 RPMS/bind-doc-8.2.3-1.i386.rpm
41b9707056286325f4da4f45c0547b27
RPMS/bind-utils-8.2.3-1.i386.rpm
9ae6f304f9dd7a63aa291ed143fa4035 SRPMS/bind-8.2.3-1.src.rpm

4.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

          rpm -Fhv bind-*i386.rpm
          /etc/rc.d/init.d/named stop
          /etc/rc.d/init.d/named start

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera’s FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

5.2 Verification

f454346c9bf531d6e9aa014d2be93e99 RPMS/bind-8.2.3-1.i386.rpm
33a4e0f2ff622ea60e920c189b48af00 RPMS/bind-doc-8.2.3-1.i386.rpm
a786125567471a7bd42544e104977d15
RPMS/bind-utils-8.2.3-1.i386.rpm
9ae6f304f9dd7a63aa291ed143fa4035 SRPMS/bind-8.2.3-1.src.rpm

5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

          rpm -Fvh bind-*i386.rpm
          /etc/rc.d/init.d/named stop
          /etc/rc.d/init.d/named start

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera’s FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

acd707632ae0e33432b5d37862265517 RPMS/bind-8.2.3-1.i386.rpm
679d55e150b0bc8de0828db076e8594b RPMS/bind-doc-8.2.3-1.i386.rpm
a2b1b9764e884f4b1ed2b77e222a6755
RPMS/bind-utils-8.2.3-1.i386.rpm
9ae6f304f9dd7a63aa291ed143fa4035 SRPMS/bind-8.2.3-1.src.rpm

6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

          rpm -Fvh bind-*i386.rpm
          /etc/rc.d/init.d/named stop
          /etc/rc.d/init.d/named start

7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

Additional information on this bug can be found at

http://www.cert.org/advisories/CA-2001-02.html

This security fix closes Caldera’s internal Problem Report
8942.

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.