[master] avoid crash due to managed-key rollover

4053. [security] Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. (CVE-2015-1349) [RT #38344]
2026-06-08 20:42:06 -04:00 · 2015-02-03 18:25:28 -08:00 · 2015-02-03 18:25:28 -08:00 · 801fb8b894
commit 801fb8b894
parent 9c716f839c
3 changed files with 31 additions and 1 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+4053.	[security]	Revoking a managed trust anchor and supplying
+			an untrusted replacement could cause named
+			to crash with an assertion failure.
+			(CVE-2015-1349) [RT #38344]
+
 4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]

 4051.	[bug]		Fix a leak of pthread_mutexattr_t. [RT #38454]
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -38,6 +38,25 @@
  <sect2 id="relnotes_security">
    <title>Security Fixes</title>
    <itemizedlist>
+      <listitem>
+	<para>
+	  On servers configured to perform DNSSEC validation using
+	  managed trust anchors (i.e., keys configured explicitly
+	  via <command>managed-keys</command>, or implicitly 
+	  via <command>dnssec-validation auto;</command> or
+	  <command>dnssec-lookaside auto;</command>), revoking
+	  a trust anchor and sending a new untrusted replacement
+	  could cause <command>named</command> to crash with an
+	  assertion failure. This could occur in the event of a
+	  botched key rollover, or potentially as a result of a
+	  deliberate attack if the attacker was in position to
+	  monitor the victim's DNS traffic.
+	</para>
+	<para>
+	  This flaw was discovered by Jan-Piet Mens, and is
+	  disclosed in CVE-2015-1349. [RT #38344]
+	</para>
+      </listitem>
      <listitem>
 	<para>
 	  A flaw in delegation handling could be exploited to put
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -9006,6 +9006,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 					     namebuf, tag);
 				trustkey = ISC_TRUE;
 			}
+		} else {
+			/*
+			 * No previously known key, and the key is not
+			 * secure, so skip it.
+			 */
+			continue;
 		}

 		/* Delete old version */
@ -9054,7 +9060,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 			trust_key(zone, keyname, &dnskey, mctx);
 		}

-		if (!deletekey) {
+		if (secure && !deletekey) {
 			INSIST(newkey || updatekey);
 			set_refreshkeytimer(zone, &keydata, now);
 		}