From 801fb8b894c75fc1e3fa0284e096ade6dcdc1110 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 3 Feb 2015 18:25:28 -0800
Subject: [PATCH] [master] avoid crash due to managed-key rollover

4053. [security] Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. (CVE-2015-1349) [RT #38344]
---
 CHANGES | 5 +++++
 doc/arm/notes.xml | 19 +++++++++++++++++++
 lib/dns/zone.c | 8 +++++++-
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index d476ed1c6d..897347729f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4053. [security] Revoking a managed trust anchor and supplying
+ an untrusted replacement could cause named
+ to crash with an assertion failure.
+ (CVE-2015-1349) [RT #38344]
+
 4052. [bug] Fix a leak of query fetchlock. [RT #38454]
 4051. [bug] Fix a leak of pthread_mutexattr_t. [RT #38454]
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 0ff522c5c3..00853e4b78 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -38,6 +38,25 @@ Security Fixes
+
+
+ On servers configured to perform DNSSEC validation using
+ managed trust anchors (i.e., keys configured explicitly
+ via managed-keys, or implicitly
+ via dnssec-validation auto; or
+ dnssec-lookaside auto;), revoking
+ a trust anchor and sending a new untrusted replacement
+ could cause named to crash with an
+ assertion failure. This could occur in the event of a
+ botched key rollover, or potentially as a result of a
+ deliberate attack if the attacker was in position to
+ monitor the victim's DNS traffic.
+
+ This flaw was discovered by Jan-Piet Mens, and is
+ disclosed in CVE-2015-1349. [RT #38344]
+
+
 A flaw in delegation handling could be exploited to put
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index d7c7444ed3..1bc8608ed6 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9006,6 +9006,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 namebuf, tag);
 trustkey = ISC_TRUE;
 }
+ } else {
+ /*
+ * No previously known key, and the key is not
+ * secure, so skip it.
+ */
+ continue;
 }
 /* Delete old version */
@@ -9054,7 +9060,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 trust_key(zone, keyname, &dnskey, mctx);
 }
- if (!deletekey) {
+ if (secure && !deletekey) {
 INSIST(newkey || updatekey);
 set_refreshkeytimer(zone, &keydata, now);
 }
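Review bot: The new `else` branch discards a previously unknown key that arrived in an unvalidated response without any log output, so an operator has no way to see from the logs that a replacement trust anchor was ignored — which is exactly the botched-rollover or injected-key situation the release note describes. An INFO-level message before the `continue`, along the lines of `dns_zone_log(zone, ISC_LOG_INFO, "ignoring unvalidated DNSKEY ID %d for '%s'", tag, namebuf);`, would make the event visible to monitoring; `namebuf` and `tag` appear as arguments in the context line `namebuf, tag);` just above, but confirm they are still in scope and populated at this point. The comment could also say why the key is skipped rather than only that it is, e.g. `/* Not previously trusted and not validated: never adopt it as a trust anchor. */`. keyfetch_done begins before this hunk and the loop body that the `continue` belongs to continues past it.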
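Review bot: The widened condition `if (secure && !deletekey)` carries no comment, and its relationship to the first hunk is not obvious from the code: the `continue` added there already keeps an unvalidated, previously unknown key from reaching this point, so the extra `secure &&` presumably only affects a previously known key received in an unvalidated response, which now finishes the iteration without `set_refreshkeytimer` being called. If that key's refresh is rescheduled elsewhere in keyfetch_done this is fine, but it cannot be confirmed from the hunk and is worth checking, since a trust anchor that is neither deleted nor re-armed for refresh would quietly stop being maintained. A short comment above the line, such as `/* Only a validated response may assert newkey/updatekey and re-arm the refresh timer. */`, would record the intent. keyfetch_done starts before the first hunk and ends after this one.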