4508. [security] Named incorrectly tried to cache TKEY records which

could trigger a assertion failure when there was a class mismatch. (CVE-2016-9131) [RT #43522] (cherry picked from commit 2c1c4b99a1)
2026-06-12 22:00:00 -04:00 · 2016-12-29 11:07:40 +11:00 · 2016-12-29 11:07:40 +11:00 · d372472f60
commit d372472f60
parent c38b1c7115
4 changed files with 36 additions and 1 deletions
--- a/4
+++ b/4
@ -70,6 +70,10 @@
 4509.	[test]		Make the rrl system test more reliable on slower
 			machines by using mdig instead of dig. [RT #43280]

+4508.	[security]	Named incorrectly tried to cache TKEY records which
+			could trigger a assertion failure when there was
+			a class mismatch. (CVE-2016-9131) [RT #43522]
+
 4507.	[bug]		Named could incorrectly log 'allows updates by IP
 			address, which is insecure' [RT #43432]

--- a/7
+++ b/7
@ -51,7 +51,12 @@ BIND 9
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes

-BIND 9.9.9
+BIND 9.9.10
+	
+	BIND 9.9.10 is a maintenance release and addresses the security
+	flaws disclosed in CVE-2016-6170, CVE-2016-8864 and CVE-2016-9131.
+
+BIND 9.9.91

 	BIND 9.9.9 is a maintenance release and addresses bugs found
 	in BIND 9.9.8 and earlier, as well as the security flaws
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -74,6 +74,13 @@
 	 CVE-2016-2775. [RT #42694]
 	</para>
      </listitem>
+      <listitem>
+	<para>
+	  Named incorrectly tried to cache TKEY records which could
+	  trigger a assertion failure when there was a class mismatch.
+	  This flaw is disclosed in CVE-2016-9131.  [RT #43522]
+	</para>
+      </listitem>
    </itemizedlist>
  </section>

--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -6524,6 +6524,19 @@ answer_response(fetchctx_t *fctx) {
 					log_formerr(fctx, "NSEC3 in answer");
 					return (DNS_R_FORMERR);
 				}
+				if (rdataset->type == dns_rdatatype_tkey) {
+					/*
+					 * TKEY is not a valid record in a
+					 * response to any query we can make.
+					 */
+					log_formerr(fctx, "TKEY in answer");
+					return (DNS_R_FORMERR);
+				}
+				if (rdataset->rdclass != fctx->res->rdclass) {
+					log_formerr(fctx, "Mismatched class "
+						    "in answer");
+					return (DNS_R_FORMERR);
+				}

 				/*
 				 * Apply filters, if given, on answers to reject
@ -6710,6 +6723,12 @@ answer_response(fetchctx_t *fctx) {
 			     rdataset != NULL;
 			     rdataset = ISC_LIST_NEXT(rdataset, link))
 			{
+				if (rdataset->rdclass != fctx->res->rdclass) {
+					log_formerr(fctx, "Mismatched class "
+						    "in answer");
+					return (DNS_R_FORMERR);
+				}
+
 				/*
 				 * Only pass DNAME or RRSIG(DNAME).
 				 */