diff --git a/CHANGES b/CHANGES
index 99d0488bc2..c3096b134b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4532. [security] The BIND installer on Windows used an unquoted
+ service path, which can enable privilege escalation.
+ (CVE-2017-3141) [RT #45229]
+
4531. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]
diff --git a/README b/README
index ad97f0c334..d1715a5de4 100644
--- a/README
+++ b/README
@@ -231,8 +231,8 @@ CVE-2017-3137, and CVE-2017-3138.
BIND 9.9.11
-BIND 9.9.11 is a maintenance release, and addresses the security flaw
-disclosed in CVE-2017-3140.
+BIND 9.9.11 is a maintenance release, and addresses the security flaws
+disclosed in CVE-2017-3140 and CVE-2017-3141.
Building BIND
diff --git a/README.md b/README.md
index e5168a854d..026e749e78 100644
--- a/README.md
+++ b/README.md
@@ -248,8 +248,8 @@ CVE-2017-3135, CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138.
#### BIND 9.9.11
-BIND 9.9.11 is a maintenance release, and addresses the security flaw
-disclosed in CVE-2017-3140.
+BIND 9.9.11 is a maintenance release, and addresses the security flaws
+disclosed in CVE-2017-3140 and CVE-2017-3141.
### Building BIND
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index 6ca5f15556..e14feab377 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -59,6 +59,7 @@
#include "DirBrowse.h"
#include
#include
+#include
#include
#include
#include
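Review bot: The header this hunk adds is not recoverable from this rendering (the bracketed names of all the `#include` lines have been stripped), so a reader cannot confirm that the declaration of `PathQuoteSpaces`, used in the three hunks below, is what comes in here. That function lives in `<shlwapi.h>` and also requires `shlwapi.lib` at link time; the diff shows no project or makefile change for that, so the link dependency is presumably already present or added elsewhere — worth verifying before merge, since a missing import library only surfaces as an unresolved external on the Windows build.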
@@ -615,8 +616,16 @@ void CBINDInstallDlg::OnInstall() {
(LPBYTE)(LPCTSTR)buf, buf.GetLength());
buf.Format("%s\\BINDInstall.exe", m_binDir);
+
+ CStringA installLocA(buf);
+ const char *str = (const char *) installLocA;
+ char pathBuffer[2 * MAX_PATH];
+ strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+ pathBuffer[sizeof(pathBuffer) - 1] = 0;
+ PathQuoteSpaces(pathBuffer);
+
RegSetValueEx(hKey, "UninstallString", 0, REG_SZ,
- (LPBYTE)(LPCTSTR)buf, buf.GetLength());
+ (LPBYTE)(LPCTSTR)pathBuffer, strlen(pathBuffer));
RegCloseKey(hKey);
}
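Review bot: The cbData passed to RegSetValueEx for the REG_SZ value omits the terminating NUL: `strlen(pathBuffer)` counts only the characters, while the API requires the size of a REG_SZ to include the terminator, so the new line should read `(LPBYTE)(LPCTSTR)pathBuffer, strlen(pathBuffer) + 1);`. The replaced `buf.GetLength()` had the same gap, and the preceding RegSetValueEx whose last line is the hunk's first context line appears to use the same pattern, so it is worth fixing both while this code is being touched. The six-line copy-and-quote sequence introduced here is repeated verbatim in the RegisterService and UpdateService hunks below; see the note on the RegisterService hunk for a shared helper. OnInstall starts and ends outside this hunk.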
@@ -1011,10 +1020,17 @@ CBINDInstallDlg::RegisterService() {
CString namedLoc;
namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
+ CStringA namedLocA(namedLoc);
+ const char *str = (const char *) namedLocA;
+ char pathBuffer[2 * MAX_PATH];
+ strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+ pathBuffer[sizeof(pathBuffer) - 1] = 0;
+ PathQuoteSpaces(pathBuffer);
+
SetCurrent(IDS_CREATE_SERVICE);
hService = CreateService(hSCManager, BIND_SERVICE_NAME,
BIND_DISPLAY_NAME, SERVICE_ALL_ACCESS, dwServiceType, dwStart,
- SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL, StartName,
+ SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL, StartName,
m_accountPassword);
if (!hService && GetLastError() != ERROR_SERVICE_EXISTS)
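Review bot: The copy-and-quote sequence added before SetCurrent is the second verbatim copy of the same six lines (OnInstall above, UpdateService below), and each copy silently truncates a path of 2*MAX_PATH-1 or more characters in strncpy before quoting and registering it, so an over-long target directory would register a service whose binary path is a cut-off string rather than failing. Factoring the sequence into one helper that refuses paths that do not fit (including room for the two quotes) lets every caller stop instead of proceeding with a mangled path; whether PathQuoteSpaces returns a status depends on the SDK version, so the helper below relies on its own length check. Only the lines replacing the inline copy are shown; how RegisterService reports the failure is not visible in this hunk, as the function starts and ends outside it.
```cpp
// Copy `path` into `out`, adding quotes when it contains spaces. Returns
// false if the path (plus quotes and NUL) does not fit, so callers never
// register a truncated service or uninstall path.
static bool
QuotedPathBuffer(const CString &path, char *out, size_t outLen) {
	CStringA pathA(path);
	const char *str = (const char *) pathA;
	if (strlen(str) + 3 > outLen)	/* two quotes + NUL */
		return false;
	strcpy(out, str);
	PathQuoteSpaces(out);
	return true;
}

	/* … in RegisterService, replacing the inline strncpy/PathQuoteSpaces block … */
	char pathBuffer[2 * MAX_PATH];
	if (!QuotedPathBuffer(namedLoc, pathBuffer, sizeof(pathBuffer))) {
		/* report the failure the way the surrounding code does */
		return;
	}
```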
@@ -1053,6 +1069,13 @@ CBINDInstallDlg::UpdateService(CString StartName) {
CString namedLoc;
namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
+ CStringA namedLocA(namedLoc);
+ const char *str = (const char *) namedLocA;
+ char pathBuffer[2 * MAX_PATH];
+ strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+ pathBuffer[sizeof(pathBuffer) - 1] = 0;
+ PathQuoteSpaces(pathBuffer);
+
SetCurrent(IDS_OPEN_SERVICE);
hService = OpenService(hSCManager, BIND_SERVICE_NAME,
SERVICE_CHANGE_CONFIG);
@@ -1064,7 +1087,7 @@ CBINDInstallDlg::UpdateService(CString StartName) {
return;
} else {
if (ChangeServiceConfig(hService, dwServiceType, dwStart,
- SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL,
+ SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL,
StartName, m_accountPassword, BIND_DISPLAY_NAME)
!= TRUE) {
DWORD err = GetLastError();
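Review bot: Passing the narrow `pathBuffer` to ChangeServiceConfig here (and to CreateService in RegisterService) compiles only because this translation unit is evidently built without UNICODE — the narrow literals such as "UninstallString" in OnInstall point that way — which also means the `CStringA namedLocA(namedLoc)` conversion in the earlier UpdateService hunk is effectively an identity copy. Should the installer ever move to a UNICODE build, PathQuoteSpaces and these service calls would resolve to their W variants and the char buffer would stop matching, so a short comment at the buffer declaration, `/* narrow on purpose: this TU is built MBCS, so PathQuoteSpaces and the service APIs resolve to their A variants */`, would spare the next maintainer that surprise. UpdateService starts before this hunk and continues past it.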
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index c6f225dcd8..a9adbb0f68 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -71,6 +71,13 @@
Security Fixes
+
+
+ The BIND installer on Windows used an unquoted service path,
+ which can enable privilege escalation. This flaw is disclosed
+ in CVE-2017-3141. [RT #45229]
+
+
With certain RPZ configurations, a response with TTL 0