diff --git a/CHANGES b/CHANGES
index 3ebd640426..8823b91b4e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4532. [security] The BIND installer on Windows used an unquoted
+ service path, which can enable privilege escalation.
+ (CVE-2017-3141) [RT #45229]
+
4531. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]
diff --git a/README b/README
index 82eb15e370..e0bec15bb8 100644
--- a/README
+++ b/README
@@ -263,8 +263,8 @@ CVE-2017-3137, and CVE-2017-3138.
BIND 9.10.6
-BIND 9.10.6 is a maintenance release, and addresses the security flaw
-disclosed in CVE-2017-3140.
+BIND 9.10.6 is a maintenance release, and addresses the security flaws
+disclosed in CVE-2017-3140 and CVE-2017-3141.
Building BIND
diff --git a/README.md b/README.md
index 06a342aa9c..c8b567c775 100644
--- a/README.md
+++ b/README.md
@@ -277,8 +277,8 @@ CVE-2017-3137, and CVE-2017-3138.
#### BIND 9.10.6
-BIND 9.10.6 is a maintenance release, and addresses the security flaw
-disclosed in CVE-2017-3140.
+BIND 9.10.6 is a maintenance release, and addresses the security flaws
+disclosed in CVE-2017-3140 and CVE-2017-3141.
### Building BIND
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index e9668fbcfe..9b75250b47 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -59,6 +59,7 @@
#include "DirBrowse.h"
#include
#include
+#include
#include
#include
#include
@@ -623,8 +624,16 @@ void CBINDInstallDlg::OnInstall() {
(LPBYTE)(LPCTSTR)buf, buf.GetLength());
buf.Format("%s\\BINDInstall.exe", m_binDir);
+
+ CStringA installLocA(buf);
+ const char *str = (const char *) installLocA;
+ char pathBuffer[2 * MAX_PATH];
+ strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+ pathBuffer[sizeof(pathBuffer) - 1] = 0;
+ PathQuoteSpaces(pathBuffer);
+
RegSetValueEx(hKey, "UninstallString", 0, REG_SZ,
- (LPBYTE)(LPCTSTR)buf, buf.GetLength());
+ (LPBYTE)(LPCTSTR)pathBuffer, strlen(pathBuffer));
RegCloseKey(hKey);
}
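Review bot: The return value of `PathQuoteSpaces(pathBuffer)` just before the RegSetValueEx call is ignored; the function is documented to operate on MAX_PATH-sized buffers and returns FALSE whenever it does not add quotes, so an install path that contains spaces but is longer than that limit could still be written unquoted, which is exactly the condition this change is meant to remove. The same unchecked call appears in the RegisterService and UpdateService hunks below. A guard such as `if (strchr(pathBuffer, ' ') != NULL && !PathQuoteSpaces(pathBuffer)) { /* fail the install here */ }` turns the quoting from best-effort into something the installer can verify. Separately, the new `strlen(pathBuffer)` passed as cbData for a REG_SZ value omits the terminating NUL that RegSetValueEx documents as part of the size (the replaced `buf.GetLength()` had the same omission); `strlen(pathBuffer) + 1` matches the documented contract. OnInstall starts before this hunk.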
@@ -1019,10 +1028,17 @@ CBINDInstallDlg::RegisterService() {
CString namedLoc;
namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
+ CStringA namedLocA(namedLoc);
+ const char *str = (const char *) namedLocA;
+ char pathBuffer[2 * MAX_PATH];
+ strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+ pathBuffer[sizeof(pathBuffer) - 1] = 0;
+ PathQuoteSpaces(pathBuffer);
+
SetCurrent(IDS_CREATE_SERVICE);
hService = CreateService(hSCManager, BIND_SERVICE_NAME,
BIND_DISPLAY_NAME, SERVICE_ALL_ACCESS, dwServiceType, dwStart,
- SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL, StartName,
+ SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL, StartName,
m_accountPassword);
if (!hService && GetLastError() != ERROR_SERVICE_EXISTS)
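Review bot: The seven lines from `CStringA namedLocA(namedLoc);` through `PathQuoteSpaces(pathBuffer);` are the second copy of the same convert-copy-quote sequence (a third follows in UpdateService), each with its own `2 * MAX_PATH` buffer, a strncpy that silently truncates an over-long path, and no check that quoting happened. A small file-local helper that performs the conversion, rejects a path that does not fit, and reports whether quoting succeeded would let all three call sites share one checked implementation; a sketch follows. RegisterService starts before this hunk and its error handling continues after it, so the failure branch at the call site is left as a comment.
```cpp
// Convert `path` to ANSI, copy it into `dest` and quote it if it contains
// spaces. Returns false if the path does not fit or could not be quoted.
static bool
QuoteServicePath(const CString &path, char *dest, size_t destLen) {
	CStringA pathA(path);
	const char *src = (const char *) pathA;
	if (strlen(src) >= destLen) {
		return false;
	}
	strcpy(dest, src);
	if (strchr(dest, ' ') != NULL && !PathQuoteSpaces(dest)) {
		return false;
	}
	return true;
}

// … unchanged: start of RegisterService up to namedLoc.Format(...) …
	char pathBuffer[2 * MAX_PATH];
	if (!QuoteServicePath(namedLoc, pathBuffer, sizeof(pathBuffer))) {
		// report the failure the way the surrounding code does and return
	}
// … unchanged: SetCurrent(IDS_CREATE_SERVICE) and the CreateService call using pathBuffer …
```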
@@ -1061,6 +1077,13 @@ CBINDInstallDlg::UpdateService(CString StartName) {
CString namedLoc;
namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
+ CStringA namedLocA(namedLoc);
+ const char *str = (const char *) namedLocA;
+ char pathBuffer[2 * MAX_PATH];
+ strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+ pathBuffer[sizeof(pathBuffer) - 1] = 0;
+ PathQuoteSpaces(pathBuffer);
+
SetCurrent(IDS_OPEN_SERVICE);
hService = OpenService(hSCManager, BIND_SERVICE_NAME,
SERVICE_CHANGE_CONFIG);
@@ -1072,7 +1095,7 @@ CBINDInstallDlg::UpdateService(CString StartName) {
return;
} else {
if (ChangeServiceConfig(hService, dwServiceType, dwStart,
- SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL,
+ SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL,
StartName, m_accountPassword, BIND_DISPLAY_NAME)
!= TRUE) {
DWORD err = GetLastError();
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 14fe88d407..bd1f603341 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -69,6 +69,13 @@
Security Fixes
+
+
+ The BIND installer on Windows used an unquoted service path,
+ which can enable privilege escalation. This flaw is disclosed
+ in CVE-2017-3141. [RT #45229]
+
+
With certain RPZ configurations, a response with TTL 0