bind: CVE-2016-9444

Fixes assertion failure while handling an unusually-formed DS record response Reference: https://kb.isc.org/article/AA-01441 Upstream patch (CVE-2016-9444.patch): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=04c7ee66b1eda851737cc7582a2a88193a0b4118 This patch (0001-fix-back-port-issue.patch) is needed to fix undefined reference to `DO_ERROR' in CVE-2016-9444.patch: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;h=6bed6ea11b1880e0a078bd02c1d31d21f0540583 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-13 12:22:21 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-09-18 13:54:22 +0200
commit: 89da7b077d37beea5b759ad35bba6366aa696245 (patch)
tree: d03e7256e58101f358fde7a729021a5929ec3201
parent: 0aea3a20062923f5c39c947e31ac9f87b9b351ce (diff)
download: meta-el-common-89da7b077d37beea5b759ad35bba6366aa696245.tar.gz
3 files changed, 220 insertions, 0 deletions
diff --git a/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch b/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch
new file mode 100644
index 0000000..a874469
--- /dev/null
+++ b/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch
@@ -0,0 +1,29 @@
+From 6bed6ea11b1880e0a078bd02c1d31d21f0540583 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 29 Dec 2016 10:48:46 +1100
+Subject: [PATCH] fix back port issue
+This patch is needed for CVE-2016-9444 fix.
+Upstream-Status: Backport [backport from v9_10_6_patch: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;h=6bed6ea11b1880e0a078bd02c1d31d21f0540583]
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/dns/message.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index fe8e5d0..5b8166a 100644
+--- a/lib/dns/message.c
+++ b/lib/dns/message.c
+@@ -1639,7 +1639,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+            ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
+            !preserve_order &&
+            !auth_signed(section)) 
+-               DO_ERROR(DNS_R_FORMERR);
+               DO_FORMERR;
+ 
+        if (seen_problem)
+                return (DNS_R_RECOVERABLE);
+-- 
+1.9.1
diff --git a/recipes-connectivity/bind/bind/CVE-2016-9444.patch b/recipes-connectivity/bind/bind/CVE-2016-9444.patch
new file mode 100644
index 0000000..2c1e125
--- /dev/null
+++ b/recipes-connectivity/bind/bind/CVE-2016-9444.patch
@@ -0,0 +1,186 @@
+From 254d55749ccb1129e7d021a51d0c3b7d3da26ee1 Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Tue, 12 Sep 2017 14:13:28 +0200
+Subject: [PATCH] CVE-2016-9444
+An unusually-formed DS record response could cause an assertion failure
+CVE: CVE-2016-9444
+Upstream-Status: Backport [backport from remotes/origin/v9_10_6_patch
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=04c7ee66b1eda851737cc7582a2a88193a0b4118]
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ CHANGES            |  4 +++
+ lib/dns/message.c  | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++---
+ lib/dns/resolver.c | 21 ++++++---------
+ 3 files changed, 85 insertions(+), 16 deletions(-)
+diff --git a/CHANGES b/CHANGES
+index 97d2e60..5760ca5 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -1,3 +1,7 @@
+4517.  [security]      Named could mishandle authority sections that were
+                       missing RRSIGs triggering an assertion failure.
+                       (CVE-2016-9444) [RT # 43632]
+
+ 4504.  [security]      Allow the maximum number of records in a zone to
+                        be specified.  This provides a control for issues
+                        raised in CVE-2016-6170. [RT #42143]
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 0dd4c77..2e37dac 100644
+--- a/lib/dns/message.c
+++ b/lib/dns/message.c
+@@ -1171,6 +1171,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
+        return (ISC_FALSE);
+ }
+ 
+/*
+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
+ * covering RRSIGs.
+ */
+static isc_boolean_t
+auth_signed(dns_namelist_t *section) {
+       dns_name_t *name;
+
+       for (name = ISC_LIST_HEAD(*section);
+            name != NULL;
+            name = ISC_LIST_NEXT(name, link))
+       {
+               int auth_dnssec = 0, auth_rrsig = 0;
+               dns_rdataset_t *rds;
+
+               for (rds = ISC_LIST_HEAD(name->list);
+                    rds != NULL;
+                    rds = ISC_LIST_NEXT(rds, link))
+               {
+                       switch (rds->type) {
+                       case dns_rdatatype_ds:
+                               auth_dnssec |= 0x1;
+                               break;
+                       case dns_rdatatype_nsec:
+                               auth_dnssec |= 0x2;
+                               break;
+                       case dns_rdatatype_nsec3:
+                               auth_dnssec |= 0x4;
+                               break;
+                       case dns_rdatatype_rrsig:
+                               break;
+                       default:
+                               continue;
+                       }
+
+                       switch (rds->covers) {
+                       case dns_rdatatype_ds:
+                               auth_rrsig |= 0x1;
+                               break;
+                       case dns_rdatatype_nsec:
+                               auth_rrsig |= 0x2;
+                               break;
+                       case dns_rdatatype_nsec3:
+                               auth_rrsig |= 0x4;
+                               break;
+                       default:
+                               break;
+                       }
+               }
+
+               if (auth_dnssec != auth_rrsig)
+                       return (ISC_FALSE);
+       }
+
+       return (ISC_TRUE);
+}
+
+ static isc_result_t
+ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+           dns_section_t sectionid, unsigned int options)
+@@ -1196,12 +1253,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+        best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
+        seen_problem = ISC_FALSE;
+ 
+       section = &msg->sections[sectionid];
+
+        for (count = 0; count < msg->counts[sectionid]; count++) {
+                int recstart = source->current;
+                isc_boolean_t skip_name_search, skip_type_search;
+ 
+-               section = &msg->sections[sectionid];
+-
+                skip_name_search = ISC_FALSE;
+                skip_type_search = ISC_FALSE;
+                free_rdataset = ISC_FALSE;
+@@ -1364,7 +1421,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+                        goto cleanup;
+                rdata->rdclass = rdclass;
+                issigzero = ISC_FALSE;
+-               if (rdtype == dns_rdatatype_rrsig  &&
+               if (rdtype == dns_rdatatype_rrsig &&
+                    rdata->flags == 0) {
+                        covers = dns_rdata_covers(rdata);
+                        if (covers == 0)
+@@ -1575,6 +1632,19 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+                INSIST(free_rdataset == ISC_FALSE);
+        }
+ 
+       /*
+        * If any of DS, NSEC or NSEC3 appeared in the
+        * authority section of a query response without
+        * a covering RRSIG, FORMERR
+        */
+       if (sectionid == DNS_SECTION_AUTHORITY &&
+           msg->opcode == dns_opcode_query &&
+           ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
+           ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
+           !preserve_order &&
+           !auth_signed(section)) 
+               DO_ERROR(DNS_R_FORMERR);
+
+        if (seen_problem)
+                return (DNS_R_RECOVERABLE);
+        return (ISC_R_SUCCESS);
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index b8fa6b3..017b4ba 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -5435,16 +5435,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+                                                              rdataset->type,
+                                                              &noqname);
+                                        if (tresult == ISC_R_SUCCESS &&
+-                                           noqname != NULL) {
+-                                               tresult =
+-                                                    dns_rdataset_addnoqname(
+                                           noqname != NULL)
+                                               (void) dns_rdataset_addnoqname(
+                                                            rdataset, noqname);
+-                                               RUNTIME_CHECK(tresult ==
+-                                                             ISC_R_SUCCESS);
+-                                       }
+                                }
+-                               if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0)
+-                                               options = DNS_DBADD_PREFETCH;
+                               if ((fctx->options &
+                                    DNS_FETCHOPT_PREFETCH) != 0)
+                                       options = DNS_DBADD_PREFETCH;
+                                addedrdataset = ardataset;
+                                result = dns_db_addrdataset(fctx->cache, node,
+                                                            NULL, now, rdataset,
+@@ -5584,11 +5581,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+                                tresult = findnoqname(fctx, name,
+                                                      rdataset->type, &noqname);
+                                if (tresult == ISC_R_SUCCESS &&
+-                                   noqname != NULL) {
+-                                       tresult = dns_rdataset_addnoqname(
+-                                                           rdataset, noqname);
+-                                       RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
+-                               }
+                                   noqname != NULL)
+                                       (void) dns_rdataset_addnoqname(
+                                                      rdataset, noqname);
+                        }
+ 
+                        /*
+-- 
+1.9.1
diff --git a/recipes-connectivity/bind/bind_%.bbappend b/recipes-connectivity/bind/bind_%.bbappend
new file mode 100644
index 0000000..2e8ba00
--- /dev/null
+++ b/recipes-connectivity/bind/bind_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += "file://CVE-2016-9444.patch \
+            file://0001-fix-back-port-issue.patch \
+           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-13 12:22:21 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-09-18 13:54:22 +0200
commit	89da7b077d37beea5b759ad35bba6366aa696245 (patch)
tree	d03e7256e58101f358fde7a729021a5929ec3201
parent	0aea3a20062923f5c39c947e31ac9f87b9b351ce (diff)
download	meta-el-common-89da7b077d37beea5b759ad35bba6366aa696245.tar.gz

diff --git a/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch b/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch new file mode 100644 index 0000000..a874469 --- /dev/null +++ b/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch
@@ -0,0 +1,29 @@
	1	From 6bed6ea11b1880e0a078bd02c1d31d21f0540583 Mon Sep 17 00:00:00 2001
	2	From: Mark Andrews <marka@isc.org>
	3	Date: Thu, 29 Dec 2016 10:48:46 +1100
	4	Subject: [PATCH] fix back port issue
	5
	6	This patch is needed for CVE-2016-9444 fix.
	7	Upstream-Status: Backport [backport from v9_10_6_patch: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;h=6bed6ea11b1880e0a078bd02c1d31d21f0540583]
	8
	9	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	10	---
	11	lib/dns/message.c \| 2 +-
	12	1 file changed, 1 insertion(+), 1 deletion(-)
	13
	14	diff --git a/lib/dns/message.c b/lib/dns/message.c
	15	index fe8e5d0..5b8166a 100644
	16	--- a/lib/dns/message.c
	17	+++ b/lib/dns/message.c
	18	@@ -1639,7 +1639,7 @@ getsection(isc_buffer_t source, dns_message_t msg, dns_decompress_t *dctx,
	19	((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
	20	!preserve_order &&
	21	!auth_signed(section))
	22	- DO_ERROR(DNS_R_FORMERR);
	23	+ DO_FORMERR;
	24
	25	if (seen_problem)
	26	return (DNS_R_RECOVERABLE);
	27	--
	28	1.9.1
	29


diff --git a/recipes-connectivity/bind/bind/CVE-2016-9444.patch b/recipes-connectivity/bind/bind/CVE-2016-9444.patch new file mode 100644 index 0000000..2c1e125 --- /dev/null +++ b/recipes-connectivity/bind/bind/CVE-2016-9444.patch
@@ -0,0 +1,186 @@
	1	From 254d55749ccb1129e7d021a51d0c3b7d3da26ee1 Mon Sep 17 00:00:00 2001
	2	From: Sona Sarmadi <sona.sarmadi@enea.com>
	3	Date: Tue, 12 Sep 2017 14:13:28 +0200
	4	Subject: [PATCH] CVE-2016-9444
	5
	6	An unusually-formed DS record response could cause an assertion failure
	7
	8	CVE: CVE-2016-9444
	9	Upstream-Status: Backport [backport from remotes/origin/v9_10_6_patch
	10	https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=04c7ee66b1eda851737cc7582a2a88193a0b4118]
	11
	12	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	13	---
	14	CHANGES \| 4 +++
	15	lib/dns/message.c \| 76 +++++++++++++++++++++++++++++++++++++++++++++++++++---
	16	lib/dns/resolver.c \| 21 ++++++---------
	17	3 files changed, 85 insertions(+), 16 deletions(-)
	18
	19	diff --git a/CHANGES b/CHANGES
	20	index 97d2e60..5760ca5 100644
	21	--- a/CHANGES
	22	+++ b/CHANGES
	23	@@ -1,3 +1,7 @@
	24	+4517. [security] Named could mishandle authority sections that were
	25	+ missing RRSIGs triggering an assertion failure.
	26	+ (CVE-2016-9444) [RT # 43632]
	27	+
	28	4504. [security] Allow the maximum number of records in a zone to
	29	be specified. This provides a control for issues
	30	raised in CVE-2016-6170. [RT #42143]
	31	diff --git a/lib/dns/message.c b/lib/dns/message.c
	32	index 0dd4c77..2e37dac 100644
	33	--- a/lib/dns/message.c
	34	+++ b/lib/dns/message.c
	35	@@ -1171,6 +1171,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
	36	return (ISC_FALSE);
	37	}
	38
	39	+/*
	40	+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
	41	+ * covering RRSIGs.
	42	+ */
	43	+static isc_boolean_t
	44	+auth_signed(dns_namelist_t *section) {
	45	+ dns_name_t *name;
	46	+
	47	+ for (name = ISC_LIST_HEAD(*section);
	48	+ name != NULL;
	49	+ name = ISC_LIST_NEXT(name, link))
	50	+ {
	51	+ int auth_dnssec = 0, auth_rrsig = 0;
	52	+ dns_rdataset_t *rds;
	53	+
	54	+ for (rds = ISC_LIST_HEAD(name->list);
	55	+ rds != NULL;
	56	+ rds = ISC_LIST_NEXT(rds, link))
	57	+ {
	58	+ switch (rds->type) {
	59	+ case dns_rdatatype_ds:
	60	+ auth_dnssec \|= 0x1;
	61	+ break;
	62	+ case dns_rdatatype_nsec:
	63	+ auth_dnssec \|= 0x2;
	64	+ break;
	65	+ case dns_rdatatype_nsec3:
	66	+ auth_dnssec \|= 0x4;
	67	+ break;
	68	+ case dns_rdatatype_rrsig:
	69	+ break;
	70	+ default:
	71	+ continue;
	72	+ }
	73	+
	74	+ switch (rds->covers) {
	75	+ case dns_rdatatype_ds:
	76	+ auth_rrsig \|= 0x1;
	77	+ break;
	78	+ case dns_rdatatype_nsec:
	79	+ auth_rrsig \|= 0x2;
	80	+ break;
	81	+ case dns_rdatatype_nsec3:
	82	+ auth_rrsig \|= 0x4;
	83	+ break;
	84	+ default:
	85	+ break;
	86	+ }
	87	+ }
	88	+
	89	+ if (auth_dnssec != auth_rrsig)
	90	+ return (ISC_FALSE);
	91	+ }
	92	+
	93	+ return (ISC_TRUE);
	94	+}
	95	+
	96	static isc_result_t
	97	getsection(isc_buffer_t source, dns_message_t msg, dns_decompress_t *dctx,
	98	dns_section_t sectionid, unsigned int options)
	99	@@ -1196,12 +1253,12 @@ getsection(isc_buffer_t source, dns_message_t msg, dns_decompress_t *dctx,
	100	best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
	101	seen_problem = ISC_FALSE;
	102
	103	+ section = &msg->sections[sectionid];
	104	+
	105	for (count = 0; count < msg->counts[sectionid]; count++) {
	106	int recstart = source->current;
	107	isc_boolean_t skip_name_search, skip_type_search;
	108
	109	- section = &msg->sections[sectionid];
	110	-
	111	skip_name_search = ISC_FALSE;
	112	skip_type_search = ISC_FALSE;
	113	free_rdataset = ISC_FALSE;
	114	@@ -1364,7 +1421,7 @@ getsection(isc_buffer_t source, dns_message_t msg, dns_decompress_t *dctx,
	115	goto cleanup;
	116	rdata->rdclass = rdclass;
	117	issigzero = ISC_FALSE;
	118	- if (rdtype == dns_rdatatype_rrsig &&
	119	+ if (rdtype == dns_rdatatype_rrsig &&
	120	rdata->flags == 0) {
	121	covers = dns_rdata_covers(rdata);
	122	if (covers == 0)
	123	@@ -1575,6 +1632,19 @@ getsection(isc_buffer_t source, dns_message_t msg, dns_decompress_t *dctx,
	124	INSIST(free_rdataset == ISC_FALSE);
	125	}
	126
	127	+ /*
	128	+ * If any of DS, NSEC or NSEC3 appeared in the
	129	+ * authority section of a query response without
	130	+ * a covering RRSIG, FORMERR
	131	+ */
	132	+ if (sectionid == DNS_SECTION_AUTHORITY &&
	133	+ msg->opcode == dns_opcode_query &&
	134	+ ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
	135	+ ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
	136	+ !preserve_order &&
	137	+ !auth_signed(section))
	138	+ DO_ERROR(DNS_R_FORMERR);
	139	+
	140	if (seen_problem)
	141	return (DNS_R_RECOVERABLE);
	142	return (ISC_R_SUCCESS);
	143	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
	144	index b8fa6b3..017b4ba 100644
	145	--- a/lib/dns/resolver.c
	146	+++ b/lib/dns/resolver.c
	147	@@ -5435,16 +5435,13 @@ cache_name(fetchctx_t fctx, dns_name_t name, dns_adbaddrinfo_t *addrinfo,
	148	rdataset->type,
	149	&noqname);
	150	if (tresult == ISC_R_SUCCESS &&
	151	- noqname != NULL) {
	152	- tresult =
	153	- dns_rdataset_addnoqname(
	154	+ noqname != NULL)
	155	+ (void) dns_rdataset_addnoqname(
	156	rdataset, noqname);
	157	- RUNTIME_CHECK(tresult ==
	158	- ISC_R_SUCCESS);
	159	- }
	160	}
	161	- if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0)
	162	- options = DNS_DBADD_PREFETCH;
	163	+ if ((fctx->options &
	164	+ DNS_FETCHOPT_PREFETCH) != 0)
	165	+ options = DNS_DBADD_PREFETCH;
	166	addedrdataset = ardataset;
	167	result = dns_db_addrdataset(fctx->cache, node,
	168	NULL, now, rdataset,
	169	@@ -5584,11 +5581,9 @@ cache_name(fetchctx_t fctx, dns_name_t name, dns_adbaddrinfo_t *addrinfo,
	170	tresult = findnoqname(fctx, name,
	171	rdataset->type, &noqname);
	172	if (tresult == ISC_R_SUCCESS &&
	173	- noqname != NULL) {
	174	- tresult = dns_rdataset_addnoqname(
	175	- rdataset, noqname);
	176	- RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
	177	- }
	178	+ noqname != NULL)
	179	+ (void) dns_rdataset_addnoqname(
	180	+ rdataset, noqname);
	181	}
	182
	183	/*
	184	--
	185	1.9.1
	186


diff --git a/recipes-connectivity/bind/bind_%.bbappend b/recipes-connectivity/bind/bind_%.bbappend new file mode 100644 index 0000000..2e8ba00 --- /dev/null +++ b/recipes-connectivity/bind/bind_%.bbappend
@@ -0,0 +1,5 @@
	1	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
	2
	3	SRC_URI += "file://CVE-2016-9444.patch \
	4	file://0001-fix-back-port-issue.patch \
	5	"