diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-04-07 12:27:27 +0200 |
|---|---|---|
| committer | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-04-08 12:32:32 +0200 |
| commit | 71129828ff4cfda3d66aa9378be3c5a53f2beb8b (patch) | |
| tree | 7a71ee4e6376fd06a3678251c8f3f6e5d7617f9a | |
| parent | 4ddc912615a690b7f612517ac5a5b345c9f89f8e (diff) | |
| download | poky-daisy-enea.tar.gz | |
bind: CVE-2016-1285 CVE-2016-1286daisy-enea
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure
[YOCTO #9400]
External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286
References to the Upstream commits and Security Advisories:
CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=31e4657cf246e41d4c5c890315cb6cf89a0db25a
CVE-2016-1286_1: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7
CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=ce3cd91caee698cb144e1350c6c78292c6be6339
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
5 files changed, 572 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch new file mode 100644 index 0000000000..638ac2377f --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch | |||
| @@ -0,0 +1,141 @@ | |||
| 1 | From 31e4657cf246e41d4c5c890315cb6cf89a0db25a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mark Andrews <marka@isc.org> | ||
| 3 | Date: Thu, 18 Feb 2016 12:11:27 +1100 | ||
| 4 | Subject: [PATCH] 4318. [security] Malformed control messages can | ||
| 5 | trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666] | ||
| 6 | |||
| 7 | (cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e) | ||
| 8 | |||
| 9 | CVE: CVE-2016-1285 | ||
| 10 | Upstream-Status: Backport | ||
| 11 | |||
| 12 | [Skipped CHANGES and doc/arm/notes.xml changes.] | ||
| 13 | |||
| 14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 15 | --- | ||
| 16 | CHANGES | 3 +++ | ||
| 17 | bin/named/control.c | 2 +- | ||
| 18 | bin/named/controlconf.c | 2 +- | ||
| 19 | bin/rndc/rndc.c | 8 ++++---- | ||
| 20 | doc/arm/notes.xml | 8 ++++++++ | ||
| 21 | lib/isccc/cc.c | 14 +++++++------- | ||
| 22 | 6 files changed, 24 insertions(+), 13 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/bin/named/control.c b/bin/named/control.c | ||
| 25 | index 01fbe35..b1b744f 100644 | ||
| 26 | --- a/bin/named/control.c | ||
| 27 | +++ b/bin/named/control.c | ||
| 28 | @@ -89,7 +89,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { | ||
| 29 | #endif | ||
| 30 | |||
| 31 | data = isccc_alist_lookup(message, "_data"); | ||
| 32 | - if (data == NULL) { | ||
| 33 | + if (!isccc_alist_alistp(data)) { | ||
| 34 | /* | ||
| 35 | * No data section. | ||
| 36 | */ | ||
| 37 | diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c | ||
| 38 | index 95feaf5..31bdc48 100644 | ||
| 39 | --- a/bin/named/controlconf.c | ||
| 40 | +++ b/bin/named/controlconf.c | ||
| 41 | @@ -397,7 +397,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { | ||
| 42 | * Limit exposure to replay attacks. | ||
| 43 | */ | ||
| 44 | _ctrl = isccc_alist_lookup(request, "_ctrl"); | ||
| 45 | - if (_ctrl == NULL) { | ||
| 46 | + if (!isccc_alist_alistp(_ctrl)) { | ||
| 47 | log_invalid(&conn->ccmsg, ISC_R_FAILURE); | ||
| 48 | goto cleanup_request; | ||
| 49 | } | ||
| 50 | diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c | ||
| 51 | index c7d8fe1..ba3ac3a 100644 | ||
| 52 | --- a/bin/rndc/rndc.c | ||
| 53 | +++ b/bin/rndc/rndc.c | ||
| 54 | @@ -249,8 +249,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { | ||
| 55 | DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); | ||
| 56 | |||
| 57 | data = isccc_alist_lookup(response, "_data"); | ||
| 58 | - if (data == NULL) | ||
| 59 | - fatal("no data section in response"); | ||
| 60 | + if (!isccc_alist_alistp(data)) | ||
| 61 | + fatal("bad or missing data section in response"); | ||
| 62 | result = isccc_cc_lookupstring(data, "err", &errormsg); | ||
| 63 | if (result == ISC_R_SUCCESS) { | ||
| 64 | failed = ISC_TRUE; | ||
| 65 | @@ -313,8 +313,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { | ||
| 66 | DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); | ||
| 67 | |||
| 68 | _ctrl = isccc_alist_lookup(response, "_ctrl"); | ||
| 69 | - if (_ctrl == NULL) | ||
| 70 | - fatal("_ctrl section missing"); | ||
| 71 | + if (!isccc_alist_alistp(_ctrl)) | ||
| 72 | + fatal("bad or missing ctrl section in response"); | ||
| 73 | nonce = 0; | ||
| 74 | if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) | ||
| 75 | nonce = 0; | ||
| 76 | |||
| 77 | diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c | ||
| 78 | index 9915568..ffcd584 100644 | ||
| 79 | --- a/lib/isccc/cc.c | ||
| 80 | +++ b/lib/isccc/cc.c | ||
| 81 | @@ -284,10 +284,10 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, | ||
| 82 | * Extract digest. | ||
| 83 | */ | ||
| 84 | _auth = isccc_alist_lookup(alist, "_auth"); | ||
| 85 | - if (_auth == NULL) | ||
| 86 | + if (!isccc_alist_alistp(_auth)) | ||
| 87 | return (ISC_R_FAILURE); | ||
| 88 | hmd5 = isccc_alist_lookup(_auth, "hmd5"); | ||
| 89 | - if (hmd5 == NULL) | ||
| 90 | + if (!isccc_sexpr_binaryp(hmac)) | ||
| 91 | return (ISC_R_FAILURE); | ||
| 92 | /* | ||
| 93 | * Compute digest. | ||
| 94 | @@ -540,7 +540,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, | ||
| 95 | REQUIRE(ackp != NULL && *ackp == NULL); | ||
| 96 | |||
| 97 | _ctrl = isccc_alist_lookup(message, "_ctrl"); | ||
| 98 | - if (_ctrl == NULL || | ||
| 99 | + if (!isccc_alist_alistp(_ctrl) || | ||
| 100 | isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || | ||
| 101 | isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) | ||
| 102 | return (ISC_R_FAILURE); | ||
| 103 | @@ -584,7 +584,7 @@ isccc_cc_isack(isccc_sexpr_t *message) { | ||
| 104 | isccc_sexpr_t *_ctrl; | ||
| 105 | |||
| 106 | _ctrl = isccc_alist_lookup(message, "_ctrl"); | ||
| 107 | - if (_ctrl == NULL) | ||
| 108 | + if (!isccc_alist_alistp(_ctrl)) | ||
| 109 | return (ISC_FALSE); | ||
| 110 | if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) | ||
| 111 | return (ISC_TRUE); | ||
| 112 | @@ -596,7 +596,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) { | ||
| 113 | isccc_sexpr_t *_ctrl; | ||
| 114 | |||
| 115 | _ctrl = isccc_alist_lookup(message, "_ctrl"); | ||
| 116 | - if (_ctrl == NULL) | ||
| 117 | + if (!isccc_alist_alistp(_ctrl)) | ||
| 118 | return (ISC_FALSE); | ||
| 119 | if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) | ||
| 120 | return (ISC_TRUE); | ||
| 121 | @@ -616,7 +616,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, | ||
| 122 | |||
| 123 | _ctrl = isccc_alist_lookup(message, "_ctrl"); | ||
| 124 | _data = isccc_alist_lookup(message, "_data"); | ||
| 125 | - if (_ctrl == NULL || _data == NULL || | ||
| 126 | + if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || | ||
| 127 | isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || | ||
| 128 | isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) | ||
| 129 | return (ISC_R_FAILURE); | ||
| 130 | @@ -797,7 +797,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, | ||
| 131 | isccc_sexpr_t *_ctrl; | ||
| 132 | |||
| 133 | _ctrl = isccc_alist_lookup(message, "_ctrl"); | ||
| 134 | - if (_ctrl == NULL || | ||
| 135 | + if (!isccc_alist_alistp(_ctrl) || | ||
| 136 | isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || | ||
| 137 | isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) | ||
| 138 | return (ISC_R_FAILURE); | ||
| 139 | -- | ||
| 140 | 1.9.1 | ||
| 141 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch new file mode 100644 index 0000000000..4a2c15ffc7 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch | |||
| @@ -0,0 +1,78 @@ | |||
| 1 | From 76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mukund Sivaraman <muks@isc.org> | ||
| 3 | Date: Mon, 22 Feb 2016 12:22:43 +0530 | ||
| 4 | Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling | ||
| 5 | (CVE-2016-1286) (#41753) | ||
| 6 | |||
| 7 | (cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673) | ||
| 8 | (cherry picked from commit 456e1eadd2a3a2fb9617e60d4db90ef4ba7c6ba3) | ||
| 9 | |||
| 10 | CVE: CVE-2016-1286 | ||
| 11 | Upstream-Status: Backport | ||
| 12 | |||
| 13 | [Skipped CHANGES and doc/arm/notes.xml changes.] | ||
| 14 | |||
| 15 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 16 | --- | ||
| 17 | CHANGES | 4 ++++ | ||
| 18 | doc/arm/notes.xml | 7 +++++++ | ||
| 19 | lib/dns/resolver.c | 33 ++++++++++++++++++--------------- | ||
| 20 | 3 files changed, 29 insertions(+), 15 deletions(-) | ||
| 21 | |||
| 22 | diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
| 23 | index 735f7d2..0602070 100644 | ||
| 24 | --- a/lib/dns/resolver.c | ||
| 25 | +++ b/lib/dns/resolver.c | ||
| 26 | @@ -6701,21 +6701,26 @@ answer_response(fetchctx_t *fctx) { | ||
| 27 | isc_boolean_t found_dname = ISC_FALSE; | ||
| 28 | dns_name_t *dname_name; | ||
| 29 | |||
| 30 | + /* | ||
| 31 | + * Only pass DNAME or RRSIG(DNAME). | ||
| 32 | + */ | ||
| 33 | + if (rdataset->type != dns_rdatatype_dname && | ||
| 34 | + (rdataset->type != dns_rdatatype_rrsig || | ||
| 35 | + rdataset->covers != dns_rdatatype_dname)) | ||
| 36 | + continue; | ||
| 37 | + | ||
| 38 | + /* | ||
| 39 | + * If we're not chaining, then the DNAME and | ||
| 40 | + * its signature should not be external. | ||
| 41 | + */ | ||
| 42 | + if (!chaining && external) { | ||
| 43 | + log_formerr(fctx, "external DNAME"); | ||
| 44 | + return (DNS_R_FORMERR); | ||
| 45 | + } | ||
| 46 | + | ||
| 47 | found = ISC_FALSE; | ||
| 48 | aflag = 0; | ||
| 49 | if (rdataset->type == dns_rdatatype_dname) { | ||
| 50 | - /* | ||
| 51 | - * We're looking for something else, | ||
| 52 | - * but we found a DNAME. | ||
| 53 | - * | ||
| 54 | - * If we're not chaining, then the | ||
| 55 | - * DNAME should not be external. | ||
| 56 | - */ | ||
| 57 | - if (!chaining && external) { | ||
| 58 | - log_formerr(fctx, | ||
| 59 | - "external DNAME"); | ||
| 60 | - return (DNS_R_FORMERR); | ||
| 61 | - } | ||
| 62 | found = ISC_TRUE; | ||
| 63 | want_chaining = ISC_TRUE; | ||
| 64 | POST(want_chaining); | ||
| 65 | @@ -6744,9 +6749,7 @@ answer_response(fetchctx_t *fctx) { | ||
| 66 | &fctx->domain)) { | ||
| 67 | return (DNS_R_SERVFAIL); | ||
| 68 | } | ||
| 69 | - } else if (rdataset->type == dns_rdatatype_rrsig | ||
| 70 | - && rdataset->covers == | ||
| 71 | - dns_rdatatype_dname) { | ||
| 72 | + } else { | ||
| 73 | /* | ||
| 74 | * We've found a signature that | ||
| 75 | * covers the DNAME. | ||
| 76 | -- | ||
| 77 | 1.9.1 | ||
| 78 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch new file mode 100644 index 0000000000..eba4ea3a67 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch | |||
| @@ -0,0 +1,318 @@ | |||
| 1 | From ce3cd91caee698cb144e1350c6c78292c6be6339 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mark Andrews <marka@isc.org> | ||
| 3 | Date: Mon, 29 Feb 2016 07:16:48 +1100 | ||
| 4 | Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion | ||
| 5 | failure due to improper DNAME handling when parsing | ||
| 6 | fetch reply messages. (CVE-2016-1286) [RT #41753] | ||
| 7 | |||
| 8 | (cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374) | ||
| 9 | |||
| 10 | CVE: CVE-2016-1286 | ||
| 11 | Upstream-Status: Backport | ||
| 12 | |||
| 13 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 14 | --- | ||
| 15 | lib/dns/resolver.c | 192 ++++++++++++++++++++++++++--------------------------- | ||
| 16 | 1 file changed, 93 insertions(+), 99 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
| 19 | index 0602070..273e06c 100644 | ||
| 20 | --- a/lib/dns/resolver.c | ||
| 21 | +++ b/lib/dns/resolver.c | ||
| 22 | @@ -5808,14 +5808,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { | ||
| 23 | } | ||
| 24 | |||
| 25 | static inline isc_result_t | ||
| 26 | -dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, | ||
| 27 | - dns_name_t *oname, dns_fixedname_t *fixeddname) | ||
| 28 | +dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, | ||
| 29 | + unsigned int nlabels, dns_fixedname_t *fixeddname) | ||
| 30 | { | ||
| 31 | isc_result_t result; | ||
| 32 | dns_rdata_t rdata = DNS_RDATA_INIT; | ||
| 33 | - unsigned int nlabels; | ||
| 34 | - int order; | ||
| 35 | - dns_namereln_t namereln; | ||
| 36 | dns_rdata_dname_t dname; | ||
| 37 | dns_fixedname_t prefix; | ||
| 38 | |||
| 39 | @@ -5830,21 +5827,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, | ||
| 40 | if (result != ISC_R_SUCCESS) | ||
| 41 | return (result); | ||
| 42 | |||
| 43 | - /* | ||
| 44 | - * Get the prefix of qname. | ||
| 45 | - */ | ||
| 46 | - namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); | ||
| 47 | - if (namereln != dns_namereln_subdomain) { | ||
| 48 | - char qbuf[DNS_NAME_FORMATSIZE]; | ||
| 49 | - char obuf[DNS_NAME_FORMATSIZE]; | ||
| 50 | - | ||
| 51 | - dns_rdata_freestruct(&dname); | ||
| 52 | - dns_name_format(qname, qbuf, sizeof(qbuf)); | ||
| 53 | - dns_name_format(oname, obuf, sizeof(obuf)); | ||
| 54 | - log_formerr(fctx, "unrelated DNAME in answer: " | ||
| 55 | - "%s is not in %s", qbuf, obuf); | ||
| 56 | - return (DNS_R_FORMERR); | ||
| 57 | - } | ||
| 58 | dns_fixedname_init(&prefix); | ||
| 59 | dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); | ||
| 60 | dns_fixedname_init(fixeddname); | ||
| 61 | @@ -6470,13 +6452,13 @@ static isc_result_t | ||
| 62 | answer_response(fetchctx_t *fctx) { | ||
| 63 | isc_result_t result; | ||
| 64 | dns_message_t *message; | ||
| 65 | - dns_name_t *name, *qname, tname, *ns_name; | ||
| 66 | + dns_name_t *name, *dname, *qname, tname, *ns_name; | ||
| 67 | dns_rdataset_t *rdataset, *ns_rdataset; | ||
| 68 | isc_boolean_t done, external, chaining, aa, found, want_chaining; | ||
| 69 | isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; | ||
| 70 | unsigned int aflag; | ||
| 71 | dns_rdatatype_t type; | ||
| 72 | - dns_fixedname_t dname, fqname; | ||
| 73 | + dns_fixedname_t fdname, fqname; | ||
| 74 | dns_view_t *view; | ||
| 75 | |||
| 76 | FCTXTRACE("answer_response"); | ||
| 77 | @@ -6504,10 +6486,15 @@ answer_response(fetchctx_t *fctx) { | ||
| 78 | view = fctx->res->view; | ||
| 79 | result = dns_message_firstname(message, DNS_SECTION_ANSWER); | ||
| 80 | while (!done && result == ISC_R_SUCCESS) { | ||
| 81 | + dns_namereln_t namereln; | ||
| 82 | + int order; | ||
| 83 | + unsigned int nlabels; | ||
| 84 | + | ||
| 85 | name = NULL; | ||
| 86 | dns_message_currentname(message, DNS_SECTION_ANSWER, &name); | ||
| 87 | external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); | ||
| 88 | - if (dns_name_equal(name, qname)) { | ||
| 89 | + namereln = dns_name_fullcompare(qname, name, &order, &nlabels); | ||
| 90 | + if (namereln == dns_namereln_equal) { | ||
| 91 | wanted_chaining = ISC_FALSE; | ||
| 92 | for (rdataset = ISC_LIST_HEAD(name->list); | ||
| 93 | rdataset != NULL; | ||
| 94 | @@ -6632,10 +6619,11 @@ answer_response(fetchctx_t *fctx) { | ||
| 95 | */ | ||
| 96 | INSIST(!external); | ||
| 97 | if (aflag == | ||
| 98 | - DNS_RDATASETATTR_ANSWER) | ||
| 99 | + DNS_RDATASETATTR_ANSWER) { | ||
| 100 | have_answer = ISC_TRUE; | ||
| 101 | - name->attributes |= | ||
| 102 | - DNS_NAMEATTR_ANSWER; | ||
| 103 | + name->attributes |= | ||
| 104 | + DNS_NAMEATTR_ANSWER; | ||
| 105 | + } | ||
| 106 | rdataset->attributes |= aflag; | ||
| 107 | if (aa) | ||
| 108 | rdataset->trust = | ||
| 109 | @@ -6690,6 +6678,8 @@ answer_response(fetchctx_t *fctx) { | ||
| 110 | if (wanted_chaining) | ||
| 111 | chaining = ISC_TRUE; | ||
| 112 | } else { | ||
| 113 | + dns_rdataset_t *dnameset = NULL; | ||
| 114 | + | ||
| 115 | /* | ||
| 116 | * Look for a DNAME (or its SIG). Anything else is | ||
| 117 | * ignored. | ||
| 118 | @@ -6697,10 +6687,8 @@ answer_response(fetchctx_t *fctx) { | ||
| 119 | wanted_chaining = ISC_FALSE; | ||
| 120 | for (rdataset = ISC_LIST_HEAD(name->list); | ||
| 121 | rdataset != NULL; | ||
| 122 | - rdataset = ISC_LIST_NEXT(rdataset, link)) { | ||
| 123 | - isc_boolean_t found_dname = ISC_FALSE; | ||
| 124 | - dns_name_t *dname_name; | ||
| 125 | - | ||
| 126 | + rdataset = ISC_LIST_NEXT(rdataset, link)) | ||
| 127 | + { | ||
| 128 | /* | ||
| 129 | * Only pass DNAME or RRSIG(DNAME). | ||
| 130 | */ | ||
| 131 | @@ -6714,20 +6702,41 @@ answer_response(fetchctx_t *fctx) { | ||
| 132 | * its signature should not be external. | ||
| 133 | */ | ||
| 134 | if (!chaining && external) { | ||
| 135 | - log_formerr(fctx, "external DNAME"); | ||
| 136 | + char qbuf[DNS_NAME_FORMATSIZE]; | ||
| 137 | + char obuf[DNS_NAME_FORMATSIZE]; | ||
| 138 | + | ||
| 139 | + dns_name_format(name, qbuf, | ||
| 140 | + sizeof(qbuf)); | ||
| 141 | + dns_name_format(&fctx->domain, obuf, | ||
| 142 | + sizeof(obuf)); | ||
| 143 | + log_formerr(fctx, "external DNAME or " | ||
| 144 | + "RRSIG covering DNAME " | ||
| 145 | + "in answer: %s is " | ||
| 146 | + "not in %s", qbuf, obuf); | ||
| 147 | + return (DNS_R_FORMERR); | ||
| 148 | + } | ||
| 149 | + | ||
| 150 | + if (namereln != dns_namereln_subdomain) { | ||
| 151 | + char qbuf[DNS_NAME_FORMATSIZE]; | ||
| 152 | + char obuf[DNS_NAME_FORMATSIZE]; | ||
| 153 | + | ||
| 154 | + dns_name_format(qname, qbuf, | ||
| 155 | + sizeof(qbuf)); | ||
| 156 | + dns_name_format(name, obuf, | ||
| 157 | + sizeof(obuf)); | ||
| 158 | + log_formerr(fctx, "unrelated DNAME " | ||
| 159 | + "in answer: %s is " | ||
| 160 | + "not in %s", qbuf, obuf); | ||
| 161 | return (DNS_R_FORMERR); | ||
| 162 | } | ||
| 163 | |||
| 164 | - found = ISC_FALSE; | ||
| 165 | aflag = 0; | ||
| 166 | if (rdataset->type == dns_rdatatype_dname) { | ||
| 167 | - found = ISC_TRUE; | ||
| 168 | want_chaining = ISC_TRUE; | ||
| 169 | POST(want_chaining); | ||
| 170 | aflag = DNS_RDATASETATTR_ANSWER; | ||
| 171 | - result = dname_target(fctx, rdataset, | ||
| 172 | - qname, name, | ||
| 173 | - &dname); | ||
| 174 | + result = dname_target(rdataset, qname, | ||
| 175 | + nlabels, &fdname); | ||
| 176 | if (result == ISC_R_NOSPACE) { | ||
| 177 | /* | ||
| 178 | * We can't construct the | ||
| 179 | @@ -6739,14 +6748,12 @@ answer_response(fetchctx_t *fctx) { | ||
| 180 | } else if (result != ISC_R_SUCCESS) | ||
| 181 | return (result); | ||
| 182 | else | ||
| 183 | - found_dname = ISC_TRUE; | ||
| 184 | + dnameset = rdataset; | ||
| 185 | |||
| 186 | - dname_name = dns_fixedname_name(&dname); | ||
| 187 | + dname = dns_fixedname_name(&fdname); | ||
| 188 | if (!is_answertarget_allowed(view, | ||
| 189 | - qname, | ||
| 190 | - rdataset->type, | ||
| 191 | - dname_name, | ||
| 192 | - &fctx->domain)) { | ||
| 193 | + qname, rdataset->type, | ||
| 194 | + dname, &fctx->domain)) { | ||
| 195 | return (DNS_R_SERVFAIL); | ||
| 196 | } | ||
| 197 | } else { | ||
| 198 | @@ -6754,73 +6761,60 @@ answer_response(fetchctx_t *fctx) { | ||
| 199 | * We've found a signature that | ||
| 200 | * covers the DNAME. | ||
| 201 | */ | ||
| 202 | - found = ISC_TRUE; | ||
| 203 | aflag = DNS_RDATASETATTR_ANSWERSIG; | ||
| 204 | } | ||
| 205 | |||
| 206 | - if (found) { | ||
| 207 | + /* | ||
| 208 | + * We've found an answer to our | ||
| 209 | + * question. | ||
| 210 | + */ | ||
| 211 | + name->attributes |= DNS_NAMEATTR_CACHE; | ||
| 212 | + rdataset->attributes |= DNS_RDATASETATTR_CACHE; | ||
| 213 | + rdataset->trust = dns_trust_answer; | ||
| 214 | + if (!chaining) { | ||
| 215 | /* | ||
| 216 | - * We've found an answer to our | ||
| 217 | - * question. | ||
| 218 | + * This data is "the" answer to | ||
| 219 | + * our question only if we're | ||
| 220 | + * not chaining. | ||
| 221 | */ | ||
| 222 | - name->attributes |= | ||
| 223 | - DNS_NAMEATTR_CACHE; | ||
| 224 | - rdataset->attributes |= | ||
| 225 | - DNS_RDATASETATTR_CACHE; | ||
| 226 | - rdataset->trust = dns_trust_answer; | ||
| 227 | - if (!chaining) { | ||
| 228 | - /* | ||
| 229 | - * This data is "the" answer | ||
| 230 | - * to our question only if | ||
| 231 | - * we're not chaining. | ||
| 232 | - */ | ||
| 233 | - INSIST(!external); | ||
| 234 | - if (aflag == | ||
| 235 | - DNS_RDATASETATTR_ANSWER) | ||
| 236 | - have_answer = ISC_TRUE; | ||
| 237 | + INSIST(!external); | ||
| 238 | + if (aflag == DNS_RDATASETATTR_ANSWER) { | ||
| 239 | + have_answer = ISC_TRUE; | ||
| 240 | name->attributes |= | ||
| 241 | DNS_NAMEATTR_ANSWER; | ||
| 242 | - rdataset->attributes |= aflag; | ||
| 243 | - if (aa) | ||
| 244 | - rdataset->trust = | ||
| 245 | - dns_trust_authanswer; | ||
| 246 | - } else if (external) { | ||
| 247 | - rdataset->attributes |= | ||
| 248 | - DNS_RDATASETATTR_EXTERNAL; | ||
| 249 | - } | ||
| 250 | - | ||
| 251 | - /* | ||
| 252 | - * DNAME chaining. | ||
| 253 | - */ | ||
| 254 | - if (found_dname) { | ||
| 255 | - /* | ||
| 256 | - * Copy the dname into the | ||
| 257 | - * qname fixed name. | ||
| 258 | - * | ||
| 259 | - * Although we check for | ||
| 260 | - * failure of the copy | ||
| 261 | - * operation, in practice it | ||
| 262 | - * should never fail since | ||
| 263 | - * we already know that the | ||
| 264 | - * result fits in a fixedname. | ||
| 265 | - */ | ||
| 266 | - dns_fixedname_init(&fqname); | ||
| 267 | - result = dns_name_copy( | ||
| 268 | - dns_fixedname_name(&dname), | ||
| 269 | - dns_fixedname_name(&fqname), | ||
| 270 | - NULL); | ||
| 271 | - if (result != ISC_R_SUCCESS) | ||
| 272 | - return (result); | ||
| 273 | - wanted_chaining = ISC_TRUE; | ||
| 274 | - name->attributes |= | ||
| 275 | - DNS_NAMEATTR_CHAINING; | ||
| 276 | - rdataset->attributes |= | ||
| 277 | - DNS_RDATASETATTR_CHAINING; | ||
| 278 | - qname = dns_fixedname_name( | ||
| 279 | - &fqname); | ||
| 280 | } | ||
| 281 | + rdataset->attributes |= aflag; | ||
| 282 | + if (aa) | ||
| 283 | + rdataset->trust = | ||
| 284 | + dns_trust_authanswer; | ||
| 285 | + } else if (external) { | ||
| 286 | + rdataset->attributes |= | ||
| 287 | + DNS_RDATASETATTR_EXTERNAL; | ||
| 288 | } | ||
| 289 | } | ||
| 290 | + | ||
| 291 | + /* | ||
| 292 | + * DNAME chaining. | ||
| 293 | + */ | ||
| 294 | + if (dnameset != NULL) { | ||
| 295 | + /* | ||
| 296 | + * Copy the dname into the qname fixed name. | ||
| 297 | + * | ||
| 298 | + * Although we check for failure of the copy | ||
| 299 | + * operation, in practice it should never fail | ||
| 300 | + * since we already know that the result fits | ||
| 301 | + * in a fixedname. | ||
| 302 | + */ | ||
| 303 | + dns_fixedname_init(&fqname); | ||
| 304 | + qname = dns_fixedname_name(&fqname); | ||
| 305 | + result = dns_name_copy(dname, qname, NULL); | ||
| 306 | + if (result != ISC_R_SUCCESS) | ||
| 307 | + return (result); | ||
| 308 | + wanted_chaining = ISC_TRUE; | ||
| 309 | + name->attributes |= DNS_NAMEATTR_CHAINING; | ||
| 310 | + dnameset->attributes |= | ||
| 311 | + DNS_RDATASETATTR_CHAINING; | ||
| 312 | + } | ||
| 313 | if (wanted_chaining) | ||
| 314 | chaining = ISC_TRUE; | ||
| 315 | } | ||
| 316 | -- | ||
| 317 | 1.9.1 | ||
| 318 | |||
diff --git a/meta/recipes-connectivity/bind/bind/fix-typo-in-CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/fix-typo-in-CVE-2016-1285.patch new file mode 100644 index 0000000000..5858c805df --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/fix-typo-in-CVE-2016-1285.patch | |||
| @@ -0,0 +1,31 @@ | |||
| 1 | From a078c9eeae8c2db7edf2b15ff1d25a3a297c7512 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Evan Hunt <each@isc.org> | ||
| 3 | Date: Wed, 17 Feb 2016 19:13:22 -0800 | ||
| 4 | Subject: [PATCH] [v9_9] fix backport error | ||
| 5 | |||
| 6 | This fixes typo in the: | ||
| 7 | CVE-2016-1285.patch [upstream commit 31e4657cf246e41d4c5c890315cb6cf89a0db25a] | ||
| 8 | |||
| 9 | Upstream-Status: Backport | ||
| 10 | |||
| 11 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 12 | --- | ||
| 13 | lib/isccc/cc.c | 2 +- | ||
| 14 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 15 | |||
| 16 | diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c | ||
| 17 | index ffcd584..9c7d18c 100644 | ||
| 18 | --- a/lib/isccc/cc.c | ||
| 19 | +++ b/lib/isccc/cc.c | ||
| 20 | @@ -287,7 +287,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, | ||
| 21 | if (!isccc_alist_alistp(_auth)) | ||
| 22 | return (ISC_R_FAILURE); | ||
| 23 | hmd5 = isccc_alist_lookup(_auth, "hmd5"); | ||
| 24 | - if (!isccc_sexpr_binaryp(hmac)) | ||
| 25 | + if (!isccc_sexpr_binaryp(hmd5)) | ||
| 26 | return (ISC_R_FAILURE); | ||
| 27 | /* | ||
| 28 | * Compute digest. | ||
| 29 | -- | ||
| 30 | 1.9.1 | ||
| 31 | |||
diff --git a/meta/recipes-connectivity/bind/bind_9.9.5.bb b/meta/recipes-connectivity/bind/bind_9.9.5.bb index 68f5367a4b..80e2ca6cf5 100644 --- a/meta/recipes-connectivity/bind/bind_9.9.5.bb +++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb | |||
| @@ -21,6 +21,10 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ | |||
| 21 | file://CVE-2015-8000.patch \ | 21 | file://CVE-2015-8000.patch \ |
| 22 | file://CVE-2015-8704.patch \ | 22 | file://CVE-2015-8704.patch \ |
| 23 | file://CVE-2015-8461.patch \ | 23 | file://CVE-2015-8461.patch \ |
| 24 | file://CVE-2016-1285.patch \ | ||
| 25 | file://fix-typo-in-CVE-2016-1285.patch \ | ||
| 26 | file://CVE-2016-1286_1.patch \ | ||
| 27 | file://CVE-2016-1286_2.patch \ | ||
| 24 | " | 28 | " |
| 25 | 29 | ||
| 26 | SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e" | 30 | SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e" |