summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster808@gmail.com>2016-10-03 00:52:11 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-12-06 22:46:44 (GMT)
commita37112a3bc79e001223574cee797ae73e97496a6 (patch)
treed211f5ebb2b13c783cc4ceb523f389e9e78c2e91
parentd11c5d8944f1d18b8280ae76b1d2416f520132c6 (diff)
downloadpoky-a37112a3bc79e001223574cee797ae73e97496a6.tar.gz
bind: Security fix CVE-2016-2776
affect bind < 9.10.4-p3 (From OE-Core rev: 57b4c03b263f2ad056d7973038662d6d6614a9de) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch112
-rw-r--r--meta/recipes-connectivity/bind/bind_9.10.2-P4.bb1
2 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
new file mode 100644
index 0000000..d22945d
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0 +1,112 @@
1From 060b6137eee62bc6d2eb77aeaeb1ad2292ca8ed7 Mon Sep 17 00:00:00 2001
2From: Mark Andrews <marka@isc.org>
3Date: Fri, 9 Sep 2016 11:29:48 +1000
4Subject: [PATCH] 4467. [security] It was possible to trigger a
5 assertion when rendering a message. [RT #43139]
6
7(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12)
8---
9 CHANGES | 3 +++
10 lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
11 2 files changed, 34 insertions(+), 11 deletions(-)
12
13Index: bind-9.10.2-P4/lib/dns/message.c
14===================================================================
15--- bind-9.10.2-P4.orig/lib/dns/message.c
16+++ bind-9.10.2-P4/lib/dns/message.c
17@@ -1751,7 +1751,7 @@ dns_message_renderbegin(dns_message_t *m
18 if (r.length < DNS_MESSAGE_HEADERLEN)
19 return (ISC_R_NOSPACE);
20
21- if (r.length < msg->reserved)
22+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
23 return (ISC_R_NOSPACE);
24
25 /*
26@@ -1878,8 +1878,29 @@ norender_rdataset(const dns_rdataset_t *
27
28 return (ISC_TRUE);
29 }
30-
31 #endif
32+
33+static isc_result_t
34+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
35+ dns_compress_t *cctx, isc_buffer_t *target,
36+ unsigned int reserved, unsigned int options, unsigned int *countp)
37+{
38+ isc_result_t result;
39+
40+ /*
41+ * Shrink the space in the buffer by the reserved amount.
42+ */
43+ if (target->length - target->used < reserved)
44+ return (ISC_R_NOSPACE);
45+
46+ target->length -= reserved;
47+ result = dns_rdataset_towire(rdataset, owner_name,
48+ cctx, target, options, countp);
49+ target->length += reserved;
50+
51+ return (result);
52+}
53+
54 isc_result_t
55 dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
56 unsigned int options)
57@@ -1922,6 +1943,8 @@ dns_message_rendersection(dns_message_t
58 /*
59 * Shrink the space in the buffer by the reserved amount.
60 */
61+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
62+ return (ISC_R_NOSPACE);
63 msg->buffer->length -= msg->reserved;
64
65 total = 0;
66@@ -2198,9 +2221,8 @@ dns_message_renderend(dns_message_t *msg
67 * Render.
68 */
69 count = 0;
70- result = dns_rdataset_towire(msg->opt, dns_rootname,
71- msg->cctx, msg->buffer, 0,
72- &count);
73+ result = renderset(msg->opt, dns_rootname, msg->cctx,
74+ msg->buffer, msg->reserved, 0, &count);
75 msg->counts[DNS_SECTION_ADDITIONAL] += count;
76 if (result != ISC_R_SUCCESS)
77 return (result);
78@@ -2216,9 +2238,8 @@ dns_message_renderend(dns_message_t *msg
79 if (result != ISC_R_SUCCESS)
80 return (result);
81 count = 0;
82- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
83- msg->cctx, msg->buffer, 0,
84- &count);
85+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
86+ msg->buffer, msg->reserved, 0, &count);
87 msg->counts[DNS_SECTION_ADDITIONAL] += count;
88 if (result != ISC_R_SUCCESS)
89 return (result);
90@@ -2239,9 +2260,8 @@ dns_message_renderend(dns_message_t *msg
91 * the owner name of a SIG(0) is irrelevant, and will not
92 * be set in a message being rendered.
93 */
94- result = dns_rdataset_towire(msg->sig0, dns_rootname,
95- msg->cctx, msg->buffer, 0,
96- &count);
97+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
98+ msg->buffer, msg->reserved, 0, &count);
99 msg->counts[DNS_SECTION_ADDITIONAL] += count;
100 if (result != ISC_R_SUCCESS)
101 return (result);
102Index: bind-9.10.2-P4/CHANGES
103===================================================================
104--- bind-9.10.2-P4.orig/CHANGES
105+++ bind-9.10.2-P4/CHANGES
106@@ -1,3 +1,6 @@
107+4467. [security] It was possible to trigger a assertion when rendering
108+ a message. [RT #43139]
109+
110 4406. [bug] getrrsetbyname with a non absolute name could
111 trigger a infinite recursion bug in lwresd
112 and named with lwres configured if when combined
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index 80c7b44..bc105d3 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -30,6 +30,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
30 file://CVE-2016-1286_2.patch \ 30 file://CVE-2016-1286_2.patch \
31 file://CVE-2016-2088.patch \ 31 file://CVE-2016-2088.patch \
32 file://CVE-2016-2775.patch \ 32 file://CVE-2016-2775.patch \
33 file://CVE-2016-2776.patch \
33 " 34 "
34 35
35SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7" 36SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"