authorYi Zhao <yi.zhao@windriver.com>2017-04-13 13:48:12 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-05-18 13:07:34 +0100
commit1e26fcb8bbcec01c75e343542b560ca652c32788 (patch)
treedac628a6e60647a4335960fc8c475729ec0f1ed2
parentb37b775e775ce162c268ec95d62fee8dd5caf81c (diff)
downloadpoky-1e26fcb8bbcec01c75e343542b560ca652c32788.tar.gz
bind: Security fix CVE-2016-8864
CVE-2016-8864: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. External References: https://nvd.nist.gov/vuln/detail/CVE-2016-8864 Patch from: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8 (From OE-Core rev: c06f3a5993c7d63d91840c2a4d5b621e946ef78f) (From OE-Core rev: 6c1969bf82f36650c696c9fd7f0aa35d60dc4214) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch219
-rw-r--r--meta/recipes-connectivity/bind/bind_9.10.3-P3.bb1
2 files changed, 220 insertions, 0 deletions
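--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
@@ -0,0 +1,219 @@
+From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 21 Oct 2016 14:55:10 +1100
+Subject: [PATCH] 4489. [security] It was possible to trigger assertions when
+ processing a response. (CVE-2016-8864) [RT #43465]
+
+(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca)
+
+Upstream-Status: Backport
+[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8]
+
+CVE: CVE-2016-8864
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ CHANGES | 3 +++
+ lib/dns/resolver.c | 69 +++++++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 50 insertions(+), 22 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 5c8c61a..41cfce5 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,6 @@
++4489. [security] It was possible to trigger assertions when processing
++ a response. (CVE-2016-8864) [RT #43465]
++
+ 4467. [security] It was possible to trigger an assertion when
+ rendering a message. (CVE-2016-2776) [RT #43139]
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index ba1ae23..13c8b44 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
+ valarg->addrinfo = addrinfo;
+
+ if (!ISC_LIST_EMPTY(fctx->validators))
+- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++ valoptions |= DNS_VALIDATOR_DEFER;
++ else
++ valoptions &= ~DNS_VALIDATOR_DEFER;
+
+ result = dns_validator_create(fctx->res->view, name, type, rdataset,
+ sigrdataset, fctx->rmessage,
+@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+ rdataset,
+ sigrdataset,
+ valoptions, task);
+- /*
+- * Defer any further validations.
+- * This prevents multiple validators
+- * from manipulating fctx->rmessage
+- * simultaneously.
+- */
+- valoptions |= DNS_VALIDATOR_DEFER;
+ }
+ } else if (CHAINING(rdataset)) {
+ if (rdataset->type == dns_rdatatype_cname)
+@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+ eresult == DNS_R_NCACHENXRRSET);
+ }
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+ fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ if (event != NULL) {
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -6718,13 +6723,15 @@ static isc_result_t
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *dname, *qname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *cname = NULL;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++ isc_boolean_t have_answer, found_cname, found_dname, found_type;
++ isc_boolean_t wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname;
++ dns_fixedname_t fdname, fqname, fqdname;
+ dns_view_t *view;
+
+ FCTXTRACE("answer_response");
+@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
+
+ done = ISC_FALSE;
+ found_cname = ISC_FALSE;
++ found_dname = ISC_FALSE;
+ found_type = ISC_FALSE;
+ chaining = ISC_FALSE;
+ have_answer = ISC_FALSE;
+@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+- qname = &fctx->name;
++ dqname = qname = &fctx->name;
+ type = fctx->type;
+ view = fctx->res->view;
++ dns_fixedname_init(&fqdname);
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln;
++ dns_namereln_t namereln, dnamereln;
+ int order;
+ unsigned int nlabels;
+
+@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++ dnamereln = dns_name_fullcompare(dqname, name, &order,
++ &nlabels);
+ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) {
+ }
+ } else if (rdataset->type == dns_rdatatype_rrsig
+ && rdataset->covers ==
+- dns_rdatatype_cname
++ dns_rdatatype_cname
+ && !found_type) {
+ /*
+ * We're looking for something else,
+@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) {
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+- if (aflag ==
+- DNS_RDATASETATTR_ANSWER) {
++ if ((rdataset->type !=
++ dns_rdatatype_cname) ||
++ !found_dname ||
++ (aflag ==
++ DNS_RDATASETATTR_ANSWER))
++ {
+ have_answer = ISC_TRUE;
++ if (rdataset->type ==
++ dns_rdatatype_cname)
++ cname = name;
+ name->attributes |=
+- DNS_NAMEATTR_ANSWER;
++ DNS_NAMEATTR_ANSWER;
+ }
+ rdataset->attributes |= aflag;
+ if (aa)
+@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
+ return (DNS_R_FORMERR);
+ }
+
+- if (namereln != dns_namereln_subdomain) {
++ if (dnamereln != dns_namereln_subdomain) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+- dns_name_format(qname, qbuf,
++ dns_name_format(dqname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, qname,
++ result = dname_target(rdataset, dqname,
+ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
+
+ dname = dns_fixedname_name(&fdname);
+ if (!is_answertarget_allowed(view,
+- qname, rdataset->type,
+- dname, &fctx->domain)) {
++ dqname, rdataset->type,
++ dname, &fctx->domain))
++ {
+ return (DNS_R_SERVFAIL);
+ }
++ dqname = dns_fixedname_name(&fqdname);
++ dns_name_copy(dname, dqname, NULL);
+ } else {
+ /*
+ * We've found a signature that
+@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
+ INSIST(!external);
+ if (aflag == DNS_RDATASETATTR_ANSWER) {
+ have_answer = ISC_TRUE;
++ found_dname = ISC_TRUE;
++ if (cname != NULL)
++ cname->attributes &=
++ ~DNS_NAMEATTR_ANSWER;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ }
+--
+2.7.4
+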
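--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -27,6 +27,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
  file://CVE-2016-2088.patch \
  file://CVE-2016-2775.patch \
  file://CVE-2016-2776.patch \
+ file://CVE-2016-8864.patch \
  "
 
 SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"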