bind: CVE-2016-1285 CVE-2016-1286

CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure CVE-2016-1286 bind: malformed signature records for DNAME records can trigger assertion failure [YOCTO #9400] External References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286 References to the Upstream commits and Security Advisories: CVE-2016-1285: https://kb.isc.org/article/AA-01352 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=e7e15d1302b26a96fa0a5307d6f2cb0d8ad4ea63 CVE-2016-1286: https://kb.isc.org/article/AA-01353 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=456e1eadd2a3a2fb9617e60d4db90ef4ba7c6ba3 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=499952eb459c9a41d2092f1d98899c131f9103b2 (From OE-Core rev: e8bc043f871e507542955ad28de74f67afa9bc36) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-04-24 18:10:36 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-05-09 14:37:28 +0100
commit: 6b9d2edd7d64c00584d1bade8bf8cbe0036053c4 (patch)
tree: 139d3982f55be36787ac60a50afacd1d117bcbd9 /meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
parent: ed3115be57558ce5fe0b42a6ce1b93565c70d05f (diff)
download: poky-6b9d2edd7d64c00584d1bade8bf8cbe0036053c4.tar.gz
1 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
new file mode 100644
index 0000000000..f73f6421c3
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
@@ -0,0 +1,138 @@
+From e7e15d1302b26a96fa0a5307d6f2cb0d8ad4ea63 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 18 Feb 2016 12:11:27 +1100
+Subject: [PATCH] 4318. [security] Malformed control messages can
+trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]
+(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
+Hand applied Changelog changes.
+CVE: CVE-2016-1285
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/bin/named/control.c b/bin/named/control.c
+--- a/bin/named/control.c       2015-08-15 02:28:49.000000000 +0200
+++ b/bin/named/control.c       2016-04-11 09:38:20.940827528 +0200
+@@ -69,7 +69,7 @@
+ #endif
+ 
+        data = isccc_alist_lookup(message, "_data");
+-       if (data == NULL) {
+       if (!isccc_alist_alistp(data)) {
+                /*
+                 * No data section.
+                 */
+diff -ruN a/bin/named/controlconf.c b/bin/named/controlconf.c
+--- a/bin/named/controlconf.c   2015-08-15 02:28:49.000000000 +0200
+++ b/bin/named/controlconf.c   2016-04-11 09:38:20.944827355 +0200
+@@ -402,7 +402,7 @@
+         * Limit exposure to replay attacks.
+         */
+        _ctrl = isccc_alist_lookup(request, "_ctrl");
+-       if (_ctrl == NULL) {
+       if (!isccc_alist_alistp(_ctrl)) {
+                log_invalid(&conn->ccmsg, ISC_R_FAILURE);
+                goto cleanup_request;
+        }
+diff -ruN a/bin/rndc/rndc.c b/bin/rndc/rndc.c
+--- a/bin/rndc/rndc.c   2015-08-15 02:28:49.000000000 +0200
+++ b/bin/rndc/rndc.c   2016-04-11 09:38:20.944827355 +0200
+@@ -254,8 +254,8 @@
+           isccc_cc_fromwire(&source, &response, algorithm, &secret));
+ 
+        data = isccc_alist_lookup(response, "_data");
+-       if (data == NULL)
+-               fatal("no data section in response");
+       if (!isccc_alist_alistp(data))
+               fatal("bad or missing data section in response");
+        result = isccc_cc_lookupstring(data, "err", &errormsg);
+        if (result == ISC_R_SUCCESS) {
+                failed = ISC_TRUE;
+@@ -320,8 +320,8 @@
+           isccc_cc_fromwire(&source, &response, algorithm, &secret));
+ 
+        _ctrl = isccc_alist_lookup(response, "_ctrl");
+-       if (_ctrl == NULL)
+-               fatal("_ctrl section missing");
+       if (!isccc_alist_alistp(_ctrl))
+               fatal("bad or missing ctrl section in response");
+        nonce = 0;
+        if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
+                nonce = 0;
+diff -ruN a/CHANGES b/CHANGES
+--- a/CHANGES   2016-04-11 09:36:08.546578759 +0200
+++ b/CHANGES   2016-04-11 09:39:59.356552273 +0200
+@@ -1,3 +1,6 @@
+4318.  [security]      Malformed control messages can trigger assertions
+                       in named and rndc. (CVE-2016-1285) [RT #41666]
+
+ 4146.  [bug]           Address reference leak that could prevent a clean
+                        shutdown. [RT #37125]
+ 
+diff -ruN a/lib/isccc/cc.c b/lib/isccc/cc.c
+--- a/lib/isccc/cc.c    2015-08-15 02:28:49.000000000 +0200
+++ b/lib/isccc/cc.c    2016-04-11 09:38:20.944827355 +0200
+@@ -403,13 +403,13 @@
+         * Extract digest.
+         */
+        _auth = isccc_alist_lookup(alist, "_auth");
+-       if (_auth == NULL)
+       if (!isccc_alist_alistp(_auth))
+                return (ISC_R_FAILURE);
+        if (algorithm == ISCCC_ALG_HMACMD5)
+                hmac = isccc_alist_lookup(_auth, "hmd5");
+        else
+                hmac = isccc_alist_lookup(_auth, "hsha");
+-       if (hmac == NULL)
+       if (!isccc_sexpr_binaryp(hmac))
+                return (ISC_R_FAILURE);
+        /*
+         * Compute digest.
+@@ -728,7 +728,7 @@
+        REQUIRE(ackp != NULL && *ackp == NULL);
+ 
+        _ctrl = isccc_alist_lookup(message, "_ctrl");
+-       if (_ctrl == NULL ||
+       if (!isccc_alist_alistp(_ctrl) ||
+            isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+            isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
+                return (ISC_R_FAILURE);
+@@ -773,7 +773,7 @@
+        isccc_sexpr_t *_ctrl;
+ 
+        _ctrl = isccc_alist_lookup(message, "_ctrl");
+-       if (_ctrl == NULL)
+       if (!isccc_alist_alistp(_ctrl))
+                return (ISC_FALSE);
+        if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
+                return (ISC_TRUE);
+@@ -786,7 +786,7 @@
+        isccc_sexpr_t *_ctrl;
+ 
+        _ctrl = isccc_alist_lookup(message, "_ctrl");
+-       if (_ctrl == NULL)
+       if (!isccc_alist_alistp(_ctrl))
+                return (ISC_FALSE);
+        if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
+                return (ISC_TRUE);
+@@ -806,7 +806,7 @@
+ 
+        _ctrl = isccc_alist_lookup(message, "_ctrl");
+        _data = isccc_alist_lookup(message, "_data");
+-       if (_ctrl == NULL || _data == NULL ||
+       if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
+            isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+            isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
+                return (ISC_R_FAILURE);
+@@ -995,7 +995,7 @@
+        isccc_sexpr_t *_ctrl;
+ 
+        _ctrl = isccc_alist_lookup(message, "_ctrl");
+-       if (_ctrl == NULL ||
+       if (!isccc_alist_alistp(_ctrl) ||
+            isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
+            isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
+                return (ISC_R_FAILURE);
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-04-24 18:10:36 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-05-09 14:37:28 +0100
commit	6b9d2edd7d64c00584d1bade8bf8cbe0036053c4 (patch)
tree	139d3982f55be36787ac60a50afacd1d117bcbd9 /meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
parent	ed3115be57558ce5fe0b42a6ce1b93565c70d05f (diff)
download	poky-6b9d2edd7d64c00584d1bade8bf8cbe0036053c4.tar.gz

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch new file mode 100644 index 0000000000..f73f6421c3 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
@@ -0,0 +1,138 @@
	1	From e7e15d1302b26a96fa0a5307d6f2cb0d8ad4ea63 Mon Sep 17 00:00:00 2001
	2	From: Mark Andrews <marka@isc.org>
	3	Date: Thu, 18 Feb 2016 12:11:27 +1100
	4	Subject: [PATCH] 4318. [security] Malformed control messages can
	5	trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]
	6
	7	(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
	8
	9	Hand applied Changelog changes.
	10
	11	CVE: CVE-2016-1285
	12	Upstream-Status: Backport
	13
	14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	15	---
	16	diff -ruN a/bin/named/control.c b/bin/named/control.c
	17	--- a/bin/named/control.c 2015-08-15 02:28:49.000000000 +0200
	18	+++ b/bin/named/control.c 2016-04-11 09:38:20.940827528 +0200
	19	@@ -69,7 +69,7 @@
	20	#endif
	21
	22	data = isccc_alist_lookup(message, "_data");
	23	- if (data == NULL) {
	24	+ if (!isccc_alist_alistp(data)) {
	25	/*
	26	* No data section.
	27	*/
	28	diff -ruN a/bin/named/controlconf.c b/bin/named/controlconf.c
	29	--- a/bin/named/controlconf.c 2015-08-15 02:28:49.000000000 +0200
	30	+++ b/bin/named/controlconf.c 2016-04-11 09:38:20.944827355 +0200
	31	@@ -402,7 +402,7 @@
	32	* Limit exposure to replay attacks.
	33	*/
	34	_ctrl = isccc_alist_lookup(request, "_ctrl");
	35	- if (_ctrl == NULL) {
	36	+ if (!isccc_alist_alistp(_ctrl)) {
	37	log_invalid(&conn->ccmsg, ISC_R_FAILURE);
	38	goto cleanup_request;
	39	}
	40	diff -ruN a/bin/rndc/rndc.c b/bin/rndc/rndc.c
	41	--- a/bin/rndc/rndc.c 2015-08-15 02:28:49.000000000 +0200
	42	+++ b/bin/rndc/rndc.c 2016-04-11 09:38:20.944827355 +0200
	43	@@ -254,8 +254,8 @@
	44	isccc_cc_fromwire(&source, &response, algorithm, &secret));
	45
	46	data = isccc_alist_lookup(response, "_data");
	47	- if (data == NULL)
	48	- fatal("no data section in response");
	49	+ if (!isccc_alist_alistp(data))
	50	+ fatal("bad or missing data section in response");
	51	result = isccc_cc_lookupstring(data, "err", &errormsg);
	52	if (result == ISC_R_SUCCESS) {
	53	failed = ISC_TRUE;
	54	@@ -320,8 +320,8 @@
	55	isccc_cc_fromwire(&source, &response, algorithm, &secret));
	56
	57	_ctrl = isccc_alist_lookup(response, "_ctrl");
	58	- if (_ctrl == NULL)
	59	- fatal("_ctrl section missing");
	60	+ if (!isccc_alist_alistp(_ctrl))
	61	+ fatal("bad or missing ctrl section in response");
	62	nonce = 0;
	63	if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
	64	nonce = 0;
	65	diff -ruN a/CHANGES b/CHANGES
	66	--- a/CHANGES 2016-04-11 09:36:08.546578759 +0200
	67	+++ b/CHANGES 2016-04-11 09:39:59.356552273 +0200
	68	@@ -1,3 +1,6 @@
	69	+4318. [security] Malformed control messages can trigger assertions
	70	+ in named and rndc. (CVE-2016-1285) [RT #41666]
	71	+
	72	4146. [bug] Address reference leak that could prevent a clean
	73	shutdown. [RT #37125]
	74
	75	diff -ruN a/lib/isccc/cc.c b/lib/isccc/cc.c
	76	--- a/lib/isccc/cc.c 2015-08-15 02:28:49.000000000 +0200
	77	+++ b/lib/isccc/cc.c 2016-04-11 09:38:20.944827355 +0200
	78	@@ -403,13 +403,13 @@
	79	* Extract digest.
	80	*/
	81	_auth = isccc_alist_lookup(alist, "_auth");
	82	- if (_auth == NULL)
	83	+ if (!isccc_alist_alistp(_auth))
	84	return (ISC_R_FAILURE);
	85	if (algorithm == ISCCC_ALG_HMACMD5)
	86	hmac = isccc_alist_lookup(_auth, "hmd5");
	87	else
	88	hmac = isccc_alist_lookup(_auth, "hsha");
	89	- if (hmac == NULL)
	90	+ if (!isccc_sexpr_binaryp(hmac))
	91	return (ISC_R_FAILURE);
	92	/*
	93	* Compute digest.
	94	@@ -728,7 +728,7 @@
	95	REQUIRE(ackp != NULL && *ackp == NULL);
	96
	97	_ctrl = isccc_alist_lookup(message, "_ctrl");
	98	- if (_ctrl == NULL \|\|
	99	+ if (!isccc_alist_alistp(_ctrl) \|\|
	100	isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS \|\|
	101	isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
	102	return (ISC_R_FAILURE);
	103	@@ -773,7 +773,7 @@
	104	isccc_sexpr_t *_ctrl;
	105
	106	_ctrl = isccc_alist_lookup(message, "_ctrl");
	107	- if (_ctrl == NULL)
	108	+ if (!isccc_alist_alistp(_ctrl))
	109	return (ISC_FALSE);
	110	if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
	111	return (ISC_TRUE);
	112	@@ -786,7 +786,7 @@
	113	isccc_sexpr_t *_ctrl;
	114
	115	_ctrl = isccc_alist_lookup(message, "_ctrl");
	116	- if (_ctrl == NULL)
	117	+ if (!isccc_alist_alistp(_ctrl))
	118	return (ISC_FALSE);
	119	if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
	120	return (ISC_TRUE);
	121	@@ -806,7 +806,7 @@
	122
	123	_ctrl = isccc_alist_lookup(message, "_ctrl");
	124	_data = isccc_alist_lookup(message, "_data");
	125	- if (_ctrl == NULL \|\| _data == NULL \|\|
	126	+ if (!isccc_alist_alistp(_ctrl) \|\| !isccc_alist_alistp(_data) \|\|
	127	isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS \|\|
	128	isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
	129	return (ISC_R_FAILURE);
	130	@@ -995,7 +995,7 @@
	131	isccc_sexpr_t *_ctrl;
	132
	133	_ctrl = isccc_alist_lookup(message, "_ctrl");
	134	- if (_ctrl == NULL \|\|
	135	+ if (!isccc_alist_alistp(_ctrl) \|\|
	136	isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS \|\|
	137	isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
	138	return (ISC_R_FAILURE);