diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-04-13 08:32:15 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-04-14 10:58:33 +0100 |
commit | c3c55478f5d346c65bd6f1e0a188da49e5a1369e (patch) | |
tree | fa3be5ecc1e990668a2211e78c0d92fdd4d4a72f /meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch | |
parent | c4387a8b65cd1666a3eac1c85fb107d2b494ce0a (diff) | |
download | poky-c3c55478f5d346c65bd6f1e0a188da49e5a1369e.tar.gz |
bind: CVE-2016-1285 CVE-2016-1286
Fixes following vulnerabilities:
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure
[YOCTO #9400]
External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286
References to the Upstream commits and Security Advisories:
===========================================================
CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=70037e040e587329cec82123e12b9f4f7c945f67
CVE-2016-1286_1: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=a3d327bf1ceaaeabb20223d8de85166e940b9f12
CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=7602be276a73a6eb5431c5acd9718e68a55e8b61
(From OE-Core rev: 080d1a313e4982dd05846b375ebf936c46934d80)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch new file mode 100644 index 0000000000..ae5cc48d9c --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch | |||
@@ -0,0 +1,79 @@ | |||
1 | From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mukund Sivaraman <muks@isc.org> | ||
3 | Date: Mon, 22 Feb 2016 12:22:43 +0530 | ||
4 | Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling | ||
5 | (CVE-2016-1286) (#41753) | ||
6 | |||
7 | (cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673) | ||
8 | |||
9 | CVE: CVE-2016-1286 | ||
10 | Upstream-Status: Backport | ||
11 | |||
12 | [Removed doc/arm/notes.xml changes from upstream patch.] | ||
13 | |||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | --- | ||
16 | diff -ruN a/CHANGES b/CHANGES | ||
17 | --- a/CHANGES 2016-04-13 07:28:44.940873629 +0200 | ||
18 | +++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200 | ||
19 | @@ -1,3 +1,7 @@ | ||
20 | +4319. [security] Fix resolver assertion failure due to improper | ||
21 | + DNAME handling when parsing fetch reply messages. | ||
22 | + (CVE-2016-1286) [RT #41753] | ||
23 | + | ||
24 | 4318. [security] Malformed control messages can trigger assertions | ||
25 | in named and rndc. (CVE-2016-1285) [RT #41666] | ||
26 | |||
27 | diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
28 | --- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200 | ||
29 | +++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200 | ||
30 | @@ -6967,21 +6967,26 @@ | ||
31 | isc_boolean_t found_dname = ISC_FALSE; | ||
32 | dns_name_t *dname_name; | ||
33 | |||
34 | + /* | ||
35 | + * Only pass DNAME or RRSIG(DNAME). | ||
36 | + */ | ||
37 | + if (rdataset->type != dns_rdatatype_dname && | ||
38 | + (rdataset->type != dns_rdatatype_rrsig || | ||
39 | + rdataset->covers != dns_rdatatype_dname)) | ||
40 | + continue; | ||
41 | + | ||
42 | + /* | ||
43 | + * If we're not chaining, then the DNAME and | ||
44 | + * its signature should not be external. | ||
45 | + */ | ||
46 | + if (!chaining && external) { | ||
47 | + log_formerr(fctx, "external DNAME"); | ||
48 | + return (DNS_R_FORMERR); | ||
49 | + } | ||
50 | + | ||
51 | found = ISC_FALSE; | ||
52 | aflag = 0; | ||
53 | if (rdataset->type == dns_rdatatype_dname) { | ||
54 | - /* | ||
55 | - * We're looking for something else, | ||
56 | - * but we found a DNAME. | ||
57 | - * | ||
58 | - * If we're not chaining, then the | ||
59 | - * DNAME should not be external. | ||
60 | - */ | ||
61 | - if (!chaining && external) { | ||
62 | - log_formerr(fctx, | ||
63 | - "external DNAME"); | ||
64 | - return (DNS_R_FORMERR); | ||
65 | - } | ||
66 | found = ISC_TRUE; | ||
67 | want_chaining = ISC_TRUE; | ||
68 | POST(want_chaining); | ||
69 | @@ -7010,9 +7015,7 @@ | ||
70 | &fctx->domain)) { | ||
71 | return (DNS_R_SERVFAIL); | ||
72 | } | ||
73 | - } else if (rdataset->type == dns_rdatatype_rrsig | ||
74 | - && rdataset->covers == | ||
75 | - dns_rdatatype_dname) { | ||
76 | + } else { | ||
77 | /* | ||
78 | * We've found a signature that | ||
79 | * covers the DNAME. | ||