bind: fix CVE-2020-8616/7

fix CVE-2020-8616 and CVE-2020-8617

(From OE-Core rev: 8681058cce46b342c9895819e3a4bc0770934d86)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d0df831830e4c5f8df2343a45ea75c2ab4f57058)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 29 insertions, 0 deletions

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
new file mode 100644
index 0000000000..d8769c45cc
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
+CVE: CVE-2020-8617
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index b597a18d49..6357a3a486 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+                        goto cleanup_context;
+                }
+                msg->verified_sig = 1;
+-       } else if (tsig.error != dns_tsigerror_badsig &&
+-                  tsig.error != dns_tsigerror_badkey) {
++       } else if (!response || (tsig.error != dns_tsigerror_badsig &&
++                                tsig.error != dns_tsigerror_badkey))
++       {
+                tsig_log(msg->tsigkey, 2, "signature was empty");
+                return (DNS_R_TSIGVERIFYFAILURE);
+        }
+@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+                }
+        }
+ 
+-       if (tsig.error != dns_rcode_noerror) {
++       if (response && tsig.error != dns_rcode_noerror) {
+                msg->tsigstatus = tsig.error;
+                if (tsig.error == dns_tsigerror_badtime)
+                        ret = DNS_R_CLOCKSKEW;