author | Roy.Li <rongqing.li@windriver.com> | 2013-06-13 13:51:51 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2013-06-17 16:45:36 +0100 |
commit | f74a631c0ffb8448ac34614431bee4d4517d112d (patch) | |
tree | a6bafad2155f819590f2063045457ef5e81d0043 /meta/recipes-connectivity/bind | |
parent | e1baa0de2858b6723975e16440f172b114f90f58 (diff) | |
download | poky-f74a631c0ffb8448ac34614431bee4d4517d112d.tar.gz |
bind: backport six CVE patches
(From OE-Core rev: de1238a589ade1220d51cb4b9277cc17479f6f17)
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/bind')
7 files changed, 528 insertions, 0 deletions
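diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch
new file mode 100644
index 0000000000..0abb475adc
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch
@@ -0,0 +1,119 @@
+bind_Fix_for_CVE-2012-5166
+
+Upstream-Status: Backport
+
+Reference:http://launchpadlibrarian.net/119212498/bind9_1%3A9.7.3.dfsOBg
+-1ubuntu2.6_1%3A9.7.3.dfsg-1ubuntu2.7.diff.gz
+
+ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before
+9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows
+remote attackers to cause a denial of service (named daemon hang)
+via unspecified combinations of resource records.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5166
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+diff -urpN a/bin/named/query.c b/bin/named/query.c
+--- a/bin/named/query.c 2012-10-22 13:24:27.000000000 +0800
++++ b/bin/named/query.c 2012-10-22 13:17:04.000000000 +0800
+@@ -1137,13 +1137,6 @@ query_isduplicate(ns_client_t *client, d
+mname = NULL;
+}
+
+- /*
+- * If the dns_name_t we're looking up is already in the message,
+- * we don't want to trigger the caller's name replacement logic.
+- */
+- if (name == mname)
+- mname = NULL;
+-
+*mnamep = mname;
+
+CTRACE("query_isduplicate: false: done");
+@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_
+if (dns_rdataset_isassociated(rdataset) &&
+!query_isduplicate(client, fname, type, &mname)) {
+if (mname != NULL) {
++ INSIST(mname != fname);
+query_releasename(client, &fname);
+fname = mname;
+} else
+@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_
+mname = NULL;
+if (!query_isduplicate(client, fname,
+dns_rdatatype_a, &mname)) {
+- if (mname != NULL) {
+- query_releasename(client, &fname);
+- fname = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ query_releasename(client, &fname);
++ fname = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ISC_LIST_APPEND(fname->list, rdataset, link);
+added_something = ISC_TRUE;
+if (sigrdataset != NULL &&
+@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_
+mname = NULL;
+if (!query_isduplicate(client, fname,
+dns_rdatatype_aaaa, &mname)) {
+- if (mname != NULL) {
+- query_releasename(client, &fname);
+- fname = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ query_releasename(client, &fname);
++ fname = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ISC_LIST_APPEND(fname->list, rdataset, link);
+added_something = ISC_TRUE;
+if (sigrdataset != NULL &&
+@@ -1960,22 +1958,24 @@ query_addadditional2(void *arg, dns_name
+crdataset->type == dns_rdatatype_aaaa) {
+if (!query_isduplicate(client, fname, crdataset->type,
+&mname)) {
+- if (mname != NULL) {
+- /*
+- * A different type of this name is
+- * already stored in the additional
+- * section. We'll reuse the name.
+- * Note that this should happen at most
+- * once. Otherwise, fname->link could
+- * leak below.
+- */
+- INSIST(mname0 == NULL);
+-
+- query_releasename(client, &fname);
+- fname = mname;
+- mname0 = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ /*
++ * A different type of this name is
++ * already stored in the additional
++ * section. We'll reuse the name.
++ * Note that this should happen at most
++ * once. Otherwise, fname->link could
++ * leak below.
++ */
++ INSIST(mname0 == NULL);
++
++ query_releasename(client, &fname);
++ fname = mname;
++ mname0 = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ISC_LIST_UNLINK(cfname.list, crdataset, link);
+ISC_LIST_APPEND(fname->list, crdataset, link);
+added_something = ISC_TRUE;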
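Review bot: The `INSIST(mname != fname);` added in the first query_addadditional hunk aborts named on the same condition that the three later call sites now tolerate with `if (mname != fname)`, and nothing states why equality cannot occur on that path. Because the patch also deletes the query_isduplicate comment that described the old contract, I would add a comment at `*mnamep = mname;` such as `/* *mnamep may equal name; callers must not release or re-add it in that case */` and a one-line justification above the INSIST. The enclosing functions start and end outside these hunks, so whether the asserted path can be reached with a name that is already in the message cannot be confirmed from here. Separately, the `Reference:` URL in the patch header is split across two lines and contains `dfsOBg`, which looks like a paste artefact, so it probably does not resolve as written.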
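diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2011-4313.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2011-4313.patch
new file mode 100644
index 0000000000..19d8df1c2d
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2011-4313.patch
@@ -0,0 +1,89 @@
+The patch to fix CVE-2011-4313
+
+Upstream-Status: Backport
+
+Reference: https://www.redhat.com/security/data/cve/CVE-2011-4313.html
+
+query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV
+through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0 through 9.8.1, and 9.9.0a1
+through 9.9.0b1 allows remote attackers to cause a denial of service
+(assertion failure and named exit) via unknown vectors related to recursive DNS
+queries, error logging, and the caching of an invalid record by the resolver.
+
+Signed-off-by Ming Liu <ming.liu@windriver.com>
+---
+bin/named/query.c | 19 ++++++++-----------
+lib/dns/rbtdb.c | 4 ++--
+2 files changed, 10 insertions(+), 13 deletions(-)
+
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -1393,11 +1393,9 @@ query_addadditional(void *arg, dns_name_
+goto addname;
+if (result == DNS_R_NCACHENXRRSET) {
+dns_rdataset_disassociate(rdataset);
+- /*
+- * Negative cache entries don't have sigrdatasets.
+- */
+- INSIST(sigrdataset == NULL ||
+- ! dns_rdataset_isassociated(sigrdataset));
++ if (sigrdataset != NULL &&
++ dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
+}
+if (result == ISC_R_SUCCESS) {
+mname = NULL;
+@@ -1438,8 +1436,9 @@ query_addadditional(void *arg, dns_name_
+goto addname;
+if (result == DNS_R_NCACHENXRRSET) {
+dns_rdataset_disassociate(rdataset);
+- INSIST(sigrdataset == NULL ||
+- ! dns_rdataset_isassociated(sigrdataset));
++ if (sigrdataset != NULL &&
++ dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
+}
+if (result == ISC_R_SUCCESS) {
+mname = NULL;
+@@ -1889,10 +1888,8 @@ query_addadditional2(void *arg, dns_name
+goto setcache;
+if (result == DNS_R_NCACHENXRRSET) {
+dns_rdataset_disassociate(rdataset);
+- /*
+- * Negative cache entries don't have sigrdatasets.
+- */
+- INSIST(! dns_rdataset_isassociated(sigrdataset));
++ if (dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
+}
+if (result == ISC_R_SUCCESS) {
+/* Remember the result as a cache */
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -5053,7 +5053,7 @@ cache_find(dns_db_t *db, dns_name_t *nam
+rdataset);
+if (need_headerupdate(found, search.now))
+update = found;
+- if (foundsig != NULL) {
++ if (!NEGATIVE(found) && foundsig != NULL) {
+bind_rdataset(search.rbtdb, node, foundsig, search.now,
+sigrdataset);
+if (need_headerupdate(foundsig, search.now))
+@@ -5596,7 +5596,7 @@ zone_findrdataset(dns_db_t *db, dns_dbno
+}
+if (found != NULL) {
+bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+- if (foundsig != NULL)
++ if (!NEGATIVE(found) && foundsig != NULL)
+bind_rdataset(rbtdb, rbtnode, foundsig, now,
+sigrdataset);
+}
+@@ -5685,7 +5685,7 @@ cache_findrdataset(dns_db_t *db, dns_dbn
+}
+if (found != NULL) {
+bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+- if (foundsig != NULL)
++ if (!NEGATIVE(found) && foundsig != NULL)
+bind_rdataset(rbtdb, rbtnode, foundsig, now,
+sigrdataset);
+}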
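Review bot: The query_addadditional2 hunk calls `dns_rdataset_isassociated(sigrdataset)` without the `sigrdataset != NULL` test that both query_addadditional hunks keep. The removed INSIST there had the same shape, so the pointer is presumably always set on that path, but the function body lies outside the hunk; either add the NULL test for symmetry or record the assumption with `/* sigrdataset is never NULL here */`. With the old "Negative cache entries don't have sigrdatasets" comment deleted, the new calls are unexplained; a line such as `/* sigrdataset may be associated for a negative entry; release it rather than assert */` would keep the reason for dropping the assertion next to the code. The `Signed-off-by Ming Liu` trailer in this header, and again in bind-CVE-2013-2266.patch, lacks the colon, so trailer parsers will not recognise it.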
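diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-1667.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-1667.patch
new file mode 100644
index 0000000000..c441eab65d
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-1667.patch
@@ -0,0 +1,92 @@
+bind CVE-2012-1667
+
+Upstream-Status: Backport
+
+ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1,
+and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource
+records with a zero-length RDATA section, which allows remote DNS servers to
+cause a denial of service (daemon crash or data corruption) or obtain
+sensitive information from process memory via a crafted record.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1667
+
+The cve patch comes from bind97-9.7.0-10.P2.el5_8.1.src.rpm package.
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+lib/dns/rdata.c | 8 ++++----
+lib/dns/rdataslab.c | 11 ++++++++---
+2 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
+index 063b1f6..9337a80 100644
+--- a/lib/dns/rdata.c
++++ b/lib/dns/rdata.c
+@@ -325,8 +325,8 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+
+REQUIRE(rdata1 != NULL);
+REQUIRE(rdata2 != NULL);
+- REQUIRE(rdata1->data != NULL);
+- REQUIRE(rdata2->data != NULL);
++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+@@ -356,8 +356,8 @@ dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+
+REQUIRE(rdata1 != NULL);
+REQUIRE(rdata2 != NULL);
+- REQUIRE(rdata1->data != NULL);
+- REQUIRE(rdata2->data != NULL);
++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+index a41f16f..ed13b30 100644
+--- a/lib/dns/rdataslab.c
++++ b/lib/dns/rdataslab.c
+@@ -125,6 +125,11 @@ isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+isc_region_t *region, unsigned int reservelen)
+{
++ /*
++ * Use &removed as a sentinal pointer for duplicate
++ * rdata as rdata.data == NULL is valid.
++ */
++ static unsigned char removed;
+struct xrdata *x;
+unsigned char *rawbuf;
+#if DNS_RDATASET_FIXED
+@@ -168,6 +173,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+INSIST(result == ISC_R_SUCCESS);
+dns_rdata_init(&x[i].rdata);
+dns_rdataset_current(rdataset, &x[i].rdata);
++ INSIST(x[i].rdata.data != &removed);
+#if DNS_RDATASET_FIXED
+x[i].order = i;
+#endif
+@@ -200,8 +206,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+*/
+for (i = 1; i < nalloc; i++) {
+if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
+- x[i-1].rdata.data = NULL;
+- x[i-1].rdata.length = 0;
++ x[i-1].rdata.data = &removed;
+#if DNS_RDATASET_FIXED
+/*
+* Preserve the least order so A, B, A -> A, B
+@@ -291,7 +296,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+#endif
+
+for (i = 0; i < nalloc; i++) {
+- if (x[i].rdata.data == NULL)
++ if (x[i].rdata.data == &removed)
+continue;
+#if DNS_RDATASET_FIXED
+offsettable[x[i].order] = rawbuf - offsetbase;
+--
+1.7.0.5
+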
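Review bot: With the duplicate marker changed to `x[i-1].rdata.data = &removed;`, the entry's `length` is no longer zeroed, so any code between the de-duplication loop and the copy loop that reads `x[i].rdata.length` without first testing for `&removed` would now count a removed record; that stretch of dns_rdataslab_fromrdataset is outside the hunks and should be checked. The comment introducing the marker misspells the word and would read better as `Use &removed as a sentinel pointer for duplicate rdata, as rdata.data == NULL is valid.` In rdata.c the relaxed `REQUIRE(rdata1->length == 0 || rdata1->data != NULL)` admits a NULL data pointer; the comparison code after the precondition block is not shown, so confirm it never hands that pointer to a routine that requires non-NULL even for a zero length.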
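diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-3817.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-3817.patch
new file mode 100644
index 0000000000..1e159bd2f8
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-3817.patch
@@ -0,0 +1,40 @@
+bind: fix for CVE-2012-3817
+
+Upstream-Status: Backport
+
+ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2;
+9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation
+is enabled, does not properly initialize the failing-query cache, which allows
+remote attackers to cause a denial of service (assertion failure and daemon exit)
+by sending many queries.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3817
+
+This patch is back-ported from bind-9.3.6-20.P1.el5_8.2.src.rpm package.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+resolver.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -8318,6 +8318,7 @@ dns_resolver_addbadcache(dns_resolver_t
+goto cleanup;
+bad->type = type;
+bad->hashval = hashval;
++ bad->expire = *expire;
+isc_buffer_init(&buffer, bad + 1, name->length);
+dns_name_init(&bad->name, NULL);
+dns_name_copy(name, &bad->name, &buffer);
+@@ -8329,8 +8330,8 @@ dns_resolver_addbadcache(dns_resolver_t
+if (resolver->badcount < resolver->badhash * 2 &&
+resolver->badhash > DNS_BADCACHE_SIZE)
+resizehash(resolver, &now, ISC_FALSE);
+- }
+- bad->expire = *expire;
++ } else
++ bad->expire = *expire;
+cleanup:
+UNLOCK(&resolver->lock);
+}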
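Review bot: The fix relies on `bad->expire = *expire;` being assigned before the new entry becomes reachable and before `resizehash()` can run, yet nothing in the code says that the position matters; the stretch of dns_resolver_addbadcache between the two hunks is not shown, so this reading is inferred from the CVE text about the failing-query cache not being initialised. A comment on the added line, for example `/* set before insertion: the entry must be fully initialised once it is in the hash table */`, would stop a later cleanup from moving the assignment back. The new `} else` arm is left unbraced beside a braced `if` body; writing it as `} else {`, `bad->expire = *expire;`, `}` avoids a dangling-statement mistake on the next edit. The diffstat in the patch header names `resolver.c` while the hunk paths are `lib/dns/resolver.c`.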
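diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2013-2266.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2013-2266.patch
new file mode 100644
index 0000000000..7ec6deb714
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2013-2266.patch
@@ -0,0 +1,41 @@
+bind: fix for CVE-2013-2266
+
+Upstream-Status: Backport
+
+libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2,
+9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows
+remote attackers to cause a denial of service (memory consumption) via a
+crafted regular expression, as demonstrated by a memory-exhaustion attack
+against a machine running a named process.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2266
+
+Signed-off-by Ming Liu <ming.liu@windriver.com>
+---
+config.h.in | 3 ---
+configure.in | 2 +-
+2 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/config.h.in
++++ b/config.h.in
+@@ -277,9 +277,6 @@ int sigwait(const unsigned int *set, int
+/* Define if your OpenSSL version supports GOST. */
+#undef HAVE_OPENSSL_GOST
+
+-/* Define to 1 if you have the <regex.h> header file. */
+-#undef HAVE_REGEX_H
+-
+/* Define to 1 if you have the `setegid' function. */
+#undef HAVE_SETEGID
+
+--- a/configure.in
++++ b/configure.in
+@@ -279,7 +279,7 @@ esac
+
+AC_HEADER_STDC
+
+-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
++AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+[$ac_includes_default
+#ifdef HAVE_SYS_PARAM_H
+# include <sys/param.h>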
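Review bot: Dropping `regex.h` from `AC_CHECK_HEADERS` in configure.in and `HAVE_REGEX_H` from config.h.in only takes effect if `configure` is regenerated during the build; a pre-generated `configure` shipped in the source tarball would still probe for the header and define the macro. The recipe's class inheritance is not visible on this page, so it is worth confirming that autoreconf runs for this recipe and saying so in the patch header, for example `Requires configure to be regenerated from configure.in.` A post-build check that `HAVE_REGEX_H` is absent from the generated config.h, and that no compiler flag defines it, would show the mitigation is actually in the binary.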
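diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch
new file mode 100644
index 0000000000..5dd6f69e45
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch
@@ -0,0 +1,141 @@
+bind_Fix_for_CVE-2012-4244
+
+Upstream-Status: Backport
+
+Reference:https://bugzilla.novell.com/attachment.cgi?id=505661&action=edit
+
+ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3,
+and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to
+cause a denial of service (assertion failure and named daemon exit) via
+a query for a long resource record.
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+
+diff -urpN a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
+--- a/lib/dns/include/dns/rdata.h 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/include/dns/rdata.h 2012-10-08 11:26:43.000000000 +0800
+@@ -147,6 +147,17 @@ struct dns_rdata {
+(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
+
+/*
++ * The maximum length of a RDATA that can be sent on the wire.
++ * Max packet size (65535) less header (12), less name (1), type (2),
++ * class (2), ttl(4), length (2).
++ *
++ * None of the defined types that support name compression can exceed
++ * this and all new types are to be sent uncompressed.
++ */
++
++#define DNS_RDATA_MAXLENGTH 65512U
++
++/*
+* Flags affecting rdata formatting style. Flags 0xFFFF0000
+* are used by masterfile-level formatting and defined elsewhere.
+* See additional comments at dns_rdata_tofmttext().
+diff -urpN a/lib/dns/master.c b/lib/dns/master.c
+--- a/lib/dns/master.c 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/master.c 2012-10-08 11:27:06.000000000 +0800
+@@ -75,7 +75,7 @@
+/*%
+* max message size - header - root - type - class - ttl - rdlen
+*/
+-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
++#define MINTSIZ DNS_RDATA_MAXLENGTH
+/*%
+* Size for tokens in the presentation format,
+* The largest tokens are the base64 blocks in KEY and CERT records,
+diff -urpN a/lib/dns/rdata.c b/lib/dns/rdata.c
+--- a/lib/dns/rdata.c 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/rdata.c 2012-10-08 11:27:27.000000000 +0800
+@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
+isc_buffer_t st;
+isc_boolean_t use_default = ISC_FALSE;
+isc_uint32_t activelength;
++ size_t length;
+
+REQUIRE(dctx != NULL);
+if (rdata != NULL) {
+@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
+}
+
+/*
++ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
++ * as we cannot transmit it.
++ */
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = DNS_R_FORMERR;
++
++ /*
+* We should have consumed all of our buffer.
+*/
+if (result == ISC_R_SUCCESS && !buffer_empty(source))
+@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
+
+if (rdata != NULL && result == ISC_R_SUCCESS) {
+region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+dns_rdata_fromregion(rdata, rdclass, type, ®ion);
+}
+
+@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
+unsigned long line;
+void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
+isc_result_t tresult;
++ size_t length;
+
+REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
+if (rdata != NULL) {
+@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
+}
+} while (1);
+
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = ISC_R_NOSPACE;
++
+if (rdata != NULL && result == ISC_R_SUCCESS) {
+region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+dns_rdata_fromregion(rdata, rdclass, type, ®ion);
+}
+if (result != ISC_R_SUCCESS) {
+@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
+isc_buffer_t st;
+isc_region_t region;
+isc_boolean_t use_default = ISC_FALSE;
++ size_t length;
+
+REQUIRE(source != NULL);
+if (rdata != NULL) {
+@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
+if (use_default)
+(void)NULL;
+
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = ISC_R_NOSPACE;
++
+if (rdata != NULL && result == ISC_R_SUCCESS) {
+region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+dns_rdata_fromregion(rdata, rdclass, type, ®ion);
+}
+if (result != ISC_R_SUCCESS)
+diff -urpN a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+--- a/lib/dns/rdataslab.c 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/rdataslab.c 2012-10-08 11:27:54.000000000 +0800
+@@ -304,6 +304,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_
+length = x[i].rdata.length;
+if (rdataset->type == dns_rdatatype_rrsig)
+length++;
++ INSIST(length <= 0xffff);
+*rawbuf++ = (length & 0xff00) >> 8;
+*rawbuf++ = (length & 0x00ff);
+#if DNS_RDATASET_FIXED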
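Review bot: The `INSIST(length <= 0xffff);` added in dns_rdataslab_fromrdataset turns an oversized rdata into a process abort, which is the failure mode this CVE describes, so it is only safe if every path that fills a dns_rdata_t goes through the three constructors that now enforce `DNS_RDATA_MAXLENGTH`. Paths that populate rdata by other means are not visible in these hunks; I would confirm there are none, or have the slab builder return an error instead of asserting. In master.c, `MINTSIZ` changes from a signed `int` expression to `DNS_RDATA_MAXLENGTH` (`65512U`), so comparisons against it become unsigned; its uses are outside the hunk and should be checked for signed operands. The comment above `MINTSIZ` still describes the old arithmetic and could instead point at the definition in rdata.h.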
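diff --git a/meta/recipes-connectivity/bind/bind_9.8.1.bb b/meta/recipes-connectivity/bind/bind_9.8.1.bb
index b807dbf1a7..3c5d600944 100644
--- a/meta/recipes-connectivity/bind/bind_9.8.1.bb
+++ b/meta/recipes-connectivity/bind/bind_9.8.1.bb
@@ -12,6 +12,12 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
 file://conf.patch \
 file://cross-build-fix.patch \
 file://make-etc-initd-bind-stop-work.patch \
+file://bind-9.8.1-CVE-2012-5166.patch \
+file://bind-CVE-2011-4313.patch \
+file://bind-CVE-2012-1667.patch \
+file://bind-CVE-2012-3817.patch \
+file://bind-CVE-2013-2266.patch \
+file://bind-Fix-CVE-2012-4244.patch \
 "
 
 SRC_URI[md5sum] = "cf31117c5d35af34d4c0702970ad9fb7"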
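Review bot: bind-9.8.1-CVE-2012-5166.patch is listed before bind-CVE-2011-4313.patch although both change neighbouring lines of query_addadditional in bin/named/query.c, and the first removes more lines than it adds ahead of the second patch's hunks, so those hunks can only apply at an offset. It is worth confirming from the patch log that all six apply in this order without fuzz, since a hunk that lands with fuzz in this function could silently leave one of the assertion paths in place. The six entries also use three naming schemes (`bind-9.8.1-CVE-…`, `bind-CVE-…`, `bind-Fix-CVE-…`); a single `bind-CVE-YYYY-NNNN.patch` pattern would make it easier to audit which CVEs the recipe covers.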