authorArmin Kuster <akuster@mvista.com>2015-09-12 15:17:26 -0700
committerTudor Florea <tudor.florea@enea.com>2015-11-12 11:01:18 +0100
commitb6105680bfb85915e0012c456118441c4c74463d (patch)
tree179e8ae4340a8e0e7cedb2ca63590b907791a12d /meta/recipes-connectivity/bind
parentbf6c30908948b7bc9be1206fe88c09dc3f526387 (diff)
downloadpoky-b6105680bfb85915e0012c456118441c4c74463d.tar.gz
bind: CVE-2015-1349 CVE-2015-4620 CVE-2015-5722
Three security fixes backported to bind 9.9.5: CVE-2015-1349, CVE-2015-4620 and CVE-2015-5722. (From OE-Core rev: d3af844b05e566c2188fc3145e66a9826fed0ec8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-connectivity/bind')
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch60
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch36
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch490
-rw-r--r--meta/recipes-connectivity/bind/bind_9.9.5.bb3
4 files changed, 589 insertions, 0 deletions
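--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
@@ -0,0 +1,60 @@
+CVE-2015-1349 bind: issue in trust anchor management can cause named to crash
+
+commit 2e9d79f169663c9aff5f0dcdc626a2cd2dbb5892
+Author: Evan Hunt <each@isc.org>
+Date: Tue Feb 3 18:30:38 2015 -0800
+
+ [v9_9_6_patch] avoid crash due to managed-key rollover
+
+ 4053. [security] Revoking a managed trust anchor and supplying
+ an untrusted replacement could cause named
+ to crash with an assertion failure.
+ (CVE-2015-1349) [RT #38344]
+
+Upstream Status: Backport from Redhat
+
+https://bugzilla.redhat.com/attachment.cgi?id=993045
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: bind-9.9.5/CHANGES
+===================================================================
+--- bind-9.9.5.orig/CHANGES
++++ bind-9.9.5/CHANGES
+@@ -1,3 +1,10 @@
++ --- 9.9.6-P2 released ---
++
++4053. [security] Revoking a managed trust anchor and supplying
++ an untrusted replacement could cause named
++ to crash with an assertion failure.
++ (CVE-2015-1349) [RT #38344]
++
+ --- 9.9.5 released ---
+
+ --- 9.9.5rc2 released ---
+Index: bind-9.9.5/lib/dns/zone.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/zone.c
++++ bind-9.9.5/lib/dns/zone.c
+@@ -8496,6 +8496,12 @@ keyfetch_done(isc_task_t *task, isc_even
+ namebuf, tag);
+ trustkey = ISC_TRUE;
+ }
++ } else {
++ /*
++ * No previously known key, and the key is not
++ * secure, so skip it.
++ */
++ continue;
+ }
+
+ /* Delete old version */
+@@ -8544,7 +8550,7 @@ keyfetch_done(isc_task_t *task, isc_even
+ trust_key(zone, keyname, &dnskey, mctx);
+ }
+
+- if (!deletekey)
++ if (secure && !deletekey)
+ set_refreshkeytimer(zone, &keydata, now);
+ }
+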
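Review bot: The header line `Upstream Status: Backport from Redhat` does not use the OE-Core field spelling `Upstream-Status: Backport`, so tooling that keys on that exact field will most likely report this patch as untagged; it should read `Upstream-Status: Backport [https://bugzilla.redhat.com/attachment.cgi?id=993045]`, ideally also citing the ISC commit 2e9d79f1 that the header already names. The CHANGES hunk inserts a `--- 9.9.6-P2 released ---` marker into a 9.9.5 tree, which misstates the source version for anyone reading CHANGES on the target; a backport normally carries only the zone.c hunk. In zone.c the added `} else { ... continue; }` and the `secure && !deletekey` test depend on `secure`, the enclosing loop and the `if` that the new `else` pairs with, none of which are inside the hunk, and keyfetch_done itself starts and ends outside it, so that pairing cannot be confirmed from this page.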
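--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
@@ -0,0 +1,36 @@
+CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned()
+
+issue introduced by git commit
+
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=44f175a90a855326725439b2f1178f0dcca8f67d
+
+which is in this version of bind.
+
+Upstream Status: Backport from Redhat
+
+https://bugzilla.redhat.com/attachment.cgi?id=1044719
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: bind-9.9.5/lib/dns/validator.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/validator.c
++++ bind-9.9.5/lib/dns/validator.c
+@@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r
+ */
+ static isc_boolean_t
+ isselfsigned(dns_validator_t *val) {
+- dns_fixedname_t fixed;
+ dns_rdataset_t *rdataset, *sigrdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+@@ -1462,8 +1461,7 @@ isselfsigned(dns_validator_t *val) {
+ result = dns_dnssec_verify3(name, rdataset, dstkey,
+ ISC_TRUE,
+ val->view->maxbits,
+- mctx, &sigrdata,
+- dns_fixedname_name(&fixed));
++ mctx, &sigrdata, NULL);
+ dst_key_free(&dstkey);
+ if (result != ISC_R_SUCCESS)
+ continue;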
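Review bot: Passing `NULL` as the final argument of `dns_dnssec_verify3` removes the read of the never-initialised `fixed` name, but nothing in the hunk shows that the 9.9.5 copy of `dns_dnssec_verify3` accepts a NULL wildcard-name pointer; confirm in lib/dns/dnssec.c that the `wild` parameter is tested before it is written to, otherwise this trades an uninitialised-memory abort for a NULL dereference on the wildcard path. The header should also be spelled `Upstream-Status: Backport [https://bugzilla.redhat.com/attachment.cgi?id=1044719]` to match the OE-Core field name, and it would help to state why the wildcard name is not needed here, e.g. `/* Wildcard name is not needed; self-signature check only. */` above the call. isselfsigned starts in the first hunk and ends outside the second.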
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch
new file mode 100644
index 0000000000..af20d5c83f
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch
@@ -0,0 +1,490 @@
1CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of service
2
3Upstream Status: Backport from Redhat
4
5https://bugzilla.redhat.com/attachment.cgi?id=1069245
6
7Signed-off-by: Armin Kuster <akuster@mvista.com>
8
9Index: bind-9.9.5/lib/dns/hmac_link.c
10===================================================================
11--- bind-9.9.5.orig/lib/dns/hmac_link.c
12+++ bind-9.9.5/lib/dns/hmac_link.c
13@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_co
14 hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
15 if (hmacmd5ctx == NULL)
16 return (ISC_R_NOMEMORY);
17- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
18+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
19 dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
20 return (ISC_R_SUCCESS);
21 }
22@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, c
23 else if (hkey1 == NULL || hkey2 == NULL)
24 return (ISC_FALSE);
25
26- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
27+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
28 return (ISC_TRUE);
29 else
30 return (ISC_FALSE);
31@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pse
32 isc_buffer_t b;
33 isc_result_t ret;
34 unsigned int bytes;
35- unsigned char data[ISC_SHA1_BLOCK_LENGTH];
36+ unsigned char data[ISC_MD5_BLOCK_LENGTH];
37
38 UNUSED(callback);
39
40 bytes = (key->key_size + 7) / 8;
41- if (bytes > ISC_SHA1_BLOCK_LENGTH) {
42- bytes = ISC_SHA1_BLOCK_LENGTH;
43- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
44+ if (bytes > ISC_MD5_BLOCK_LENGTH) {
45+ bytes = ISC_MD5_BLOCK_LENGTH;
46+ key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
47 }
48
49- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
50+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
51 ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
52
53 if (ret != ISC_R_SUCCESS)
54@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pse
55 isc_buffer_init(&b, data, bytes);
56 isc_buffer_add(&b, bytes);
57 ret = hmacmd5_fromdns(key, &b);
58- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
59+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
60
61 return (ret);
62 }
63@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
64
65 memset(hkey->key, 0, sizeof(hkey->key));
66
67- if (r.length > ISC_SHA1_BLOCK_LENGTH) {
68+ if (r.length > ISC_MD5_BLOCK_LENGTH) {
69 isc_md5_init(&md5ctx);
70 isc_md5_update(&md5ctx, r.base, r.length);
71 isc_md5_final(&md5ctx, hkey->key);
72@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
73 key->key_size = keylen * 8;
74 key->keydata.hmacmd5 = hkey;
75
76+ isc_buffer_forward(data, r.length);
77+
78 return (ISC_R_SUCCESS);
79 }
80
81@@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buf
82 key->key_size = keylen * 8;
83 key->keydata.hmacsha1 = hkey;
84
85+ isc_buffer_forward(data, r.length);
86+
87 return (ISC_R_SUCCESS);
88 }
89
90@@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_b
91 key->key_size = keylen * 8;
92 key->keydata.hmacsha224 = hkey;
93
94+ isc_buffer_forward(data, r.length);
95+
96 return (ISC_R_SUCCESS);
97 }
98
99@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_b
100 key->key_size = keylen * 8;
101 key->keydata.hmacsha256 = hkey;
102
103+ isc_buffer_forward(data, r.length);
104+
105 return (ISC_R_SUCCESS);
106 }
107
108@@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_b
109 key->key_size = keylen * 8;
110 key->keydata.hmacsha384 = hkey;
111
112+ isc_buffer_forward(data, r.length);
113+
114 return (ISC_R_SUCCESS);
115 }
116
117@@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_b
118 key->key_size = keylen * 8;
119 key->keydata.hmacsha512 = hkey;
120
121+ isc_buffer_forward(data, r.length);
122+
123 return (ISC_R_SUCCESS);
124 }
125
126Index: bind-9.9.5/lib/dns/include/dst/dst.h
127===================================================================
128--- bind-9.9.5.orig/lib/dns/include/dst/dst.h
129+++ bind-9.9.5/lib/dns/include/dst/dst.h
130@@ -69,6 +69,7 @@ typedef struct dst_context dst_context_
131 #define DST_ALG_HMACSHA256 163 /* XXXMPA */
132 #define DST_ALG_HMACSHA384 164 /* XXXMPA */
133 #define DST_ALG_HMACSHA512 165 /* XXXMPA */
134+#define DST_ALG_INDIRECT 252
135 #define DST_ALG_PRIVATE 254
136 #define DST_ALG_EXPAND 255
137 #define DST_MAX_ALGS 255
138Index: bind-9.9.5/lib/dns/ncache.c
139===================================================================
140--- bind-9.9.5.orig/lib/dns/ncache.c
141+++ bind-9.9.5/lib/dns/ncache.c
142@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t
143 dns_name_fromregion(&tname, &remaining);
144 INSIST(remaining.length >= tname.length);
145 isc_buffer_forward(&source, tname.length);
146- remaining.length -= tname.length;
147- remaining.base += tname.length;
148+ isc_region_consume(&remaining, tname.length);
149
150 INSIST(remaining.length >= 2);
151 type = isc_buffer_getuint16(&source);
152- remaining.length -= 2;
153- remaining.base += 2;
154+ isc_region_consume(&remaining, 2);
155
156 if (type != dns_rdatatype_rrsig ||
157 !dns_name_equal(&tname, name)) {
158@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t
159 INSIST(remaining.length >= 1);
160 trust = isc_buffer_getuint8(&source);
161 INSIST(trust <= dns_trust_ultimate);
162- remaining.length -= 1;
163- remaining.base += 1;
164+ isc_region_consume(&remaining, 1);
165
166 raw = remaining.base;
167 count = raw[0] * 256 + raw[1];
168Index: bind-9.9.5/lib/dns/openssldh_link.c
169===================================================================
170--- bind-9.9.5.orig/lib/dns/openssldh_link.c
171+++ bind-9.9.5/lib/dns/openssldh_link.c
172@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
173
174 static void
175 uint16_toregion(isc_uint16_t val, isc_region_t *region) {
176- *region->base++ = (val & 0xff00) >> 8;
177- *region->base++ = (val & 0x00ff);
178+ *region->base = (val & 0xff00) >> 8;
179+ isc_region_consume(region, 1);
180+ *region->base = (val & 0x00ff);
181+ isc_region_consume(region, 1);
182 }
183
184 static isc_uint16_t
185@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region)
186 val = ((unsigned int)(cp[0])) << 8;
187 val |= ((unsigned int)(cp[1]));
188
189- region->base += 2;
190+ isc_region_consume(region, 2);
191+
192 return (val);
193 }
194
195@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, is
196 }
197 else
198 BN_bn2bin(dh->p, r.base);
199- r.base += plen;
200+ isc_region_consume(&r, plen);
201
202 uint16_toregion(glen, &r);
203 if (glen > 0)
204 BN_bn2bin(dh->g, r.base);
205- r.base += glen;
206+ isc_region_consume(&r, glen);
207
208 uint16_toregion(publen, &r);
209 BN_bn2bin(dh->pub_key, r.base);
210- r.base += publen;
211+ isc_region_consume(&r, publen);
212
213 isc_buffer_add(data, dnslen);
214
215@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_bu
216 return (DST_R_INVALIDPUBLICKEY);
217 }
218 if (plen == 1 || plen == 2) {
219- if (plen == 1)
220- special = *r.base++;
221- else
222+ if (plen == 1) {
223+ special = *r.base;
224+ isc_region_consume(&r, 1);
225+ } else {
226 special = uint16_fromregion(&r);
227+ }
228 switch (special) {
229 case 1:
230 dh->p = &bn768;
231@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_bu
232 DH_free(dh);
233 return (DST_R_INVALIDPUBLICKEY);
234 }
235- }
236- else {
237+ } else {
238 dh->p = BN_bin2bn(r.base, plen, NULL);
239- r.base += plen;
240+ isc_region_consume(&r, plen);
241 }
242
243 /*
244@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_bu
245 return (DST_R_INVALIDPUBLICKEY);
246 }
247 }
248- }
249- else {
250+ } else {
251 if (glen == 0) {
252 DH_free(dh);
253 return (DST_R_INVALIDPUBLICKEY);
254 }
255 dh->g = BN_bin2bn(r.base, glen, NULL);
256 }
257- r.base += glen;
258+ isc_region_consume(&r, glen);
259
260 if (r.length < 2) {
261 DH_free(dh);
262@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_bu
263 return (DST_R_INVALIDPUBLICKEY);
264 }
265 dh->pub_key = BN_bin2bn(r.base, publen, NULL);
266- r.base += publen;
267+ isc_region_consume(&r, publen);
268
269 key->key_size = BN_num_bits(dh->p);
270
271Index: bind-9.9.5/lib/dns/openssldsa_link.c
272===================================================================
273--- bind-9.9.5.orig/lib/dns/openssldsa_link.c
274+++ bind-9.9.5/lib/dns/openssldsa_link.c
275@@ -29,8 +29,6 @@
276 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
277 */
278
279-/* $Id$ */
280-
281 #ifdef OPENSSL
282 #ifndef USE_EVP
283 #define USE_EVP 1
284@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc
285 DSA *dsa = key->keydata.dsa;
286 isc_region_t r;
287 DSA_SIG *dsasig;
288+ unsigned int klen;
289 #if USE_EVP
290 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
291 EVP_PKEY *pkey;
292@@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc
293 ISC_R_FAILURE));
294 }
295 free(sigbuf);
296+
297 #elif 0
298 /* Only use EVP for the Digest */
299 if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
300@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc
301 "DSA_do_sign",
302 DST_R_SIGNFAILURE));
303 #endif
304- *r.base++ = (key->key_size - 512)/64;
305+
306+ klen = (key->key_size - 512)/64;
307+ if (klen > 255)
308+ return (ISC_R_FAILURE);
309+ *r.base = klen;
310+ isc_region_consume(&r, 1);
311+
312 BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
313- r.base += ISC_SHA1_DIGESTLENGTH;
314+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
315 BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
316- r.base += ISC_SHA1_DIGESTLENGTH;
317+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
318 DSA_SIG_free(dsasig);
319 isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
320
321@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, i
322 if (r.length < (unsigned int) dnslen)
323 return (ISC_R_NOSPACE);
324
325- *r.base++ = t;
326+ *r.base = t;
327+ isc_region_consume(&r, 1);
328 BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
329- r.base += ISC_SHA1_DIGESTLENGTH;
330+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
331 BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
332- r.base += p_bytes;
333+ isc_region_consume(&r, p_bytes);
334 BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
335- r.base += p_bytes;
336+ isc_region_consume(&r, p_bytes);
337 BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
338- r.base += p_bytes;
339+ isc_region_consume(&r, p_bytes);
340
341 isc_buffer_add(data, dnslen);
342
343@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_b
344 return (ISC_R_NOMEMORY);
345 dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
346
347- t = (unsigned int) *r.base++;
348+ t = (unsigned int) *r.base;
349+ isc_region_consume(&r, 1);
350 if (t > 8) {
351 DSA_free(dsa);
352 return (DST_R_INVALIDPUBLICKEY);
353 }
354 p_bytes = 64 + 8 * t;
355
356- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
357+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
358 DSA_free(dsa);
359 return (DST_R_INVALIDPUBLICKEY);
360 }
361
362 dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
363- r.base += ISC_SHA1_DIGESTLENGTH;
364+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
365
366 dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
367- r.base += p_bytes;
368+ isc_region_consume(&r, p_bytes);
369
370 dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
371- r.base += p_bytes;
372+ isc_region_consume(&r, p_bytes);
373
374 dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
375- r.base += p_bytes;
376+ isc_region_consume(&r, p_bytes);
377
378 key->key_size = p_bytes * 8;
379
380Index: bind-9.9.5/lib/dns/opensslecdsa_link.c
381===================================================================
382--- bind-9.9.5.orig/lib/dns/opensslecdsa_link.c
383+++ bind-9.9.5/lib/dns/opensslecdsa_link.c
384@@ -14,8 +14,6 @@
385 * PERFORMANCE OF THIS SOFTWARE.
386 */
387
388-/* $Id$ */
389-
390 #include <config.h>
391
392 #ifdef HAVE_OPENSSL_ECDSA
393@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, i
394 "ECDSA_do_sign",
395 DST_R_SIGNFAILURE));
396 BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
397- r.base += siglen / 2;
398+ isc_region_consume(&r, siglen / 2);
399 BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
400- r.base += siglen / 2;
401+ isc_region_consume(&r, siglen / 2);
402 ECDSA_SIG_free(ecdsasig);
403 isc_buffer_add(sig, siglen);
404 ret = ISC_R_SUCCESS;
405Index: bind-9.9.5/lib/dns/opensslrsa_link.c
406===================================================================
407--- bind-9.9.5.orig/lib/dns/opensslrsa_link.c
408+++ bind-9.9.5/lib/dns/opensslrsa_link.c
409@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
410 RSA *rsa;
411 isc_region_t r;
412 unsigned int e_bytes;
413+ unsigned int length;
414 #if USE_EVP
415 EVP_PKEY *pkey;
416 #endif
417@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
418 isc_buffer_remainingregion(data, &r);
419 if (r.length == 0)
420 return (ISC_R_SUCCESS);
421+ length = r.length;
422
423 rsa = RSA_new();
424 if (rsa == NULL)
425@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
426 RSA_free(rsa);
427 return (DST_R_INVALIDPUBLICKEY);
428 }
429- e_bytes = *r.base++;
430- r.length--;
431+ e_bytes = *r.base;
432+ isc_region_consume(&r, 1);
433
434 if (e_bytes == 0) {
435 if (r.length < 2) {
436 RSA_free(rsa);
437 return (DST_R_INVALIDPUBLICKEY);
438 }
439- e_bytes = ((*r.base++) << 8);
440- e_bytes += *r.base++;
441- r.length -= 2;
442+ e_bytes = (*r.base) << 8;
443+ isc_region_consume(&r, 1);
444+ e_bytes += *r.base;
445+ isc_region_consume(&r, 1);
446 }
447
448 if (r.length < e_bytes) {
449@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
450 return (DST_R_INVALIDPUBLICKEY);
451 }
452 rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
453- r.base += e_bytes;
454- r.length -= e_bytes;
455+ isc_region_consume(&r, e_bytes);
456
457 rsa->n = BN_bin2bn(r.base, r.length, NULL);
458
459 key->key_size = BN_num_bits(rsa->n);
460
461- isc_buffer_forward(data, r.length);
462+ isc_buffer_forward(data, length);
463
464 #if USE_EVP
465 pkey = EVP_PKEY_new();
466Index: bind-9.9.5/lib/dns/resolver.c
467===================================================================
468--- bind-9.9.5.orig/lib/dns/resolver.c
469+++ bind-9.9.5/lib/dns/resolver.c
470@@ -8937,6 +8937,12 @@ dns_resolver_algorithm_supported(dns_res
471
472 REQUIRE(VALID_RESOLVER(resolver));
473
474+ /*
475+ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
476+ */
477+ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
478+ return (ISC_FALSE);
479+
480 #if USE_ALGLOCK
481 RWLOCK(&resolver->alglock, isc_rwlocktype_read);
482 #endif
483@@ -8956,6 +8962,7 @@ dns_resolver_algorithm_supported(dns_res
484 #endif
485 if (found)
486 return (ISC_FALSE);
487+
488 return (dst_algorithm_supported(alg));
489 }
490
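Review bot: In openssldsa_sign the new `if (klen > 255) return (ISC_R_FAILURE);` runs after `dsasig` has been produced (DSA_do_sign is visible in the non-EVP branch just above the `#endif`) but before the `DSA_SIG_free(dsasig)` that the success path reaches a few lines later, so this error path leaks the signature object; it should read `if (klen > 255) { DSA_SIG_free(dsasig); return (ISC_R_FAILURE); }`. The branch is only taken for key sizes below 512 bits (the subtraction wraps, assuming `key_size` is unsigned as its use in `(key->key_size + 7) / 8` elsewhere in this patch suggests) or above 16832 bits, so the consequence is a leak rather than a crash, but it is new code on a path that handles attacker-influenced key material. The remainder of the patch (isc_region_consume replacing bare base/length arithmetic, the `isc_buffer_forward(data, r.length)` added to each hmac*_fromdns, the `length` fix in opensslrsa_fromdns, and rejecting DST_ALG_DH / DST_ALG_INDIRECT in dns_resolver_algorithm_supported) is consistent with the described fix, and the header should be `Upstream-Status: Backport [https://bugzilla.redhat.com/attachment.cgi?id=1069245]`. openssldsa_sign starts and ends outside the hunk.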
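--- a/meta/recipes-connectivity/bind/bind_9.9.5.bb
+++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb
@@ -19,6 +19,9 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
 file://init.d-add-support-for-read-only-rootfs.patch \
 file://bind9_9_5-CVE-2014-8500.patch \
 file://bind9_9_5-CVE-2015-5477.patch \
+file://CVE-2015-1349.patch \
+file://CVE-2015-4620.patch \
+file://CVE-2015-5722.patch \
 "
 
 SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"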
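Review bot: The three new SRC_URI entries drop the `bind9_9_5-` prefix that the adjacent `bind9_9_5-CVE-2014-8500.patch` and `bind9_9_5-CVE-2015-5477.patch` entries use, so the recipe now mixes two naming schemes for version-specific backports of the same kind. Either name the new files `bind9_9_5-CVE-2015-1349.patch`, `bind9_9_5-CVE-2015-4620.patch` and `bind9_9_5-CVE-2015-5722.patch`, or add a one-line comment in the recipe noting that the prefix convention was dropped, so the next CVE backport follows one scheme. The SRC_URI assignment begins above the hunk.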