bind: patch for CVE-2018-5740

(From OE-Core rev: bf81b4e5327134e131e3198adad68c74afb5e259) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2018-09-10 17:18:46 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-09-11 09:05:35 +0100
commit: ea8dfcf2d1739f1f539b6201ec42cfa91877ec04 (patch)
tree: 585ecb4dfdaec9e8b6499ea330019abd6b87cc5c /meta/recipes-connectivity
parent: c0f6e29c2146c66dffee65d7d650fc906a57a26c (diff)
download: poky-ea8dfcf2d1739f1f539b6201ec42cfa91877ec04.tar.gz
2 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
new file mode 100644
index 0000000000..7a2ba7eab6
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
@@ -0,0 +1,72 @@
+Upstream-Status: Backport [https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740]
+CVE: CVE-2018-5740
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+diff --git a/CHANGES b/CHANGES
+index 750b600..3d8d655 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -1,3 +1,9 @@
+       --- 9.11.4-P1 released ---
+
+4997.  [security]      named could crash during recursive processing
+                       of DNAME records when "deny-answer-aliases" was
+                       in use. (CVE-2018-5740) [GL #387]
+
+        --- 9.11.4 released ---
+ 
+        --- 9.11.4rc2 released ---
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8f674a2..41d1385 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+        unsigned int nlabels;
+        dns_fixedname_t fixed;
+        dns_name_t prefix;
+       int order;
+ 
+        REQUIRE(rdataset != NULL);
+        REQUIRE(rdataset->type == dns_rdatatype_cname ||
+@@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+                tname = &cname.cname;
+                break;
+        case dns_rdatatype_dname:
+               if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
+                   dns_namereln_subdomain)
+               {
+                       return (ISC_TRUE);
+               }
+                result = dns_rdata_tostruct(&rdata, &dname, NULL);
+                RUNTIME_CHECK(result == ISC_R_SUCCESS);
+                dns_name_init(&prefix, NULL);
+                tname = dns_fixedname_initname(&fixed);
+-               nlabels = dns_name_countlabels(qname) -
+-                         dns_name_countlabels(rname);
+               nlabels = dns_name_countlabels(rname);
+                dns_name_split(qname, nlabels, &prefix, NULL);
+                result = dns_name_concatenate(&prefix, &dname.dname, tname,
+                                              NULL);
+-               if (result == DNS_R_NAMETOOLONG)
+               if (result == DNS_R_NAMETOOLONG) {
+                       if (chainingp != NULL) {
+                               *chainingp = ISC_TRUE;
+                       }
+                        return (ISC_TRUE);
+               }
+                RUNTIME_CHECK(result == ISC_R_SUCCESS);
+                break;
+        default:
+@@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) {
+                }
+                if ((ardataset->type == dns_rdatatype_cname ||
+                     ardataset->type == dns_rdatatype_dname) &&
+-                    !is_answertarget_allowed(fctx, qname, aname, ardataset,
+                   type != ardataset->type &&
+                   type != dns_rdatatype_any &&
+                   !is_answertarget_allowed(fctx, qname, aname, ardataset,
+                                              NULL))
+                {
+                        return (DNS_R_SERVFAIL);
diff --git a/meta/recipes-connectivity/bind/bind_9.11.4.bb b/meta/recipes-connectivity/bind/bind_9.11.4.bb
index d27068c64f..23c3aadf9c 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.4.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://0001-lib-dns-gen.c-fix-too-long-error.patch \
           file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
           file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
+           file://CVE-2018-5740.patch \
 "
 SRC_URI[md5sum] = "9b4834d78f30cdb796ce437262272a36"
author	Changqing Li <changqing.li@windriver.com>	2018-09-10 17:18:46 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-09-11 09:05:35 +0100
commit	ea8dfcf2d1739f1f539b6201ec42cfa91877ec04 (patch)
tree	585ecb4dfdaec9e8b6499ea330019abd6b87cc5c /meta/recipes-connectivity
parent	c0f6e29c2146c66dffee65d7d650fc906a57a26c (diff)
download	poky-ea8dfcf2d1739f1f539b6201ec42cfa91877ec04.tar.gz

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch new file mode 100644 index 0000000000..7a2ba7eab6 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
@@ -0,0 +1,72 @@
		1	Upstream-Status: Backport [https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740]
		2
		3	CVE: CVE-2018-5740
		4
		5	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		6
		7	diff --git a/CHANGES b/CHANGES
		8	index 750b600..3d8d655 100644
		9	--- a/CHANGES
		10	+++ b/CHANGES
		11	@@ -1,3 +1,9 @@
		12	+ --- 9.11.4-P1 released ---
		13	+
		14	+4997. [security] named could crash during recursive processing
		15	+ of DNAME records when "deny-answer-aliases" was
		16	+ in use. (CVE-2018-5740) [GL #387]
		17	+
		18	--- 9.11.4 released ---
		19
		20	--- 9.11.4rc2 released ---
		21	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
		22	index 8f674a2..41d1385 100644
		23	--- a/lib/dns/resolver.c
		24	+++ b/lib/dns/resolver.c
		25	@@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t fctx, dns_name_t qname, dns_name_t *rname,
		26	unsigned int nlabels;
		27	dns_fixedname_t fixed;
		28	dns_name_t prefix;
		29	+ int order;
		30
		31	REQUIRE(rdataset != NULL);
		32	REQUIRE(rdataset->type == dns_rdatatype_cname \|\|
		33	@@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t fctx, dns_name_t qname, dns_name_t *rname,
		34	tname = &cname.cname;
		35	break;
		36	case dns_rdatatype_dname:
		37	+ if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
		38	+ dns_namereln_subdomain)
		39	+ {
		40	+ return (ISC_TRUE);
		41	+ }
		42	result = dns_rdata_tostruct(&rdata, &dname, NULL);
		43	RUNTIME_CHECK(result == ISC_R_SUCCESS);
		44	dns_name_init(&prefix, NULL);
		45	tname = dns_fixedname_initname(&fixed);
		46	- nlabels = dns_name_countlabels(qname) -
		47	- dns_name_countlabels(rname);
		48	+ nlabels = dns_name_countlabels(rname);
		49	dns_name_split(qname, nlabels, &prefix, NULL);
		50	result = dns_name_concatenate(&prefix, &dname.dname, tname,
		51	NULL);
		52	- if (result == DNS_R_NAMETOOLONG)
		53	+ if (result == DNS_R_NAMETOOLONG) {
		54	+ if (chainingp != NULL) {
		55	+ *chainingp = ISC_TRUE;
		56	+ }
		57	return (ISC_TRUE);
		58	+ }
		59	RUNTIME_CHECK(result == ISC_R_SUCCESS);
		60	break;
		61	default:
		62	@@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) {
		63	}
		64	if ((ardataset->type == dns_rdatatype_cname \|\|
		65	ardataset->type == dns_rdatatype_dname) &&
		66	- !is_answertarget_allowed(fctx, qname, aname, ardataset,
		67	+ type != ardataset->type &&
		68	+ type != dns_rdatatype_any &&
		69	+ !is_answertarget_allowed(fctx, qname, aname, ardataset,
		70	NULL))
		71	{
		72	return (DNS_R_SERVFAIL);


diff --git a/meta/recipes-connectivity/bind/bind_9.11.4.bb b/meta/recipes-connectivity/bind/bind_9.11.4.bb index d27068c64f..23c3aadf9c 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.4.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.4.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
19	file://0001-lib-dns-gen.c-fix-too-long-error.patch \	19	file://0001-lib-dns-gen.c-fix-too-long-error.patch \
20	file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \	20	file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
21	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \	21	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
		22	file://CVE-2018-5740.patch \
22	"	23	"
23		24
24	SRC_URI[md5sum] = "9b4834d78f30cdb796ce437262272a36"	25	SRC_URI[md5sum] = "9b4834d78f30cdb796ce437262272a36"