bind: fix CVE-2020-8616/7

fix CVE-2020-8616 and CVE-2020-8617 (From OE-Core rev: d0df831830e4c5f8df2343a45ea75c2ab4f57058) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-05-27 17:11:11 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-05-30 12:32:47 +0100
commit: 17b4987d5e1f8898664e71a236016ea443d93659 (patch)
tree: ca7edf0baa42d4f959b295ba7112a397be956188 /meta
parent: 0e3ff0c307e8607045827788a58d530e1ed593d6 (diff)
download: poky-17b4987d5e1f8898664e71a236016ea443d93659.tar.gz
3 files changed, 237 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
new file mode 100644
index 0000000000..8f00231919
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
@@ -0,0 +1,206 @@
+Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch]
+CVE: CVE-2020-8616
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+diff --git a/lib/dns/adb.c b/lib/dns/adb.c
+index 058495f6a5..6b8a9537f0 100644
+--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
+@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
+  */
+ #define FIND_WANTEVENT(fn)      (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
+ #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
+-#define FIND_AVOIDFETCHES(fn)   (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
+-                                != 0)
+-#define FIND_STARTATZONE(fn)    (((fn)->options & DNS_ADBFIND_STARTATZONE) \
+-                                != 0)
+-#define FIND_HINTOK(fn)         (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+-#define FIND_GLUEOK(fn)         (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+-#define FIND_HAS_ADDRS(fn)      (!ISC_LIST_EMPTY((fn)->list))
+-#define FIND_RETURNLAME(fn)     (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_AVOIDFETCHES(fn)  (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
+#define FIND_STARTATZONE(fn)   (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
+#define FIND_HINTOK(fn)                (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+#define FIND_GLUEOK(fn)                (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+#define FIND_HAS_ADDRS(fn)     (!ISC_LIST_EMPTY((fn)->list))
+#define FIND_RETURNLAME(fn)    (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_NOFETCH(fn)       (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
+ 
+ /*
+  * These are currently used on simple unsigned ints, so they are
+@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+                 * Listen to negative cache hints, and don't start
+                 * another query.
+                 */
+-               if (NCACHE_RESULT(result) || AUTH_NX(result))
+               if (NCACHE_RESULT(result) || AUTH_NX(result)) {
+                        goto fetch;
+               }
+ 
+-               if (!NAME_FETCH_V6(adbname))
+               if (!NAME_FETCH_V6(adbname)) {
+                        wanted_fetches |= DNS_ADBFIND_INET6;
+               }
+        }
+ 
+  fetch:
+        if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
+            (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
+       {
+                have_address = true;
+-       else
+       } else {
+                have_address = false;
+-       if (wanted_fetches != 0 &&
+-           ! (FIND_AVOIDFETCHES(find) && have_address)) {
+       }
+       if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
+           !FIND_NOFETCH(find))
+       {
+                /*
+                 * We're missing at least one address family.  Either the
+                 * caller hasn't instructed us to avoid fetches, or we don't
+@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+                 * be acceptable so we have to launch fetches.
+                 */
+ 
+-               if (FIND_STARTATZONE(find))
+               if (FIND_STARTATZONE(find)) {
+                        start_at_zone = true;
+               }
+ 
+                /*
+                 * Start V4.
+diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
+index 63a13c4e41..edf6e54935 100644
+--- a/lib/dns/include/dns/adb.h
+++ b/lib/dns/include/dns/adb.h
+@@ -207,6 +207,10 @@ struct dns_adbfind {
+  *      lame for this query.
+  */
+ #define DNS_ADBFIND_OVERQUOTA          0x00000400
+/*%
+ *     Don't perform a fetch even if there are no address records available.
+ */
+#define DNS_ADBFIND_NOFETCH            0x00000800
+ 
+ /*%
+  * The answers to queries come back as a list of these.
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 7c44478a26..0a40859d08 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -172,6 +172,14 @@
+ #define DEFAULT_MAX_QUERIES 75
+ #endif
+ 
+/*
+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
+ * stop trying to fetch, in order to avoid wasting resources.
+ */
+#define NS_FAIL_LIMIT 4
+#define NS_RR_LIMIT   5
+
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+ #define RES_DOMAIN_BUCKETS     523
+@@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
+ static void
+ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+         unsigned int options, unsigned int flags, isc_stdtime_t now,
+-        bool *overquota, bool *need_alternate)
+-{
+        bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
+        dns_adbaddrinfo_t *ai;
+        dns_adbfind_t *find;
+        dns_resolver_t *res;
+@@ -3219,7 +3226,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+                              find->result_v6 != DNS_R_NXDOMAIN) ||
+                             (res->dispatches6 == NULL &&
+                              find->result_v4 != DNS_R_NXDOMAIN)))
+                       {
+                                *need_alternate = true;
+                       }
+                       if (no_addresses != NULL) {
+                               (*no_addresses)++;
+                       }
+                } else {
+                        if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
+                                if (overquota != NULL)
+@@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+        dns_rdata_ns_t ns;
+        bool need_alternate = false;
+        bool all_spilled = true;
+       unsigned int no_addresses = 0;
+ 
+        FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+                 * Extract the name from the NS record.
+                 */
+                result = dns_rdata_tostruct(&rdata, &ns, NULL);
+-               if (result != ISC_R_SUCCESS)
+               if (result != ISC_R_SUCCESS) {
+                        continue;
+               }
+ 
+-               findname(fctx, &ns.name, 0, stdoptions, 0, now,
+-                        &overquota, &need_alternate);
+               if (no_addresses > NS_FAIL_LIMIT &&
+                   dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
+               {
+                       stdoptions |= DNS_ADBFIND_NOFETCH;
+               }
+               findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
+                        &need_alternate, &no_addresses);
+ 
+-               if (!overquota)
+               if (!overquota) {
+                        all_spilled = false;
+               }
+ 
+                dns_rdata_reset(&rdata);
+                dns_rdata_freestruct(&ns);
+        }
+-       if (result != ISC_R_NOMORE)
+       if (result != ISC_R_NOMORE) {
+                return (result);
+       }
+ 
+        /*
+         * Do we need to use 6 to 4?
+@@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+                        if (!a->isaddress) {
+                                findname(fctx, &a->_u._n.name, a->_u._n.port,
+                                         stdoptions, FCTX_ADDRINFO_FORWARDER,
+-                                        now, NULL, NULL);
+                                        now, NULL, NULL, NULL);
+                                continue;
+                        }
+                        if (isc_sockaddr_pf(&a->_u.addr) != family)
+@@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
+                }
+        }
+ 
+-       if (dns_name_countlabels(&fctx->domain) > 2) {
+-               result = isc_counter_increment(fctx->qc);
+-               if (result != ISC_R_SUCCESS) {
+-                       isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+-                                     DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+-                                     "exceeded max queries resolving '%s'",
+-                                     fctx->info);
+-                       fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+-                       return;
+-               }
+       result = isc_counter_increment(fctx->qc);
+       if (result != ISC_R_SUCCESS) {
+               isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+                             DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+                             "exceeded max queries resolving '%s'",
+                             fctx->info);
+               fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+               return;
+        }
+ 
+        bucketnum = fctx->bucketnum;
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
new file mode 100644
index 0000000000..d8769c45cc
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
+CVE: CVE-2020-8617
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index b597a18d49..6357a3a486 100644
+--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
+@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+                        goto cleanup_context;
+                }
+                msg->verified_sig = 1;
+-       } else if (tsig.error != dns_tsigerror_badsig &&
+-                  tsig.error != dns_tsigerror_badkey) {
+       } else if (!response || (tsig.error != dns_tsigerror_badsig &&
+                                tsig.error != dns_tsigerror_badkey))
+       {
+                tsig_log(msg->tsigkey, 2, "signature was empty");
+                return (DNS_R_TSIGVERIFYFAILURE);
+        }
+@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+                }
+        }
+ 
+-       if (tsig.error != dns_rcode_noerror) {
+       if (response && tsig.error != dns_rcode_noerror) {
+                msg->tsigstatus = tsig.error;
+                if (tsig.error == dns_tsigerror_badtime)
+                        ret = DNS_R_CLOCKSKEW;
diff --git a/meta/recipes-connectivity/bind/bind_9.11.13.bb b/meta/recipes-connectivity/bind/bind_9.11.13.bb
index 4e64171cc1..8f2d702dcb 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.13.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.13.bb
@@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
           file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
           file://0001-avoid-start-failure-with-bind-user.patch \
+           file://CVE-2020-8616.patch \
+           file://CVE-2020-8617.patch \
           "
 SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-05-27 17:11:11 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-05-30 12:32:47 +0100
commit	17b4987d5e1f8898664e71a236016ea443d93659 (patch)
tree	ca7edf0baa42d4f959b295ba7112a397be956188 /meta
parent	0e3ff0c307e8607045827788a58d530e1ed593d6 (diff)
download	poky-17b4987d5e1f8898664e71a236016ea443d93659.tar.gz

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch new file mode 100644 index 0000000000..8f00231919 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
@@ -0,0 +1,206 @@
		1	Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch]
		2	CVE: CVE-2020-8616
		3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		4	---
		5	diff --git a/lib/dns/adb.c b/lib/dns/adb.c
		6	index 058495f6a5..6b8a9537f0 100644
		7	--- a/lib/dns/adb.c
		8	+++ b/lib/dns/adb.c
		9	@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t entry, const char fmt, ...)
		10	*/
		11	#define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
		12	#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
		13	-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
		14	- != 0)
		15	-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
		16	- != 0)
		17	-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
		18	-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
		19	-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
		20	-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
		21	+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
		22	+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
		23	+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
		24	+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
		25	+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
		26	+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
		27	+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
		28
		29	/*
		30	* These are currently used on simple unsigned ints, so they are
		31	@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t adb, isc_task_t task, isc_taskaction_t action,
		32	* Listen to negative cache hints, and don't start
		33	* another query.
		34	*/
		35	- if (NCACHE_RESULT(result) \|\| AUTH_NX(result))
		36	+ if (NCACHE_RESULT(result) \|\| AUTH_NX(result)) {
		37	goto fetch;
		38	+ }
		39
		40	- if (!NAME_FETCH_V6(adbname))
		41	+ if (!NAME_FETCH_V6(adbname)) {
		42	wanted_fetches \|= DNS_ADBFIND_INET6;
		43	+ }
		44	}
		45
		46	fetch:
		47	if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) \|\|
		48	(WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
		49	+ {
		50	have_address = true;
		51	- else
		52	+ } else {
		53	have_address = false;
		54	- if (wanted_fetches != 0 &&
		55	- ! (FIND_AVOIDFETCHES(find) && have_address)) {
		56	+ }
		57	+ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
		58	+ !FIND_NOFETCH(find))
		59	+ {
		60	/*
		61	* We're missing at least one address family. Either the
		62	* caller hasn't instructed us to avoid fetches, or we don't
		63	@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t adb, isc_task_t task, isc_taskaction_t action,
		64	* be acceptable so we have to launch fetches.
		65	*/
		66
		67	- if (FIND_STARTATZONE(find))
		68	+ if (FIND_STARTATZONE(find)) {
		69	start_at_zone = true;
		70	+ }
		71
		72	/*
		73	* Start V4.
		74	diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
		75	index 63a13c4e41..edf6e54935 100644
		76	--- a/lib/dns/include/dns/adb.h
		77	+++ b/lib/dns/include/dns/adb.h
		78	@@ -207,6 +207,10 @@ struct dns_adbfind {
		79	* lame for this query.
		80	*/
		81	#define DNS_ADBFIND_OVERQUOTA 0x00000400
		82	+/*%
		83	+ * Don't perform a fetch even if there are no address records available.
		84	+ */
		85	+#define DNS_ADBFIND_NOFETCH 0x00000800
		86
		87	/*%
		88	* The answers to queries come back as a list of these.
		89	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
		90	index 7c44478a26..0a40859d08 100644
		91	--- a/lib/dns/resolver.c
		92	+++ b/lib/dns/resolver.c
		93	@@ -172,6 +172,14 @@
		94	#define DEFAULT_MAX_QUERIES 75
		95	#endif
		96
		97	+/*
		98	+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
		99	+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
		100	+ * stop trying to fetch, in order to avoid wasting resources.
		101	+ */
		102	+#define NS_FAIL_LIMIT 4
		103	+#define NS_RR_LIMIT 5
		104	+
		105	/* Number of hash buckets for zone counters */
		106	#ifndef RES_DOMAIN_BUCKETS
		107	#define RES_DOMAIN_BUCKETS 523
		108	@@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
		109	static void
		110	findname(fetchctx_t fctx, dns_name_t name, in_port_t port,
		111	unsigned int options, unsigned int flags, isc_stdtime_t now,
		112	- bool overquota, bool need_alternate)
		113	-{
		114	+ bool overquota, bool need_alternate, unsigned int *no_addresses) {
		115	dns_adbaddrinfo_t *ai;
		116	dns_adbfind_t *find;
		117	dns_resolver_t *res;
		118	@@ -3219,7 +3226,12 @@ findname(fetchctx_t fctx, dns_name_t name, in_port_t port,
		119	find->result_v6 != DNS_R_NXDOMAIN) \|\|
		120	(res->dispatches6 == NULL &&
		121	find->result_v4 != DNS_R_NXDOMAIN)))
		122	+ {
		123	*need_alternate = true;
		124	+ }
		125	+ if (no_addresses != NULL) {
		126	+ (*no_addresses)++;
		127	+ }
		128	} else {
		129	if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
		130	if (overquota != NULL)
		131	@@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
		132	dns_rdata_ns_t ns;
		133	bool need_alternate = false;
		134	bool all_spilled = true;
		135	+ unsigned int no_addresses = 0;
		136
		137	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
		138
		139	@@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
		140	* Extract the name from the NS record.
		141	*/
		142	result = dns_rdata_tostruct(&rdata, &ns, NULL);
		143	- if (result != ISC_R_SUCCESS)
		144	+ if (result != ISC_R_SUCCESS) {
		145	continue;
		146	+ }
		147
		148	- findname(fctx, &ns.name, 0, stdoptions, 0, now,
		149	- &overquota, &need_alternate);
		150	+ if (no_addresses > NS_FAIL_LIMIT &&
		151	+ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
		152	+ {
		153	+ stdoptions \|= DNS_ADBFIND_NOFETCH;
		154	+ }
		155	+ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
		156	+ &need_alternate, &no_addresses);
		157
		158	- if (!overquota)
		159	+ if (!overquota) {
		160	all_spilled = false;
		161	+ }
		162
		163	dns_rdata_reset(&rdata);
		164	dns_rdata_freestruct(&ns);
		165	}
		166	- if (result != ISC_R_NOMORE)
		167	+ if (result != ISC_R_NOMORE) {
		168	return (result);
		169	+ }
		170
		171	/*
		172	* Do we need to use 6 to 4?
		173	@@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
		174	if (!a->isaddress) {
		175	findname(fctx, &a->_u._n.name, a->_u._n.port,
		176	stdoptions, FCTX_ADDRINFO_FORWARDER,
		177	- now, NULL, NULL);
		178	+ now, NULL, NULL, NULL);
		179	continue;
		180	}
		181	if (isc_sockaddr_pf(&a->_u.addr) != family)
		182	@@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
		183	}
		184	}
		185
		186	- if (dns_name_countlabels(&fctx->domain) > 2) {
		187	- result = isc_counter_increment(fctx->qc);
		188	- if (result != ISC_R_SUCCESS) {
		189	- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
		190	- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
		191	- "exceeded max queries resolving '%s'",
		192	- fctx->info);
		193	- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
		194	- return;
		195	- }
		196	+ result = isc_counter_increment(fctx->qc);
		197	+ if (result != ISC_R_SUCCESS) {
		198	+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
		199	+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
		200	+ "exceeded max queries resolving '%s'",
		201	+ fctx->info);
		202	+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
		203	+ return;
		204	}
		205
		206	bucketnum = fctx->bucketnum;


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch new file mode 100644 index 0000000000..d8769c45cc --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
@@ -0,0 +1,29 @@
		1	Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
		2	CVE: CVE-2020-8617
		3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		4	---
		5	diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
		6	index b597a18d49..6357a3a486 100644
		7	--- a/lib/dns/tsig.c
		8	+++ b/lib/dns/tsig.c
		9	@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t source, dns_message_t msg,
		10	goto cleanup_context;
		11	}
		12	msg->verified_sig = 1;
		13	- } else if (tsig.error != dns_tsigerror_badsig &&
		14	- tsig.error != dns_tsigerror_badkey) {
		15	+ } else if (!response \|\| (tsig.error != dns_tsigerror_badsig &&
		16	+ tsig.error != dns_tsigerror_badkey))
		17	+ {
		18	tsig_log(msg->tsigkey, 2, "signature was empty");
		19	return (DNS_R_TSIGVERIFYFAILURE);
		20	}
		21	@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t source, dns_message_t msg,
		22	}
		23	}
		24
		25	- if (tsig.error != dns_rcode_noerror) {
		26	+ if (response && tsig.error != dns_rcode_noerror) {
		27	msg->tsigstatus = tsig.error;
		28	if (tsig.error == dns_tsigerror_badtime)
		29	ret = DNS_R_CLOCKSKEW;


diff --git a/meta/recipes-connectivity/bind/bind_9.11.13.bb b/meta/recipes-connectivity/bind/bind_9.11.13.bb index 4e64171cc1..8f2d702dcb 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.13.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.13.bb
@@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
18	file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \	18	file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
19	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \	19	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
20	file://0001-avoid-start-failure-with-bind-user.patch \	20	file://0001-avoid-start-failure-with-bind-user.patch \
		21	file://CVE-2020-8616.patch \
		22	file://CVE-2020-8617.patch \
21	"	23	"
22		24
23	SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057"	25	SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057"