bind: Security fix CVE-2016-2775

affect bind < 9.10.4-p2 (From OE-Core rev: 54bf7379036eec6d6c4399aa374f898ba3464996) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster808@gmail.com> 2016-10-02 17:49:24 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-12-06 22:46:44 +0000
commit: d11c5d8944f1d18b8280ae76b1d2416f520132c6 (patch)
tree: 8b79485c221d63dbe2530b6ea09a44966c55e75f /meta
parent: 1f8eb08791b3a661d56e0498c2386c5ad2859bc4 (diff)
download: poky-d11c5d8944f1d18b8280ae76b1d2416f520132c6.tar.gz
2 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
new file mode 100644
index 0000000000..5d4d9126bf
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,84 @@
+From 390c5183af79861fcf07a44014912788744e85de Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 7 Jul 2016 12:52:47 +1000
+Subject: [PATCH] 4406.   [bug]           getrrsetbyname with a non absolute
+ name could                         trigger a infinite recursion bug in lwresd
+                         and named with lwres configured if when combined     
+                    with a search list entry the resulting name is            
+             too long. [RT #42694]
+(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232)
+Upstream-Status: Backport
+CVE: CVE-2016-2775
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ CHANGES                          |  6 ++++++
+ bin/named/lwdgrbn.c              | 16 ++++++++++------
+ bin/tests/system/lwresd/lwtest.c |  8 ++++++++
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+Index: bind-9.10.2-P4/bin/named/lwdgrbn.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/named/lwdgrbn.c
+++ bind-9.10.2-P4/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+        INSIST(client->lookup == NULL);
+ 
+        dns_fixedname_init(&absname);
+-       result = ns_lwsearchctx_current(&client->searchctx,
+-                                       dns_fixedname_name(&absname));
+
+        /*
+-        * This will return failure if relative name + suffix is too long.
+-        * In this case, just go on to the next entry in the search path.
+        * Perform search across all search domains until success
+        * is returned. Return in case of failure.
+         */
+-       if (result != ISC_R_SUCCESS)
+-               start_lookup(client);
+       while (ns_lwsearchctx_current(&client->searchctx,
+                       dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
+               if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
+                       ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+                       return;
+               }
+       }
+ 
+        result = dns_lookup_create(cm->mctx,
+                                   dns_fixedname_name(&absname),
+Index: bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/tests/system/lwresd/lwtest.c
+++ bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
+@@ -768,6 +768,14 @@ main(void) {
+        test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+        test_getrrsetbyname("", 1, 1, 0, 0, 0);
+ 
+       test_getrrsetbyname("123456789.123456789.123456789.123456789."
+                           "123456789.123456789.123456789.123456789."
+                           "123456789.123456789.123456789.123456789."
+                           "123456789.123456789.123456789.123456789."
+                           "123456789.123456789.123456789.123456789."
+                           "123456789.123456789.123456789.123456789."
+                           "123456789", 1, 1, 0, 0, 0);
+
+        if (fails == 0)
+                printf("I:ok\n");
+        return (fails);
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
+++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,9 @@
+4406.  [bug]           getrrsetbyname with a non absolute name could
+                       trigger a infinite recursion bug in lwresd
+                       and named with lwres configured if when combined
+                       with a search list entry the resulting name is
+                       too long. [RT #42694]
+
+ 4322.  [security]      Duplicate EDNS COOKIE options in a response could
+                        trigger an assertion failure. (CVE-2016-2088)
+                        [RT #41809]
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index 0dfa314f7a..80c7b44127 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -29,6 +29,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://CVE-2016-1286_1.patch \
           file://CVE-2016-1286_2.patch \
           file://CVE-2016-2088.patch \
+           file://CVE-2016-2775.patch \
           "
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"
author	Armin Kuster <akuster808@gmail.com>	2016-10-02 17:49:24 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-12-06 22:46:44 +0000
commit	d11c5d8944f1d18b8280ae76b1d2416f520132c6 (patch)
tree	8b79485c221d63dbe2530b6ea09a44966c55e75f /meta
parent	1f8eb08791b3a661d56e0498c2386c5ad2859bc4 (diff)
download	poky-d11c5d8944f1d18b8280ae76b1d2416f520132c6.tar.gz

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch new file mode 100644 index 0000000000..5d4d9126bf --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,84 @@
		1	From 390c5183af79861fcf07a44014912788744e85de Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Thu, 7 Jul 2016 12:52:47 +1000
		4	Subject: [PATCH] 4406. [bug] getrrsetbyname with a non absolute
		5	name could trigger a infinite recursion bug in lwresd
		6	and named with lwres configured if when combined
		7	with a search list entry the resulting name is
		8	too long. [RT #42694]
		9
		10	(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232)
		11
		12	Upstream-Status: Backport
		13	CVE: CVE-2016-2775
		14
		15	Signed-off-by: Armin Kuster <akuster@mvista.com>
		16
		17	---
		18	CHANGES \| 6 ++++++
		19	bin/named/lwdgrbn.c \| 16 ++++++++++------
		20	bin/tests/system/lwresd/lwtest.c \| 8 ++++++++
		21	3 files changed, 24 insertions(+), 6 deletions(-)
		22
		23	Index: bind-9.10.2-P4/bin/named/lwdgrbn.c
		24	===================================================================
		25	--- bind-9.10.2-P4.orig/bin/named/lwdgrbn.c
		26	+++ bind-9.10.2-P4/bin/named/lwdgrbn.c
		27	@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
		28	INSIST(client->lookup == NULL);
		29
		30	dns_fixedname_init(&absname);
		31	- result = ns_lwsearchctx_current(&client->searchctx,
		32	- dns_fixedname_name(&absname));
		33	+
		34	/*
		35	- * This will return failure if relative name + suffix is too long.
		36	- * In this case, just go on to the next entry in the search path.
		37	+ * Perform search across all search domains until success
		38	+ * is returned. Return in case of failure.
		39	*/
		40	- if (result != ISC_R_SUCCESS)
		41	- start_lookup(client);
		42	+ while (ns_lwsearchctx_current(&client->searchctx,
		43	+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
		44	+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
		45	+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
		46	+ return;
		47	+ }
		48	+ }
		49
		50	result = dns_lookup_create(cm->mctx,
		51	dns_fixedname_name(&absname),
		52	Index: bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
		53	===================================================================
		54	--- bind-9.10.2-P4.orig/bin/tests/system/lwresd/lwtest.c
		55	+++ bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
		56	@@ -768,6 +768,14 @@ main(void) {
		57	test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
		58	test_getrrsetbyname("", 1, 1, 0, 0, 0);
		59
		60	+ test_getrrsetbyname("123456789.123456789.123456789.123456789."
		61	+ "123456789.123456789.123456789.123456789."
		62	+ "123456789.123456789.123456789.123456789."
		63	+ "123456789.123456789.123456789.123456789."
		64	+ "123456789.123456789.123456789.123456789."
		65	+ "123456789.123456789.123456789.123456789."
		66	+ "123456789", 1, 1, 0, 0, 0);
		67	+
		68	if (fails == 0)
		69	printf("I:ok\n");
		70	return (fails);
		71	Index: bind-9.10.2-P4/CHANGES
		72	===================================================================
		73	--- bind-9.10.2-P4.orig/CHANGES
		74	+++ bind-9.10.2-P4/CHANGES
		75	@@ -1,3 +1,9 @@
		76	+4406. [bug] getrrsetbyname with a non absolute name could
		77	+ trigger a infinite recursion bug in lwresd
		78	+ and named with lwres configured if when combined
		79	+ with a search list entry the resulting name is
		80	+ too long. [RT #42694]
		81	+
		82	4322. [security] Duplicate EDNS COOKIE options in a response could
		83	trigger an assertion failure. (CVE-2016-2088)
		84	[RT #41809]


diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb index 0dfa314f7a..80c7b44127 100644 --- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb +++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -29,6 +29,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
29	file://CVE-2016-1286_1.patch \	29	file://CVE-2016-1286_1.patch \
30	file://CVE-2016-1286_2.patch \	30	file://CVE-2016-1286_2.patch \
31	file://CVE-2016-2088.patch \	31	file://CVE-2016-2088.patch \
		32	file://CVE-2016-2775.patch \
32	"	33	"
33		34
34	SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"	35	SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"