bind: Security fix CVE-2016-2088

(From OE-Core rev: 91e05c25eb221ff1dc2bde5cfaa0bea88345b1e4) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-09-17 14:22:15 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-09-23 23:22:03 +0100
commit: 9657825ef32ab0c864b1d9de92325b661da046b0 (patch)
tree: 4339c197657203c23163fb12c565e5a2b08ea3eb /meta
parent: 9f1dc20619dd4e96368d67190009d548d8b8ffab (diff)
download: poky-9657825ef32ab0c864b1d9de92325b661da046b0.tar.gz
2 files changed, 217 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
new file mode 100644
index 0000000000..f3f2cc82d2
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
@@ -0,0 +1,216 @@
+From d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Sat, 27 Feb 2016 11:23:50 +1100
+Subject: [PATCH] 4322.   [security]      Duplicate EDNS COOKIE options in a
+ response could                         trigger an assertion failure.
+ (CVE-2016-2088)                         [RT #41809]
+(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
+(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
+Upstream-Status: Backport
+CVE: CVE-2016-2088
+minor fixup to get to apply.
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ CHANGES            |  5 +++++
+ bin/dig/dighost.c  |  9 +++++++++
+ bin/named/client.c | 33 +++++++++++++++++++++++----------
+ doc/arm/notes.xml  |  7 +++++++
+ lib/dns/resolver.c | 14 +++++++++++++-
+ 5 files changed, 57 insertions(+), 11 deletions(-)
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
+++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,7 @@
+4322.  [security]      Duplicate EDNS COOKIE options in a response could
+                       trigger an assertion failure. (CVE-2016-2088)
+                       [RT #41809]
+
+ 4319.  [security]      Fix resolver assertion failure due to improper
+                        DNAME handling when parsing fetch reply messages.
+                        (CVE-2016-1286) [RT #41753]
+Index: bind-9.10.2-P4/bin/dig/dighost.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/dig/dighost.c
+++ bind-9.10.2-P4/bin/dig/dighost.c
+@@ -3349,6 +3349,7 @@ process_opt(dig_lookup_t *l, dns_message
+        isc_buffer_t optbuf;
+        isc_uint16_t optcode, optlen;
+        dns_rdataset_t *opt = msg->opt;
+       isc_boolean_t seen_cookie = ISC_FALSE;
+ 
+        result = dns_rdataset_first(opt);
+        if (result == ISC_R_SUCCESS) {
+@@ -3360,8 +3361,16 @@ process_opt(dig_lookup_t *l, dns_message
+                        optcode = isc_buffer_getuint16(&optbuf);
+                        optlen = isc_buffer_getuint16(&optbuf);
+                        switch (optcode) {
+-                       case DNS_OPT_SIT:
+                       case DNS_OPT_SIT:
+                                /*
+                                 * Only process the first cookie option.
+                                 */
+                                if (seen_cookie) {
+                                        isc_buffer_forward(&optbuf, optlen);
+                                        break;
+                                }
+                                process_sit(l, msg, &optbuf, optlen);
+                                seen_cookie = ISC_TRUE;
+                                break;
+                        default:
+                                isc_buffer_forward(&optbuf, optlen);
+Index: bind-9.10.2-P4/bin/named/client.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/named/client.c
+++ bind-9.10.2-P4/bin/named/client.c
+@@ -121,7 +121,10 @@
+  */
+ #endif
+ 
+-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
+
+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
+ 
+ /*% nameserver client manager structure */
+ struct ns_clientmgr {
+@@ -1391,7 +1394,7 @@ ns_client_addopt(ns_client_t *client, dn
+ {
+        char nsid[BUFSIZ], *nsidp;
+ #ifdef ISC_PLATFORM_USESIT
+-       unsigned char sit[SIT_SIZE];
+       unsigned char sit[COOKIE_SIZE];
+ #endif
+        isc_result_t result;
+        dns_view_t *view;
+@@ -1416,7 +1419,7 @@ ns_client_addopt(ns_client_t *client, dn
+        flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
+ 
+        /* Set EDNS options if applicable */
+-       if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
+       if (WANTNSID(client) &&
+            (ns_g_server->server_id != NULL ||
+             ns_g_server->server_usehostname)) {
+                if (ns_g_server->server_usehostname) {
+@@ -1449,7 +1452,7 @@ ns_client_addopt(ns_client_t *client, dn
+ 
+                INSIST(count < DNS_EDNSOPTIONS);
+                ednsopts[count].code = DNS_OPT_SIT;
+-               ednsopts[count].length = SIT_SIZE;
+               ednsopts[count].length = COOKIE_SIZE;
+                ednsopts[count].value = sit;
+                count++;
+        }
+@@ -1657,19 +1660,26 @@ compute_sit(ns_client_t *client, isc_uin
+ 
+ static void
+ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+-       unsigned char dbuf[SIT_SIZE];
+       unsigned char dbuf[COOKIE_SIZE];
+        unsigned char *old;
+        isc_stdtime_t now;
+        isc_uint32_t when;
+        isc_uint32_t nonce;
+        isc_buffer_t db;
+ 
+       /*
+        * If we have already seen a ECS option skip this ECS option.
+        */
+       if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
+               isc_buffer_forward(buf, optlen);
+               return;
+       }
+        client->attributes |= NS_CLIENTATTR_WANTSIT;
+ 
+        isc_stats_increment(ns_g_server->nsstats,
+                            dns_nsstatscounter_sitopt);
+ 
+-       if (optlen != SIT_SIZE) {
+       if (optlen != COOKIE_SIZE) {
+                /*
+                 * Not our token.
+                 */
+@@ -1713,7 +1723,7 @@ process_sit(ns_client_t *client, isc_buf
+        isc_buffer_init(&db, dbuf, sizeof(dbuf));
+        compute_sit(client, when, nonce, &db);
+ 
+-       if (memcmp(old, dbuf, SIT_SIZE) != 0) {
+       if (memcmp(old, dbuf, COOKIE_SIZE) != 0) {
+                isc_stats_increment(ns_g_server->nsstats,
+                                    dns_nsstatscounter_sitnomatch);
+                return;
+@@ -1779,7 +1789,9 @@ process_opt(ns_client_t *client, dns_rda
+                        optlen = isc_buffer_getuint16(&optbuf);
+                        switch (optcode) {
+                        case DNS_OPT_NSID:
+-                               isc_stats_increment(ns_g_server->nsstats,
+                               if (!WANTNSID(client))
+                                       isc_stats_increment(
+                                                   ns_g_server->nsstats,
+                                                    dns_nsstatscounter_nsidopt);
+                                client->attributes |= NS_CLIENTATTR_WANTNSID;
+                                isc_buffer_forward(&optbuf, optlen);
+@@ -1790,7 +1802,9 @@ process_opt(ns_client_t *client, dns_rda
+                                break;
+ #endif
+                        case DNS_OPT_EXPIRE:
+-                               isc_stats_increment(ns_g_server->nsstats,
+                               if (!WANTEXPIRE(client))
+                                       isc_stats_increment(
+                                                 ns_g_server->nsstats,
+                                                  dns_nsstatscounter_expireopt);
+                                client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
+                                isc_buffer_forward(&optbuf, optlen);
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
+++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -7144,7 +7144,9 @@ process_opt(resquery_t *query, dns_rdata
+        unsigned char *sit;
+        dns_adbaddrinfo_t *addrinfo;
+        unsigned char cookie[8];
+       isc_boolean_t seen_cookie = ISC_FALSE;
+ #endif
+       isc_boolean_t seen_nsid = ISC_FALSE;
+ 
+        result = dns_rdataset_first(opt);
+        if (result == ISC_R_SUCCESS) {
+@@ -7158,14 +7160,23 @@ process_opt(resquery_t *query, dns_rdata
+                        INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
+                        switch (optcode) {
+                        case DNS_OPT_NSID:
+-                               if (query->options & DNS_FETCHOPT_WANTNSID)
+                               if (!seen_nsid &&
+                                    query->options & DNS_FETCHOPT_WANTNSID)
+                                        log_nsid(&optbuf, optlen, query,
+                                                 ISC_LOG_DEBUG(3),
+                                                 query->fctx->res->mctx);
+                                isc_buffer_forward(&optbuf, optlen);
+                               seen_nsid = ISC_TRUE;
+                                break;
+ #ifdef ISC_PLATFORM_USESIT
+                        case DNS_OPT_SIT:
+                                /*
+                                 * Only process the first cookie option.
+                                 */
+                                if (seen_cookie) {
+                                        isc_buffer_forward(&optbuf, optlen);
+                                        break;
+                                }
+                                sit = isc_buffer_current(&optbuf);
+                                compute_cc(query, cookie, sizeof(cookie));
+                                INSIST(query->fctx->rmessage->sitbad == 0 &&
+@@ -7183,6 +7194,7 @@ process_opt(resquery_t *query, dns_rdata
+                                isc_buffer_forward(&optbuf, optlen);
+                                inc_stats(query->fctx->res,
+                                          dns_resstatscounter_sitin);
+                               seen_cookie = ISC_TRUE;
+                                break;
+ #endif
+                        default:
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index f1951a0a57..0dfa314f7a 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -28,6 +28,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://CVE-2016-1285.patch \
           file://CVE-2016-1286_1.patch \
           file://CVE-2016-1286_2.patch \
+           file://CVE-2016-2088.patch \
           "
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"
author	Armin Kuster <akuster@mvista.com>	2016-09-17 14:22:15 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-09-23 23:22:03 +0100
commit	9657825ef32ab0c864b1d9de92325b661da046b0 (patch)
tree	4339c197657203c23163fb12c565e5a2b08ea3eb /meta
parent	9f1dc20619dd4e96368d67190009d548d8b8ffab (diff)
download	poky-9657825ef32ab0c864b1d9de92325b661da046b0.tar.gz

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch new file mode 100644 index 0000000000..f3f2cc82d2 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
@@ -0,0 +1,216 @@
		1	From d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Sat, 27 Feb 2016 11:23:50 +1100
		4	Subject: [PATCH] 4322. [security] Duplicate EDNS COOKIE options in a
		5	response could trigger an assertion failure.
		6	(CVE-2016-2088) [RT #41809]
		7
		8	(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
		9	(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
		10
		11	Upstream-Status: Backport
		12	CVE: CVE-2016-2088
		13	minor fixup to get to apply.
		14
		15	Signed-off-by: Armin Kuster <akuster@mvista.com>
		16
		17	---
		18	CHANGES \| 5 +++++
		19	bin/dig/dighost.c \| 9 +++++++++
		20	bin/named/client.c \| 33 +++++++++++++++++++++++----------
		21	doc/arm/notes.xml \| 7 +++++++
		22	lib/dns/resolver.c \| 14 +++++++++++++-
		23	5 files changed, 57 insertions(+), 11 deletions(-)
		24
		25	Index: bind-9.10.2-P4/CHANGES
		26	===================================================================
		27	--- bind-9.10.2-P4.orig/CHANGES
		28	+++ bind-9.10.2-P4/CHANGES
		29	@@ -1,3 +1,7 @@
		30	+4322. [security] Duplicate EDNS COOKIE options in a response could
		31	+ trigger an assertion failure. (CVE-2016-2088)
		32	+ [RT #41809]
		33	+
		34	4319. [security] Fix resolver assertion failure due to improper
		35	DNAME handling when parsing fetch reply messages.
		36	(CVE-2016-1286) [RT #41753]
		37	Index: bind-9.10.2-P4/bin/dig/dighost.c
		38	===================================================================
		39	--- bind-9.10.2-P4.orig/bin/dig/dighost.c
		40	+++ bind-9.10.2-P4/bin/dig/dighost.c
		41	@@ -3349,6 +3349,7 @@ process_opt(dig_lookup_t *l, dns_message
		42	isc_buffer_t optbuf;
		43	isc_uint16_t optcode, optlen;
		44	dns_rdataset_t *opt = msg->opt;
		45	+ isc_boolean_t seen_cookie = ISC_FALSE;
		46
		47	result = dns_rdataset_first(opt);
		48	if (result == ISC_R_SUCCESS) {
		49	@@ -3360,8 +3361,16 @@ process_opt(dig_lookup_t *l, dns_message
		50	optcode = isc_buffer_getuint16(&optbuf);
		51	optlen = isc_buffer_getuint16(&optbuf);
		52	switch (optcode) {
		53	- case DNS_OPT_SIT:
		54	+ case DNS_OPT_SIT:
		55	+ /*
		56	+ * Only process the first cookie option.
		57	+ */
		58	+ if (seen_cookie) {
		59	+ isc_buffer_forward(&optbuf, optlen);
		60	+ break;
		61	+ }
		62	process_sit(l, msg, &optbuf, optlen);
		63	+ seen_cookie = ISC_TRUE;
		64	break;
		65	default:
		66	isc_buffer_forward(&optbuf, optlen);
		67	Index: bind-9.10.2-P4/bin/named/client.c
		68	===================================================================
		69	--- bind-9.10.2-P4.orig/bin/named/client.c
		70	+++ bind-9.10.2-P4/bin/named/client.c
		71	@@ -121,7 +121,10 @@
		72	*/
		73	#endif
		74
		75	-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
		76	+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
		77	+
		78	+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
		79	+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
		80
		81	/% nameserver client manager structure /
		82	struct ns_clientmgr {
		83	@@ -1391,7 +1394,7 @@ ns_client_addopt(ns_client_t *client, dn
		84	{
		85	char nsid[BUFSIZ], *nsidp;
		86	#ifdef ISC_PLATFORM_USESIT
		87	- unsigned char sit[SIT_SIZE];
		88	+ unsigned char sit[COOKIE_SIZE];
		89	#endif
		90	isc_result_t result;
		91	dns_view_t *view;
		92	@@ -1416,7 +1419,7 @@ ns_client_addopt(ns_client_t *client, dn
		93	flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
		94
		95	/* Set EDNS options if applicable */
		96	- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
		97	+ if (WANTNSID(client) &&
		98	(ns_g_server->server_id != NULL \|\|
		99	ns_g_server->server_usehostname)) {
		100	if (ns_g_server->server_usehostname) {
		101	@@ -1449,7 +1452,7 @@ ns_client_addopt(ns_client_t *client, dn
		102
		103	INSIST(count < DNS_EDNSOPTIONS);
		104	ednsopts[count].code = DNS_OPT_SIT;
		105	- ednsopts[count].length = SIT_SIZE;
		106	+ ednsopts[count].length = COOKIE_SIZE;
		107	ednsopts[count].value = sit;
		108	count++;
		109	}
		110	@@ -1657,19 +1660,26 @@ compute_sit(ns_client_t *client, isc_uin
		111
		112	static void
		113	process_sit(ns_client_t client, isc_buffer_t buf, size_t optlen) {
		114	- unsigned char dbuf[SIT_SIZE];
		115	+ unsigned char dbuf[COOKIE_SIZE];
		116	unsigned char *old;
		117	isc_stdtime_t now;
		118	isc_uint32_t when;
		119	isc_uint32_t nonce;
		120	isc_buffer_t db;
		121
		122	+ /*
		123	+ * If we have already seen a ECS option skip this ECS option.
		124	+ */
		125	+ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
		126	+ isc_buffer_forward(buf, optlen);
		127	+ return;
		128	+ }
		129	client->attributes \|= NS_CLIENTATTR_WANTSIT;
		130
		131	isc_stats_increment(ns_g_server->nsstats,
		132	dns_nsstatscounter_sitopt);
		133
		134	- if (optlen != SIT_SIZE) {
		135	+ if (optlen != COOKIE_SIZE) {
		136	/*
		137	* Not our token.
		138	*/
		139	@@ -1713,7 +1723,7 @@ process_sit(ns_client_t *client, isc_buf
		140	isc_buffer_init(&db, dbuf, sizeof(dbuf));
		141	compute_sit(client, when, nonce, &db);
		142
		143	- if (memcmp(old, dbuf, SIT_SIZE) != 0) {
		144	+ if (memcmp(old, dbuf, COOKIE_SIZE) != 0) {
		145	isc_stats_increment(ns_g_server->nsstats,
		146	dns_nsstatscounter_sitnomatch);
		147	return;
		148	@@ -1779,7 +1789,9 @@ process_opt(ns_client_t *client, dns_rda
		149	optlen = isc_buffer_getuint16(&optbuf);
		150	switch (optcode) {
		151	case DNS_OPT_NSID:
		152	- isc_stats_increment(ns_g_server->nsstats,
		153	+ if (!WANTNSID(client))
		154	+ isc_stats_increment(
		155	+ ns_g_server->nsstats,
		156	dns_nsstatscounter_nsidopt);
		157	client->attributes \|= NS_CLIENTATTR_WANTNSID;
		158	isc_buffer_forward(&optbuf, optlen);
		159	@@ -1790,7 +1802,9 @@ process_opt(ns_client_t *client, dns_rda
		160	break;
		161	#endif
		162	case DNS_OPT_EXPIRE:
		163	- isc_stats_increment(ns_g_server->nsstats,
		164	+ if (!WANTEXPIRE(client))
		165	+ isc_stats_increment(
		166	+ ns_g_server->nsstats,
		167	dns_nsstatscounter_expireopt);
		168	client->attributes \|= NS_CLIENTATTR_WANTEXPIRE;
		169	isc_buffer_forward(&optbuf, optlen);
		170	Index: bind-9.10.2-P4/lib/dns/resolver.c
		171	===================================================================
		172	--- bind-9.10.2-P4.orig/lib/dns/resolver.c
		173	+++ bind-9.10.2-P4/lib/dns/resolver.c
		174	@@ -7144,7 +7144,9 @@ process_opt(resquery_t *query, dns_rdata
		175	unsigned char *sit;
		176	dns_adbaddrinfo_t *addrinfo;
		177	unsigned char cookie[8];
		178	+ isc_boolean_t seen_cookie = ISC_FALSE;
		179	#endif
		180	+ isc_boolean_t seen_nsid = ISC_FALSE;
		181
		182	result = dns_rdataset_first(opt);
		183	if (result == ISC_R_SUCCESS) {
		184	@@ -7158,14 +7160,23 @@ process_opt(resquery_t *query, dns_rdata
		185	INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
		186	switch (optcode) {
		187	case DNS_OPT_NSID:
		188	- if (query->options & DNS_FETCHOPT_WANTNSID)
		189	+ if (!seen_nsid &&
		190	+ query->options & DNS_FETCHOPT_WANTNSID)
		191	log_nsid(&optbuf, optlen, query,
		192	ISC_LOG_DEBUG(3),
		193	query->fctx->res->mctx);
		194	isc_buffer_forward(&optbuf, optlen);
		195	+ seen_nsid = ISC_TRUE;
		196	break;
		197	#ifdef ISC_PLATFORM_USESIT
		198	case DNS_OPT_SIT:
		199	+ /*
		200	+ * Only process the first cookie option.
		201	+ */
		202	+ if (seen_cookie) {
		203	+ isc_buffer_forward(&optbuf, optlen);
		204	+ break;
		205	+ }
		206	sit = isc_buffer_current(&optbuf);
		207	compute_cc(query, cookie, sizeof(cookie));
		208	INSIST(query->fctx->rmessage->sitbad == 0 &&
		209	@@ -7183,6 +7194,7 @@ process_opt(resquery_t *query, dns_rdata
		210	isc_buffer_forward(&optbuf, optlen);
		211	inc_stats(query->fctx->res,
		212	dns_resstatscounter_sitin);
		213	+ seen_cookie = ISC_TRUE;
		214	break;
		215	#endif
		216	default:


diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb index f1951a0a57..0dfa314f7a 100644 --- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb +++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -28,6 +28,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
28	file://CVE-2016-1285.patch \	28	file://CVE-2016-1285.patch \
29	file://CVE-2016-1286_1.patch \	29	file://CVE-2016-1286_1.patch \
30	file://CVE-2016-1286_2.patch \	30	file://CVE-2016-1286_2.patch \
		31	file://CVE-2016-2088.patch \
31	"	32	"
32		33
33	SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"	34	SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"