4 files changed, 589 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
new file mode 100644
index 0000000000..dea7aaef53
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
@@ -0,0 +1,60 @@
+CVE-2015-1349 bind: issue in trust anchor management can cause named to crash
+commit 2e9d79f169663c9aff5f0dcdc626a2cd2dbb5892
+Author: Evan Hunt <each@isc.org>
+Date:   Tue Feb 3 18:30:38 2015 -0800
+    [v9_9_6_patch] avoid crash due to managed-key rollover
+    
+    4053.       [security]      Revoking a managed trust anchor and supplying
+                        an untrusted replacement could cause named
+                        to crash with an assertion failure.
+                        (CVE-2015-1349) [RT #38344]
+Upstream Status: Backport from Redhat
+https://bugzilla.redhat.com/attachment.cgi?id=993045
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: bind-9.9.5/CHANGES
+===================================================================
+--- bind-9.9.5.orig/CHANGES
+++ bind-9.9.5/CHANGES
+@@ -1,3 +1,10 @@
+       --- 9.9.6-P2 released ---
+
+4053.  [security]      Revoking a managed trust anchor and supplying
+                       an untrusted replacement could cause named
+                       to crash with an assertion failure.
+                       (CVE-2015-1349) [RT #38344]
+
+        --- 9.9.5 released ---
+ 
+        --- 9.9.5rc2 released ---
+Index: bind-9.9.5/lib/dns/zone.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/zone.c
+++ bind-9.9.5/lib/dns/zone.c
+@@ -8496,6 +8496,12 @@ keyfetch_done(isc_task_t *task, isc_even
+                                             namebuf, tag);
+                                trustkey = ISC_TRUE;
+                        }
+               } else {
+                       /*
+                        * No previously known key, and the key is not
+                        * secure, so skip it.
+                        */
+                       continue;
+                }
+ 
+                /* Delete old version */
+@@ -8544,7 +8550,7 @@ keyfetch_done(isc_task_t *task, isc_even
+                        trust_key(zone, keyname, &dnskey, mctx);
+                }
+ 
+-               if (!deletekey)
+               if (secure && !deletekey) 
+                        set_refreshkeytimer(zone, &keydata, now);
+        }
+ 
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
new file mode 100644
index 0000000000..1a5051e638
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
@@ -0,0 +1,36 @@
+CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned()
+issue introduced by git commit
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=44f175a90a855326725439b2f1178f0dcca8f67d
+which is in this version of bind.
+Upstream Status: Backport from Redhat
+https://bugzilla.redhat.com/attachment.cgi?id=1044719
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: bind-9.9.5/lib/dns/validator.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/validator.c
+++ bind-9.9.5/lib/dns/validator.c
+@@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r
+  */
+ static isc_boolean_t
+ isselfsigned(dns_validator_t *val) {
+-       dns_fixedname_t fixed;
+        dns_rdataset_t *rdataset, *sigrdataset;
+        dns_rdata_t rdata = DNS_RDATA_INIT;
+        dns_rdata_t sigrdata = DNS_RDATA_INIT;
+@@ -1462,8 +1461,7 @@ isselfsigned(dns_validator_t *val) {
+                        result = dns_dnssec_verify3(name, rdataset, dstkey,
+                                                    ISC_TRUE,
+                                                    val->view->maxbits,
+-                                                   mctx, &sigrdata,
+-                                                   dns_fixedname_name(&fixed));
+                                                   mctx, &sigrdata, NULL);
+                        dst_key_free(&dstkey);
+                        if (result != ISC_R_SUCCESS)
+                                continue;
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch
new file mode 100644
index 0000000000..af20d5c83f
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch
@@ -0,0 +1,490 @@
+CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of service
+Upstream Status: Backport from Redhat
+https://bugzilla.redhat.com/attachment.cgi?id=1069245
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: bind-9.9.5/lib/dns/hmac_link.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/hmac_link.c
+++ bind-9.9.5/lib/dns/hmac_link.c
+@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_co
+        hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
+        if (hmacmd5ctx == NULL)
+                return (ISC_R_NOMEMORY);
+-       isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
+       isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
+        dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
+        return (ISC_R_SUCCESS);
+ }
+@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, c
+        else if (hkey1 == NULL || hkey2 == NULL)
+                return (ISC_FALSE);
+ 
+-       if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
+       if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
+                return (ISC_TRUE);
+        else
+                return (ISC_FALSE);
+@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pse
+        isc_buffer_t b;
+        isc_result_t ret;
+        unsigned int bytes;
+-       unsigned char data[ISC_SHA1_BLOCK_LENGTH];
+       unsigned char data[ISC_MD5_BLOCK_LENGTH];
+ 
+        UNUSED(callback);
+ 
+        bytes = (key->key_size + 7) / 8;
+-       if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+-               bytes = ISC_SHA1_BLOCK_LENGTH;
+-               key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
+       if (bytes > ISC_MD5_BLOCK_LENGTH) {
+               bytes = ISC_MD5_BLOCK_LENGTH;
+               key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
+        }
+ 
+-       memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+       memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+        ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+ 
+        if (ret != ISC_R_SUCCESS)
+@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pse
+        isc_buffer_init(&b, data, bytes);
+        isc_buffer_add(&b, bytes);
+        ret = hmacmd5_fromdns(key, &b);
+-       memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+       memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ 
+        return (ret);
+ }
+@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
+ 
+        memset(hkey->key, 0, sizeof(hkey->key));
+ 
+-       if (r.length > ISC_SHA1_BLOCK_LENGTH) {
+       if (r.length > ISC_MD5_BLOCK_LENGTH) {
+                isc_md5_init(&md5ctx);
+                isc_md5_update(&md5ctx, r.base, r.length);
+                isc_md5_final(&md5ctx, hkey->key);
+@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
+        key->key_size = keylen * 8;
+        key->keydata.hmacmd5 = hkey;
+ 
+       isc_buffer_forward(data, r.length);
+
+        return (ISC_R_SUCCESS);
+ }
+ 
+@@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buf
+        key->key_size = keylen * 8;
+        key->keydata.hmacsha1 = hkey;
+ 
+       isc_buffer_forward(data, r.length);
+
+        return (ISC_R_SUCCESS);
+ }
+ 
+@@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_b
+        key->key_size = keylen * 8;
+        key->keydata.hmacsha224 = hkey;
+ 
+       isc_buffer_forward(data, r.length);
+
+        return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_b
+        key->key_size = keylen * 8;
+        key->keydata.hmacsha256 = hkey;
+ 
+       isc_buffer_forward(data, r.length);
+
+        return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_b
+        key->key_size = keylen * 8;
+        key->keydata.hmacsha384 = hkey;
+ 
+       isc_buffer_forward(data, r.length);
+
+        return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_b
+        key->key_size = keylen * 8;
+        key->keydata.hmacsha512 = hkey;
+ 
+       isc_buffer_forward(data, r.length);
+
+        return (ISC_R_SUCCESS);
+ }
+ 
+Index: bind-9.9.5/lib/dns/include/dst/dst.h
+===================================================================
+--- bind-9.9.5.orig/lib/dns/include/dst/dst.h
+++ bind-9.9.5/lib/dns/include/dst/dst.h
+@@ -69,6 +69,7 @@ typedef struct dst_context    dst_context_
+ #define DST_ALG_HMACSHA256     163     /* XXXMPA */
+ #define DST_ALG_HMACSHA384     164     /* XXXMPA */
+ #define DST_ALG_HMACSHA512     165     /* XXXMPA */
+#define DST_ALG_INDIRECT       252
+ #define DST_ALG_PRIVATE                254
+ #define DST_ALG_EXPAND         255
+ #define DST_MAX_ALGS           255
+Index: bind-9.9.5/lib/dns/ncache.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/ncache.c
+++ bind-9.9.5/lib/dns/ncache.c
+@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t
+                dns_name_fromregion(&tname, &remaining);
+                INSIST(remaining.length >= tname.length);
+                isc_buffer_forward(&source, tname.length);
+-               remaining.length -= tname.length;
+-               remaining.base += tname.length;
+               isc_region_consume(&remaining, tname.length);
+ 
+                INSIST(remaining.length >= 2);
+                type = isc_buffer_getuint16(&source);
+-               remaining.length -= 2;
+-               remaining.base += 2;
+               isc_region_consume(&remaining, 2);
+ 
+                if (type != dns_rdatatype_rrsig ||
+                    !dns_name_equal(&tname, name)) {
+@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t
+                INSIST(remaining.length >= 1);
+                trust = isc_buffer_getuint8(&source);
+                INSIST(trust <= dns_trust_ultimate);
+-               remaining.length -= 1;
+-               remaining.base += 1;
+               isc_region_consume(&remaining, 1);
+ 
+                raw = remaining.base;
+                count = raw[0] * 256 + raw[1];
+Index: bind-9.9.5/lib/dns/openssldh_link.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/openssldh_link.c
+++ bind-9.9.5/lib/dns/openssldh_link.c
+@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
+ 
+ static void
+ uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+-       *region->base++ = (val & 0xff00) >> 8;
+-       *region->base++ = (val & 0x00ff);
+       *region->base = (val & 0xff00) >> 8;
+       isc_region_consume(region, 1);
+       *region->base = (val & 0x00ff);
+       isc_region_consume(region, 1);
+ }
+ 
+ static isc_uint16_t
+@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region)
+        val = ((unsigned int)(cp[0])) << 8;
+        val |= ((unsigned int)(cp[1]));
+ 
+-       region->base += 2;
+       isc_region_consume(region, 2);
+
+        return (val);
+ }
+ 
+@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, is
+        }
+        else
+                BN_bn2bin(dh->p, r.base);
+-       r.base += plen;
+       isc_region_consume(&r, plen);
+ 
+        uint16_toregion(glen, &r);
+        if (glen > 0)
+                BN_bn2bin(dh->g, r.base);
+-       r.base += glen;
+       isc_region_consume(&r, glen);
+ 
+        uint16_toregion(publen, &r);
+        BN_bn2bin(dh->pub_key, r.base);
+-       r.base += publen;
+       isc_region_consume(&r, publen);
+ 
+        isc_buffer_add(data, dnslen);
+ 
+@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+                return (DST_R_INVALIDPUBLICKEY);
+        }
+        if (plen == 1 || plen == 2) {
+-               if (plen == 1)
+-                       special = *r.base++;
+-               else
+               if (plen == 1) {
+                       special = *r.base;
+                       isc_region_consume(&r, 1);
+               } else {
+                        special = uint16_fromregion(&r);
+               }
+                switch (special) {
+                        case 1:
+                                dh->p = &bn768;
+@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+                                DH_free(dh);
+                                return (DST_R_INVALIDPUBLICKEY);
+                }
+-       }
+-       else {
+       } else {
+                dh->p = BN_bin2bn(r.base, plen, NULL);
+-               r.base += plen;
+               isc_region_consume(&r, plen);
+        }
+ 
+        /*
+@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+                                return (DST_R_INVALIDPUBLICKEY);
+                        }
+                }
+-       }
+-       else {
+       } else {
+                if (glen == 0) {
+                        DH_free(dh);
+                        return (DST_R_INVALIDPUBLICKEY);
+                }
+                dh->g = BN_bin2bn(r.base, glen, NULL);
+        }
+-       r.base += glen;
+       isc_region_consume(&r, glen);
+ 
+        if (r.length < 2) {
+                DH_free(dh);
+@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+                return (DST_R_INVALIDPUBLICKEY);
+        }
+        dh->pub_key = BN_bin2bn(r.base, publen, NULL);
+-       r.base += publen;
+       isc_region_consume(&r, publen);
+ 
+        key->key_size = BN_num_bits(dh->p);
+ 
+Index: bind-9.9.5/lib/dns/openssldsa_link.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/openssldsa_link.c
+++ bind-9.9.5/lib/dns/openssldsa_link.c
+@@ -29,8 +29,6 @@
+  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+-/* $Id$ */
+-
+ #ifdef OPENSSL
+ #ifndef USE_EVP
+ #define USE_EVP 1
+@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc
+        DSA *dsa = key->keydata.dsa;
+        isc_region_t r;
+        DSA_SIG *dsasig;
+       unsigned int klen;
+ #if USE_EVP
+        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+        EVP_PKEY *pkey;
+@@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc
+                                               ISC_R_FAILURE));
+        }
+        free(sigbuf);
+
+ #elif 0
+        /* Only use EVP for the Digest */
+        if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
+@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc
+                                               "DSA_do_sign",
+                                               DST_R_SIGNFAILURE));
+ #endif
+-       *r.base++ = (key->key_size - 512)/64;
+
+       klen = (key->key_size - 512)/64;
+       if (klen > 255)
+               return (ISC_R_FAILURE);
+       *r.base = klen;
+       isc_region_consume(&r, 1);
+
+        BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
+-       r.base += ISC_SHA1_DIGESTLENGTH;
+       isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+        BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
+-       r.base += ISC_SHA1_DIGESTLENGTH;
+       isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+        DSA_SIG_free(dsasig);
+        isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+ 
+@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, i
+        if (r.length < (unsigned int) dnslen)
+                return (ISC_R_NOSPACE);
+ 
+-       *r.base++ = t;
+       *r.base = t;
+       isc_region_consume(&r, 1);
+        BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
+-       r.base += ISC_SHA1_DIGESTLENGTH;
+       isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+        BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
+-       r.base += p_bytes;
+       isc_region_consume(&r, p_bytes);
+        BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
+-       r.base += p_bytes;
+       isc_region_consume(&r, p_bytes);
+        BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
+-       r.base += p_bytes;
+       isc_region_consume(&r, p_bytes);
+ 
+        isc_buffer_add(data, dnslen);
+ 
+@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_b
+                return (ISC_R_NOMEMORY);
+        dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+ 
+-       t = (unsigned int) *r.base++;
+       t = (unsigned int) *r.base;
+       isc_region_consume(&r, 1);
+        if (t > 8) {
+                DSA_free(dsa);
+                return (DST_R_INVALIDPUBLICKEY);
+        }
+        p_bytes = 64 + 8 * t;
+ 
+-       if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+       if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+                DSA_free(dsa);
+                return (DST_R_INVALIDPUBLICKEY);
+        }
+ 
+        dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
+-       r.base += ISC_SHA1_DIGESTLENGTH;
+       isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 
+        dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
+-       r.base += p_bytes;
+       isc_region_consume(&r, p_bytes);
+ 
+        dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
+-       r.base += p_bytes;
+       isc_region_consume(&r, p_bytes);
+ 
+        dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
+-       r.base += p_bytes;
+       isc_region_consume(&r, p_bytes);
+ 
+        key->key_size = p_bytes * 8;
+ 
+Index: bind-9.9.5/lib/dns/opensslecdsa_link.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/opensslecdsa_link.c
+++ bind-9.9.5/lib/dns/opensslecdsa_link.c
+@@ -14,8 +14,6 @@
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+-/* $Id$ */
+-
+ #include <config.h>
+ 
+ #ifdef HAVE_OPENSSL_ECDSA
+@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, i
+                                               "ECDSA_do_sign",
+                                               DST_R_SIGNFAILURE));
+        BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
+-       r.base += siglen / 2;
+       isc_region_consume(&r, siglen / 2);
+        BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
+-       r.base += siglen / 2;
+       isc_region_consume(&r, siglen / 2);
+        ECDSA_SIG_free(ecdsasig);
+        isc_buffer_add(sig, siglen);
+        ret = ISC_R_SUCCESS;
+Index: bind-9.9.5/lib/dns/opensslrsa_link.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/opensslrsa_link.c
+++ bind-9.9.5/lib/dns/opensslrsa_link.c
+@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+        RSA *rsa;
+        isc_region_t r;
+        unsigned int e_bytes;
+       unsigned int length;
+ #if USE_EVP
+        EVP_PKEY *pkey;
+ #endif
+@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+        isc_buffer_remainingregion(data, &r);
+        if (r.length == 0)
+                return (ISC_R_SUCCESS);
+       length = r.length;
+ 
+        rsa = RSA_new();
+        if (rsa == NULL)
+@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+                RSA_free(rsa);
+                return (DST_R_INVALIDPUBLICKEY);
+        }
+-       e_bytes = *r.base++;
+-       r.length--;
+       e_bytes = *r.base;
+       isc_region_consume(&r, 1);
+ 
+        if (e_bytes == 0) {
+                if (r.length < 2) {
+                        RSA_free(rsa);
+                        return (DST_R_INVALIDPUBLICKEY);
+                }
+-               e_bytes = ((*r.base++) << 8);
+-               e_bytes += *r.base++;
+-               r.length -= 2;
+               e_bytes = (*r.base) << 8;
+               isc_region_consume(&r, 1);
+               e_bytes += *r.base;
+               isc_region_consume(&r, 1);
+        }
+ 
+        if (r.length < e_bytes) {
+@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+                return (DST_R_INVALIDPUBLICKEY);
+        }
+        rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
+-       r.base += e_bytes;
+-       r.length -= e_bytes;
+       isc_region_consume(&r, e_bytes);
+ 
+        rsa->n = BN_bin2bn(r.base, r.length, NULL);
+ 
+        key->key_size = BN_num_bits(rsa->n);
+ 
+-       isc_buffer_forward(data, r.length);
+       isc_buffer_forward(data, length);
+ 
+ #if USE_EVP
+        pkey = EVP_PKEY_new();
+Index: bind-9.9.5/lib/dns/resolver.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/resolver.c
+++ bind-9.9.5/lib/dns/resolver.c
+@@ -8937,6 +8937,12 @@ dns_resolver_algorithm_supported(dns_res
+ 
+        REQUIRE(VALID_RESOLVER(resolver));
+ 
+       /*
+        * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
+        */
+       if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
+               return (ISC_FALSE);
+
+ #if USE_ALGLOCK
+        RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+ #endif
+@@ -8956,6 +8962,7 @@ dns_resolver_algorithm_supported(dns_res
+ #endif
+        if (found)
+                return (ISC_FALSE);
+
+        return (dst_algorithm_supported(alg));
+ }
+ 
diff --git a/meta/recipes-connectivity/bind/bind_9.9.5.bb b/meta/recipes-connectivity/bind/bind_9.9.5.bb
index e206cc45d8..ee940112f7 100644
--- a/meta/recipes-connectivity/bind/bind_9.9.5.bb
+++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb
@@ -19,6 +19,9 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://init.d-add-support-for-read-only-rootfs.patch \
           file://bind9_9_5-CVE-2014-8500.patch \
           file://bind9_9_5-CVE-2015-5477.patch \
+           file://CVE-2015-1349.patch \ 
+           file://CVE-2015-4620.patch \
+           file://CVE-2015-5722.patch \
           "
 SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch new file mode 100644 index 0000000000..dea7aaef53 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
@@ -0,0 +1,60 @@
		1	CVE-2015-1349 bind: issue in trust anchor management can cause named to crash
		2
		3	commit 2e9d79f169663c9aff5f0dcdc626a2cd2dbb5892
		4	Author: Evan Hunt <each@isc.org>
		5	Date: Tue Feb 3 18:30:38 2015 -0800
		6
		7	[v9_9_6_patch] avoid crash due to managed-key rollover
		8
		9	4053. [security] Revoking a managed trust anchor and supplying
		10	an untrusted replacement could cause named
		11	to crash with an assertion failure.
		12	(CVE-2015-1349) [RT #38344]
		13
		14	Upstream Status: Backport from Redhat
		15
		16	https://bugzilla.redhat.com/attachment.cgi?id=993045
		17
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19
		20	Index: bind-9.9.5/CHANGES
		21	===================================================================
		22	--- bind-9.9.5.orig/CHANGES
		23	+++ bind-9.9.5/CHANGES
		24	@@ -1,3 +1,10 @@
		25	+ --- 9.9.6-P2 released ---
		26	+
		27	+4053. [security] Revoking a managed trust anchor and supplying
		28	+ an untrusted replacement could cause named
		29	+ to crash with an assertion failure.
		30	+ (CVE-2015-1349) [RT #38344]
		31	+
		32	--- 9.9.5 released ---
		33
		34	--- 9.9.5rc2 released ---
		35	Index: bind-9.9.5/lib/dns/zone.c
		36	===================================================================
		37	--- bind-9.9.5.orig/lib/dns/zone.c
		38	+++ bind-9.9.5/lib/dns/zone.c
		39	@@ -8496,6 +8496,12 @@ keyfetch_done(isc_task_t *task, isc_even
		40	namebuf, tag);
		41	trustkey = ISC_TRUE;
		42	}
		43	+ } else {
		44	+ /*
		45	+ * No previously known key, and the key is not
		46	+ * secure, so skip it.
		47	+ */
		48	+ continue;
		49	}
		50
		51	/* Delete old version */
		52	@@ -8544,7 +8550,7 @@ keyfetch_done(isc_task_t *task, isc_even
		53	trust_key(zone, keyname, &dnskey, mctx);
		54	}
		55
		56	- if (!deletekey)
		57	+ if (secure && !deletekey)
		58	set_refreshkeytimer(zone, &keydata, now);
		59	}
		60


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch new file mode 100644 index 0000000000..1a5051e638 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
@@ -0,0 +1,36 @@
		1	CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned()
		2
		3	issue introduced by git commit
		4
		5	https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=44f175a90a855326725439b2f1178f0dcca8f67d
		6
		7	which is in this version of bind.
		8
		9	Upstream Status: Backport from Redhat
		10
		11	https://bugzilla.redhat.com/attachment.cgi?id=1044719
		12
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	Index: bind-9.9.5/lib/dns/validator.c
		16	===================================================================
		17	--- bind-9.9.5.orig/lib/dns/validator.c
		18	+++ bind-9.9.5/lib/dns/validator.c
		19	@@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r
		20	*/
		21	static isc_boolean_t
		22	isselfsigned(dns_validator_t *val) {
		23	- dns_fixedname_t fixed;
		24	dns_rdataset_t rdataset, sigrdataset;
		25	dns_rdata_t rdata = DNS_RDATA_INIT;
		26	dns_rdata_t sigrdata = DNS_RDATA_INIT;
		27	@@ -1462,8 +1461,7 @@ isselfsigned(dns_validator_t *val) {
		28	result = dns_dnssec_verify3(name, rdataset, dstkey,
		29	ISC_TRUE,
		30	val->view->maxbits,
		31	- mctx, &sigrdata,
		32	- dns_fixedname_name(&fixed));
		33	+ mctx, &sigrdata, NULL);
		34	dst_key_free(&dstkey);
		35	if (result != ISC_R_SUCCESS)
		36	continue;


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch new file mode 100644 index 0000000000..af20d5c83f --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch
@@ -0,0 +1,490 @@
		1	CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of service
		2
		3	Upstream Status: Backport from Redhat
		4
		5	https://bugzilla.redhat.com/attachment.cgi?id=1069245
		6
		7	Signed-off-by: Armin Kuster <akuster@mvista.com>
		8
		9	Index: bind-9.9.5/lib/dns/hmac_link.c
		10	===================================================================
		11	--- bind-9.9.5.orig/lib/dns/hmac_link.c
		12	+++ bind-9.9.5/lib/dns/hmac_link.c
		13	@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_co
		14	hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
		15	if (hmacmd5ctx == NULL)
		16	return (ISC_R_NOMEMORY);
		17	- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
		18	+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
		19	dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
		20	return (ISC_R_SUCCESS);
		21	}
		22	@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, c
		23	else if (hkey1 == NULL \|\| hkey2 == NULL)
		24	return (ISC_FALSE);
		25
		26	- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
		27	+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
		28	return (ISC_TRUE);
		29	else
		30	return (ISC_FALSE);
		31	@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pse
		32	isc_buffer_t b;
		33	isc_result_t ret;
		34	unsigned int bytes;
		35	- unsigned char data[ISC_SHA1_BLOCK_LENGTH];
		36	+ unsigned char data[ISC_MD5_BLOCK_LENGTH];
		37
		38	UNUSED(callback);
		39
		40	bytes = (key->key_size + 7) / 8;
		41	- if (bytes > ISC_SHA1_BLOCK_LENGTH) {
		42	- bytes = ISC_SHA1_BLOCK_LENGTH;
		43	- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
		44	+ if (bytes > ISC_MD5_BLOCK_LENGTH) {
		45	+ bytes = ISC_MD5_BLOCK_LENGTH;
		46	+ key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
		47	}
		48
		49	- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
		50	+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
		51	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
		52
		53	if (ret != ISC_R_SUCCESS)
		54	@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pse
		55	isc_buffer_init(&b, data, bytes);
		56	isc_buffer_add(&b, bytes);
		57	ret = hmacmd5_fromdns(key, &b);
		58	- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
		59	+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
		60
		61	return (ret);
		62	}
		63	@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
		64
		65	memset(hkey->key, 0, sizeof(hkey->key));
		66
		67	- if (r.length > ISC_SHA1_BLOCK_LENGTH) {
		68	+ if (r.length > ISC_MD5_BLOCK_LENGTH) {
		69	isc_md5_init(&md5ctx);
		70	isc_md5_update(&md5ctx, r.base, r.length);
		71	isc_md5_final(&md5ctx, hkey->key);
		72	@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
		73	key->key_size = keylen * 8;
		74	key->keydata.hmacmd5 = hkey;
		75
		76	+ isc_buffer_forward(data, r.length);
		77	+
		78	return (ISC_R_SUCCESS);
		79	}
		80
		81	@@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buf
		82	key->key_size = keylen * 8;
		83	key->keydata.hmacsha1 = hkey;
		84
		85	+ isc_buffer_forward(data, r.length);
		86	+
		87	return (ISC_R_SUCCESS);
		88	}
		89
		90	@@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_b
		91	key->key_size = keylen * 8;
		92	key->keydata.hmacsha224 = hkey;
		93
		94	+ isc_buffer_forward(data, r.length);
		95	+
		96	return (ISC_R_SUCCESS);
		97	}
		98
		99	@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_b
		100	key->key_size = keylen * 8;
		101	key->keydata.hmacsha256 = hkey;
		102
		103	+ isc_buffer_forward(data, r.length);
		104	+
		105	return (ISC_R_SUCCESS);
		106	}
		107
		108	@@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_b
		109	key->key_size = keylen * 8;
		110	key->keydata.hmacsha384 = hkey;
		111
		112	+ isc_buffer_forward(data, r.length);
		113	+
		114	return (ISC_R_SUCCESS);
		115	}
		116
		117	@@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_b
		118	key->key_size = keylen * 8;
		119	key->keydata.hmacsha512 = hkey;
		120
		121	+ isc_buffer_forward(data, r.length);
		122	+
		123	return (ISC_R_SUCCESS);
		124	}
		125
		126	Index: bind-9.9.5/lib/dns/include/dst/dst.h
		127	===================================================================
		128	--- bind-9.9.5.orig/lib/dns/include/dst/dst.h
		129	+++ bind-9.9.5/lib/dns/include/dst/dst.h
		130	@@ -69,6 +69,7 @@ typedef struct dst_context dst_context_
		131	#define DST_ALG_HMACSHA256 163 /* XXXMPA */
		132	#define DST_ALG_HMACSHA384 164 /* XXXMPA */
		133	#define DST_ALG_HMACSHA512 165 /* XXXMPA */
		134	+#define DST_ALG_INDIRECT 252
		135	#define DST_ALG_PRIVATE 254
		136	#define DST_ALG_EXPAND 255
		137	#define DST_MAX_ALGS 255
		138	Index: bind-9.9.5/lib/dns/ncache.c
		139	===================================================================
		140	--- bind-9.9.5.orig/lib/dns/ncache.c
		141	+++ bind-9.9.5/lib/dns/ncache.c
		142	@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t
		143	dns_name_fromregion(&tname, &remaining);
		144	INSIST(remaining.length >= tname.length);
		145	isc_buffer_forward(&source, tname.length);
		146	- remaining.length -= tname.length;
		147	- remaining.base += tname.length;
		148	+ isc_region_consume(&remaining, tname.length);
		149
		150	INSIST(remaining.length >= 2);
		151	type = isc_buffer_getuint16(&source);
		152	- remaining.length -= 2;
		153	- remaining.base += 2;
		154	+ isc_region_consume(&remaining, 2);
		155
		156	if (type != dns_rdatatype_rrsig \|\|
		157	!dns_name_equal(&tname, name)) {
		158	@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t
		159	INSIST(remaining.length >= 1);
		160	trust = isc_buffer_getuint8(&source);
		161	INSIST(trust <= dns_trust_ultimate);
		162	- remaining.length -= 1;
		163	- remaining.base += 1;
		164	+ isc_region_consume(&remaining, 1);
		165
		166	raw = remaining.base;
		167	count = raw[0] * 256 + raw[1];
		168	Index: bind-9.9.5/lib/dns/openssldh_link.c
		169	===================================================================
		170	--- bind-9.9.5.orig/lib/dns/openssldh_link.c
		171	+++ bind-9.9.5/lib/dns/openssldh_link.c
		172	@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
		173
		174	static void
		175	uint16_toregion(isc_uint16_t val, isc_region_t *region) {
		176	- *region->base++ = (val & 0xff00) >> 8;
		177	- *region->base++ = (val & 0x00ff);
		178	+ *region->base = (val & 0xff00) >> 8;
		179	+ isc_region_consume(region, 1);
		180	+ *region->base = (val & 0x00ff);
		181	+ isc_region_consume(region, 1);
		182	}
		183
		184	static isc_uint16_t
		185	@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region)
		186	val = ((unsigned int)(cp[0])) << 8;
		187	val \|= ((unsigned int)(cp[1]));
		188
		189	- region->base += 2;
		190	+ isc_region_consume(region, 2);
		191	+
		192	return (val);
		193	}
		194
		195	@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, is
		196	}
		197	else
		198	BN_bn2bin(dh->p, r.base);
		199	- r.base += plen;
		200	+ isc_region_consume(&r, plen);
		201
		202	uint16_toregion(glen, &r);
		203	if (glen > 0)
		204	BN_bn2bin(dh->g, r.base);
		205	- r.base += glen;
		206	+ isc_region_consume(&r, glen);
		207
		208	uint16_toregion(publen, &r);
		209	BN_bn2bin(dh->pub_key, r.base);
		210	- r.base += publen;
		211	+ isc_region_consume(&r, publen);
		212
		213	isc_buffer_add(data, dnslen);
		214
		215	@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_bu
		216	return (DST_R_INVALIDPUBLICKEY);
		217	}
		218	if (plen == 1 \|\| plen == 2) {
		219	- if (plen == 1)
		220	- special = *r.base++;
		221	- else
		222	+ if (plen == 1) {
		223	+ special = *r.base;
		224	+ isc_region_consume(&r, 1);
		225	+ } else {
		226	special = uint16_fromregion(&r);
		227	+ }
		228	switch (special) {
		229	case 1:
		230	dh->p = &bn768;
		231	@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_bu
		232	DH_free(dh);
		233	return (DST_R_INVALIDPUBLICKEY);
		234	}
		235	- }
		236	- else {
		237	+ } else {
		238	dh->p = BN_bin2bn(r.base, plen, NULL);
		239	- r.base += plen;
		240	+ isc_region_consume(&r, plen);
		241	}
		242
		243	/*
		244	@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_bu
		245	return (DST_R_INVALIDPUBLICKEY);
		246	}
		247	}
		248	- }
		249	- else {
		250	+ } else {
		251	if (glen == 0) {
		252	DH_free(dh);
		253	return (DST_R_INVALIDPUBLICKEY);
		254	}
		255	dh->g = BN_bin2bn(r.base, glen, NULL);
		256	}
		257	- r.base += glen;
		258	+ isc_region_consume(&r, glen);
		259
		260	if (r.length < 2) {
		261	DH_free(dh);
		262	@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_bu
		263	return (DST_R_INVALIDPUBLICKEY);
		264	}
		265	dh->pub_key = BN_bin2bn(r.base, publen, NULL);
		266	- r.base += publen;
		267	+ isc_region_consume(&r, publen);
		268
		269	key->key_size = BN_num_bits(dh->p);
		270
		271	Index: bind-9.9.5/lib/dns/openssldsa_link.c
		272	===================================================================
		273	--- bind-9.9.5.orig/lib/dns/openssldsa_link.c
		274	+++ bind-9.9.5/lib/dns/openssldsa_link.c
		275	@@ -29,8 +29,6 @@
		276	* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		277	*/
		278
		279	-/* $Id$ */
		280	-
		281	#ifdef OPENSSL
		282	#ifndef USE_EVP
		283	#define USE_EVP 1
		284	@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc
		285	DSA *dsa = key->keydata.dsa;
		286	isc_region_t r;
		287	DSA_SIG *dsasig;
		288	+ unsigned int klen;
		289	#if USE_EVP
		290	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
		291	EVP_PKEY *pkey;
		292	@@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc
		293	ISC_R_FAILURE));
		294	}
		295	free(sigbuf);
		296	+
		297	#elif 0
		298	/* Only use EVP for the Digest */
		299	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
		300	@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc
		301	"DSA_do_sign",
		302	DST_R_SIGNFAILURE));
		303	#endif
		304	- *r.base++ = (key->key_size - 512)/64;
		305	+
		306	+ klen = (key->key_size - 512)/64;
		307	+ if (klen > 255)
		308	+ return (ISC_R_FAILURE);
		309	+ *r.base = klen;
		310	+ isc_region_consume(&r, 1);
		311	+
		312	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
		313	- r.base += ISC_SHA1_DIGESTLENGTH;
		314	+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
		315	BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
		316	- r.base += ISC_SHA1_DIGESTLENGTH;
		317	+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
		318	DSA_SIG_free(dsasig);
		319	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
		320
		321	@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, i
		322	if (r.length < (unsigned int) dnslen)
		323	return (ISC_R_NOSPACE);
		324
		325	- *r.base++ = t;
		326	+ *r.base = t;
		327	+ isc_region_consume(&r, 1);
		328	BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
		329	- r.base += ISC_SHA1_DIGESTLENGTH;
		330	+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
		331	BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
		332	- r.base += p_bytes;
		333	+ isc_region_consume(&r, p_bytes);
		334	BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
		335	- r.base += p_bytes;
		336	+ isc_region_consume(&r, p_bytes);
		337	BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
		338	- r.base += p_bytes;
		339	+ isc_region_consume(&r, p_bytes);
		340
		341	isc_buffer_add(data, dnslen);
		342
		343	@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_b
		344	return (ISC_R_NOMEMORY);
		345	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
		346
		347	- t = (unsigned int) *r.base++;
		348	+ t = (unsigned int) *r.base;
		349	+ isc_region_consume(&r, 1);
		350	if (t > 8) {
		351	DSA_free(dsa);
		352	return (DST_R_INVALIDPUBLICKEY);
		353	}
		354	p_bytes = 64 + 8 * t;
		355
		356	- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
		357	+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
		358	DSA_free(dsa);
		359	return (DST_R_INVALIDPUBLICKEY);
		360	}
		361
		362	dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
		363	- r.base += ISC_SHA1_DIGESTLENGTH;
		364	+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
		365
		366	dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
		367	- r.base += p_bytes;
		368	+ isc_region_consume(&r, p_bytes);
		369
		370	dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
		371	- r.base += p_bytes;
		372	+ isc_region_consume(&r, p_bytes);
		373
		374	dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
		375	- r.base += p_bytes;
		376	+ isc_region_consume(&r, p_bytes);
		377
		378	key->key_size = p_bytes * 8;
		379
		380	Index: bind-9.9.5/lib/dns/opensslecdsa_link.c
		381	===================================================================
		382	--- bind-9.9.5.orig/lib/dns/opensslecdsa_link.c
		383	+++ bind-9.9.5/lib/dns/opensslecdsa_link.c
		384	@@ -14,8 +14,6 @@
		385	* PERFORMANCE OF THIS SOFTWARE.
		386	*/
		387
		388	-/* $Id$ */
		389	-
		390	#include <config.h>
		391
		392	#ifdef HAVE_OPENSSL_ECDSA
		393	@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, i
		394	"ECDSA_do_sign",
		395	DST_R_SIGNFAILURE));
		396	BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
		397	- r.base += siglen / 2;
		398	+ isc_region_consume(&r, siglen / 2);
		399	BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
		400	- r.base += siglen / 2;
		401	+ isc_region_consume(&r, siglen / 2);
		402	ECDSA_SIG_free(ecdsasig);
		403	isc_buffer_add(sig, siglen);
		404	ret = ISC_R_SUCCESS;
		405	Index: bind-9.9.5/lib/dns/opensslrsa_link.c
		406	===================================================================
		407	--- bind-9.9.5.orig/lib/dns/opensslrsa_link.c
		408	+++ bind-9.9.5/lib/dns/opensslrsa_link.c
		409	@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
		410	RSA *rsa;
		411	isc_region_t r;
		412	unsigned int e_bytes;
		413	+ unsigned int length;
		414	#if USE_EVP
		415	EVP_PKEY *pkey;
		416	#endif
		417	@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
		418	isc_buffer_remainingregion(data, &r);
		419	if (r.length == 0)
		420	return (ISC_R_SUCCESS);
		421	+ length = r.length;
		422
		423	rsa = RSA_new();
		424	if (rsa == NULL)
		425	@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
		426	RSA_free(rsa);
		427	return (DST_R_INVALIDPUBLICKEY);
		428	}
		429	- e_bytes = *r.base++;
		430	- r.length--;
		431	+ e_bytes = *r.base;
		432	+ isc_region_consume(&r, 1);
		433
		434	if (e_bytes == 0) {
		435	if (r.length < 2) {
		436	RSA_free(rsa);
		437	return (DST_R_INVALIDPUBLICKEY);
		438	}
		439	- e_bytes = ((*r.base++) << 8);
		440	- e_bytes += *r.base++;
		441	- r.length -= 2;
		442	+ e_bytes = (*r.base) << 8;
		443	+ isc_region_consume(&r, 1);
		444	+ e_bytes += *r.base;
		445	+ isc_region_consume(&r, 1);
		446	}
		447
		448	if (r.length < e_bytes) {
		449	@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
		450	return (DST_R_INVALIDPUBLICKEY);
		451	}
		452	rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
		453	- r.base += e_bytes;
		454	- r.length -= e_bytes;
		455	+ isc_region_consume(&r, e_bytes);
		456
		457	rsa->n = BN_bin2bn(r.base, r.length, NULL);
		458
		459	key->key_size = BN_num_bits(rsa->n);
		460
		461	- isc_buffer_forward(data, r.length);
		462	+ isc_buffer_forward(data, length);
		463
		464	#if USE_EVP
		465	pkey = EVP_PKEY_new();
		466	Index: bind-9.9.5/lib/dns/resolver.c
		467	===================================================================
		468	--- bind-9.9.5.orig/lib/dns/resolver.c
		469	+++ bind-9.9.5/lib/dns/resolver.c
		470	@@ -8937,6 +8937,12 @@ dns_resolver_algorithm_supported(dns_res
		471
		472	REQUIRE(VALID_RESOLVER(resolver));
		473
		474	+ /*
		475	+ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
		476	+ */
		477	+ if ((alg == DST_ALG_DH) \|\| (alg == DST_ALG_INDIRECT))
		478	+ return (ISC_FALSE);
		479	+
		480	#if USE_ALGLOCK
		481	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
		482	#endif
		483	@@ -8956,6 +8962,7 @@ dns_resolver_algorithm_supported(dns_res
		484	#endif
		485	if (found)
		486	return (ISC_FALSE);
		487	+
		488	return (dst_algorithm_supported(alg));
		489	}
		490


diff --git a/meta/recipes-connectivity/bind/bind_9.9.5.bb b/meta/recipes-connectivity/bind/bind_9.9.5.bb index e206cc45d8..ee940112f7 100644 --- a/meta/recipes-connectivity/bind/bind_9.9.5.bb +++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb
@@ -19,6 +19,9 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
19	file://init.d-add-support-for-read-only-rootfs.patch \	19	file://init.d-add-support-for-read-only-rootfs.patch \
20	file://bind9_9_5-CVE-2014-8500.patch \	20	file://bind9_9_5-CVE-2014-8500.patch \
21	file://bind9_9_5-CVE-2015-5477.patch \	21	file://bind9_9_5-CVE-2015-5477.patch \
		22	file://CVE-2015-1349.patch \
		23	file://CVE-2015-4620.patch \
		24	file://CVE-2015-5722.patch \
22	"	25	"
23		26
24	SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"	27	SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"