summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch84
-rw-r--r--meta/recipes-connectivity/bind/bind_9.10.2-P4.bb1
2 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
new file mode 100644
index 0000000000..5d4d9126bf
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,84 @@
1From 390c5183af79861fcf07a44014912788744e85de Mon Sep 17 00:00:00 2001
2From: Mark Andrews <marka@isc.org>
3Date: Thu, 7 Jul 2016 12:52:47 +1000
4Subject: [PATCH] 4406. [bug] getrrsetbyname with a non absolute
5 name could trigger a infinite recursion bug in lwresd
6 and named with lwres configured if when combined
7 with a search list entry the resulting name is
8 too long. [RT #42694]
9
10(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232)
11
12Upstream-Status: Backport
13CVE: CVE-2016-2775
14
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17---
18 CHANGES | 6 ++++++
19 bin/named/lwdgrbn.c | 16 ++++++++++------
20 bin/tests/system/lwresd/lwtest.c | 8 ++++++++
21 3 files changed, 24 insertions(+), 6 deletions(-)
22
23Index: bind-9.10.2-P4/bin/named/lwdgrbn.c
24===================================================================
25--- bind-9.10.2-P4.orig/bin/named/lwdgrbn.c
26+++ bind-9.10.2-P4/bin/named/lwdgrbn.c
27@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
28 INSIST(client->lookup == NULL);
29
30 dns_fixedname_init(&absname);
31- result = ns_lwsearchctx_current(&client->searchctx,
32- dns_fixedname_name(&absname));
33+
34 /*
35- * This will return failure if relative name + suffix is too long.
36- * In this case, just go on to the next entry in the search path.
37+ * Perform search across all search domains until success
38+ * is returned. Return in case of failure.
39 */
40- if (result != ISC_R_SUCCESS)
41- start_lookup(client);
42+ while (ns_lwsearchctx_current(&client->searchctx,
43+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
44+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
45+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
46+ return;
47+ }
48+ }
49
50 result = dns_lookup_create(cm->mctx,
51 dns_fixedname_name(&absname),
52Index: bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
53===================================================================
54--- bind-9.10.2-P4.orig/bin/tests/system/lwresd/lwtest.c
55+++ bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
56@@ -768,6 +768,14 @@ main(void) {
57 test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
58 test_getrrsetbyname("", 1, 1, 0, 0, 0);
59
60+ test_getrrsetbyname("123456789.123456789.123456789.123456789."
61+ "123456789.123456789.123456789.123456789."
62+ "123456789.123456789.123456789.123456789."
63+ "123456789.123456789.123456789.123456789."
64+ "123456789.123456789.123456789.123456789."
65+ "123456789.123456789.123456789.123456789."
66+ "123456789", 1, 1, 0, 0, 0);
67+
68 if (fails == 0)
69 printf("I:ok\n");
70 return (fails);
71Index: bind-9.10.2-P4/CHANGES
72===================================================================
73--- bind-9.10.2-P4.orig/CHANGES
74+++ bind-9.10.2-P4/CHANGES
75@@ -1,3 +1,9 @@
76+4406. [bug] getrrsetbyname with a non absolute name could
77+ trigger a infinite recursion bug in lwresd
78+ and named with lwres configured if when combined
79+ with a search list entry the resulting name is
80+ too long. [RT #42694]
81+
82 4322. [security] Duplicate EDNS COOKIE options in a response could
83 trigger an assertion failure. (CVE-2016-2088)
84 [RT #41809]
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index 0dfa314f7a..80c7b44127 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -29,6 +29,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
29 file://CVE-2016-1286_1.patch \ 29 file://CVE-2016-1286_1.patch \
30 file://CVE-2016-1286_2.patch \ 30 file://CVE-2016-1286_2.patch \
31 file://CVE-2016-2088.patch \ 31 file://CVE-2016-2088.patch \
32 file://CVE-2016-2775.patch \
32 " 33 "
33 34
34SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7" 35SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"