1 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
new file mode 100644
index 0000000000..5002147f1a
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
@@ -0,0 +1,79 @@
+From 456e1eadd2a3a2fb9617e60d4db90ef4ba7c6ba3 Mon Sep 17 00:00:00 2001
+From: Mukund Sivaraman <muks@isc.org>
+Date: Mon, 22 Feb 2016 12:22:43 +0530
+Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
+ (CVE-2016-1286) (#41753)
+(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
+Hand applied Changelog changes.
+CVE: CVE-2016-1286
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/CHANGES b/CHANGES
+--- a/CHANGES   2016-04-11 09:46:42.075057394 +0200
+++ b/CHANGES   2016-04-11 09:44:21.857148819 +0200
+@@ -1,3 +1,7 @@
+4319.  [security]      Fix resolver assertion failure due to improper
+                       DNAME handling when parsing fetch reply messages.
+                       (CVE-2016-1286) [RT #41753]
+
+ 4318.  [security]      Malformed control messages can trigger assertions
+                        in named and rndc. (CVE-2016-1285) [RT #41666]
+ 
+diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c
+--- a/lib/dns/resolver.c        2016-04-11 09:36:08.550578585 +0200
+++ b/lib/dns/resolver.c        2016-04-11 09:43:23.091701714 +0200
+@@ -6634,21 +6634,26 @@
+                                isc_boolean_t found_dname = ISC_FALSE;
+                                dns_name_t *dname_name;
+ 
+                               /*
+                                * Only pass DNAME or RRSIG(DNAME).
+                                */
+                               if (rdataset->type != dns_rdatatype_dname &&
+                                   (rdataset->type != dns_rdatatype_rrsig ||
+                                    rdataset->covers != dns_rdatatype_dname))
+                                       continue;
+
+                               /*
+                                * If we're not chaining, then the DNAME and
+                                * its signature should not be external.
+                                */
+                               if (!chaining && external) {
+                                       log_formerr(fctx, "external DNAME");
+                                       return (DNS_R_FORMERR);
+                               }
+
+                                found = ISC_FALSE;
+                                aflag = 0;
+                                if (rdataset->type == dns_rdatatype_dname) {
+-                                       /*
+-                                        * We're looking for something else,
+-                                        * but we found a DNAME.
+-                                        *
+-                                        * If we're not chaining, then the
+-                                        * DNAME should not be external.
+-                                        */
+-                                       if (!chaining && external) {
+-                                               log_formerr(fctx,
+-                                                           "external DNAME");
+-                                               return (DNS_R_FORMERR);
+-                                       }
+                                        found = ISC_TRUE;
+                                        want_chaining = ISC_TRUE;
+                                        POST(want_chaining);
+@@ -6677,9 +6682,7 @@
+                                                        &fctx->domain)) {
+                                                return (DNS_R_SERVFAIL);
+                                        }
+-                               } else if (rdataset->type == dns_rdatatype_rrsig
+-                                          && rdataset->covers ==
+-                                          dns_rdatatype_dname) {
+                               } else {
+                                        /*
+                                         * We've found a signature that
+                                         * covers the DNAME.

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch new file mode 100644 index 0000000000..5002147f1a --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
@@ -0,0 +1,79 @@
	1	From 456e1eadd2a3a2fb9617e60d4db90ef4ba7c6ba3 Mon Sep 17 00:00:00 2001
	2	From: Mukund Sivaraman <muks@isc.org>
	3	Date: Mon, 22 Feb 2016 12:22:43 +0530
	4	Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
	5	(CVE-2016-1286) (#41753)
	6
	7	(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
	8
	9	Hand applied Changelog changes.
	10
	11	CVE: CVE-2016-1286
	12	Upstream-Status: Backport
	13
	14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	15	---
	16	diff -ruN a/CHANGES b/CHANGES
	17	--- a/CHANGES 2016-04-11 09:46:42.075057394 +0200
	18	+++ b/CHANGES 2016-04-11 09:44:21.857148819 +0200
	19	@@ -1,3 +1,7 @@
	20	+4319. [security] Fix resolver assertion failure due to improper
	21	+ DNAME handling when parsing fetch reply messages.
	22	+ (CVE-2016-1286) [RT #41753]
	23	+
	24	4318. [security] Malformed control messages can trigger assertions
	25	in named and rndc. (CVE-2016-1285) [RT #41666]
	26
	27	diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c
	28	--- a/lib/dns/resolver.c 2016-04-11 09:36:08.550578585 +0200
	29	+++ b/lib/dns/resolver.c 2016-04-11 09:43:23.091701714 +0200
	30	@@ -6634,21 +6634,26 @@
	31	isc_boolean_t found_dname = ISC_FALSE;
	32	dns_name_t *dname_name;
	33
	34	+ /*
	35	+ * Only pass DNAME or RRSIG(DNAME).
	36	+ */
	37	+ if (rdataset->type != dns_rdatatype_dname &&
	38	+ (rdataset->type != dns_rdatatype_rrsig \|\|
	39	+ rdataset->covers != dns_rdatatype_dname))
	40	+ continue;
	41	+
	42	+ /*
	43	+ * If we're not chaining, then the DNAME and
	44	+ * its signature should not be external.
	45	+ */
	46	+ if (!chaining && external) {
	47	+ log_formerr(fctx, "external DNAME");
	48	+ return (DNS_R_FORMERR);
	49	+ }
	50	+
	51	found = ISC_FALSE;
	52	aflag = 0;
	53	if (rdataset->type == dns_rdatatype_dname) {
	54	- /*
	55	- * We're looking for something else,
	56	- * but we found a DNAME.
	57	- *
	58	- * If we're not chaining, then the
	59	- * DNAME should not be external.
	60	- */
	61	- if (!chaining && external) {
	62	- log_formerr(fctx,
	63	- "external DNAME");
	64	- return (DNS_R_FORMERR);
	65	- }
	66	found = ISC_TRUE;
	67	want_chaining = ISC_TRUE;
	68	POST(want_chaining);
	69	@@ -6677,9 +6682,7 @@
	70	&fctx->domain)) {
	71	return (DNS_R_SERVFAIL);
	72	}
	73	- } else if (rdataset->type == dns_rdatatype_rrsig
	74	- && rdataset->covers ==
	75	- dns_rdatatype_dname) {
	76	+ } else {
	77	/*
	78	* We've found a signature that
	79	* covers the DNAME.