1 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
new file mode 100644
index 0000000000..5393063c56
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,90 @@
+From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 12 Oct 2016 19:52:59 +0900
+Subject: [PATCH]
+4406.   [security]      getrrsetbyname with a non absolute name could
+                        trigger an infinite recursion bug in lwresd
+                        and named with lwres configured if when combined
+                        with a search list entry the resulting name is
+                        too long. (CVE-2016-2775) [RT #42694]
+Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
+v9.11.0_patch branch.
+CVE: CVE-2016-2775
+Upstream-Status: Backport
+Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ CHANGES                          |  6 ++++++
+ bin/named/lwdgrbn.c              | 16 ++++++++++------
+ bin/tests/system/lwresd/lwtest.c |  9 ++++++++-
+ 3 files changed, 24 insertions(+), 7 deletions(-)
+diff --git a/CHANGES b/CHANGES
+index d2e3360..d0a9d12 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -1,3 +1,9 @@
+4406.   [security]      getrrsetbyname with a non absolute name could
+                        trigger an infinite recursion bug in lwresd
+                        and named with lwres configured if when combined
+                        with a search list entry the resulting name is
+                        too long. (CVE-2016-2775) [RT #42694]
+
+ 4322.  [security]      Duplicate EDNS COOKIE options in a response could
+                        trigger an assertion failure. (CVE-2016-2088)
+                        [RT #41809]
+diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
+index 3e7b15b..e1e9adc 100644
+--- a/bin/named/lwdgrbn.c
+++ b/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+        INSIST(client->lookup == NULL);
+ 
+        dns_fixedname_init(&absname);
+-       result = ns_lwsearchctx_current(&client->searchctx,
+-                                       dns_fixedname_name(&absname));
+
+        /*
+-        * This will return failure if relative name + suffix is too long.
+-        * In this case, just go on to the next entry in the search path.
+         * Perform search across all search domains until success
+         * is returned. Return in case of failure.
+         */
+-       if (result != ISC_R_SUCCESS)
+-               start_lookup(client);
+        while (ns_lwsearchctx_current(&client->searchctx,
+                        dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
+                if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
+                        ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+                        return;
+                }
+        }
+ 
+        result = dns_lookup_create(cm->mctx,
+                                   dns_fixedname_name(&absname),
+diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
+index ad9b551..3eb4a66 100644
+--- a/bin/tests/system/lwresd/lwtest.c
+++ b/bin/tests/system/lwresd/lwtest.c
+@@ -768,7 +768,14 @@ main(void) {
+        test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
+        test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+        test_getrrsetbyname("", 1, 1, 0, 0, 0);
+-
+        test_getrrsetbyname("123456789.123456789.123456789.123456789."
+                            "123456789.123456789.123456789.123456789."
+                            "123456789.123456789.123456789.123456789."
+                            "123456789.123456789.123456789.123456789."
+                            "123456789.123456789.123456789.123456789."
+                            "123456789.123456789.123456789.123456789."
+                            "123456789", 1, 1, 0, 0, 0);
+ 
+        if (fails == 0)
+                printf("I:ok\n");
+        return (fails);
+-- 
+2.7.4

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch new file mode 100644 index 0000000000..5393063c56 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,90 @@
	1	From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
	2	From: Mark Andrews <marka@isc.org>
	3	Date: Wed, 12 Oct 2016 19:52:59 +0900
	4	Subject: [PATCH]
	5	4406. [security] getrrsetbyname with a non absolute name could
	6	trigger an infinite recursion bug in lwresd
	7	and named with lwres configured if when combined
	8	with a search list entry the resulting name is
	9	too long. (CVE-2016-2775) [RT #42694]
	10
	11	Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
	12	v9.11.0_patch branch.
	13
	14	CVE: CVE-2016-2775
	15	Upstream-Status: Backport
	16
	17	Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
	18
	19	---
	20	CHANGES \| 6 ++++++
	21	bin/named/lwdgrbn.c \| 16 ++++++++++------
	22	bin/tests/system/lwresd/lwtest.c \| 9 ++++++++-
	23	3 files changed, 24 insertions(+), 7 deletions(-)
	24
	25	diff --git a/CHANGES b/CHANGES
	26	index d2e3360..d0a9d12 100644
	27	--- a/CHANGES
	28	+++ b/CHANGES
	29	@@ -1,3 +1,9 @@
	30	+4406. [security] getrrsetbyname with a non absolute name could
	31	+ trigger an infinite recursion bug in lwresd
	32	+ and named with lwres configured if when combined
	33	+ with a search list entry the resulting name is
	34	+ too long. (CVE-2016-2775) [RT #42694]
	35	+
	36	4322. [security] Duplicate EDNS COOKIE options in a response could
	37	trigger an assertion failure. (CVE-2016-2088)
	38	[RT #41809]
	39	diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
	40	index 3e7b15b..e1e9adc 100644
	41	--- a/bin/named/lwdgrbn.c
	42	+++ b/bin/named/lwdgrbn.c
	43	@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
	44	INSIST(client->lookup == NULL);
	45
	46	dns_fixedname_init(&absname);
	47	- result = ns_lwsearchctx_current(&client->searchctx,
	48	- dns_fixedname_name(&absname));
	49	+
	50	/*
	51	- * This will return failure if relative name + suffix is too long.
	52	- * In this case, just go on to the next entry in the search path.
	53	+ * Perform search across all search domains until success
	54	+ * is returned. Return in case of failure.
	55	*/
	56	- if (result != ISC_R_SUCCESS)
	57	- start_lookup(client);
	58	+ while (ns_lwsearchctx_current(&client->searchctx,
	59	+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
	60	+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
	61	+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
	62	+ return;
	63	+ }
	64	+ }
	65
	66	result = dns_lookup_create(cm->mctx,
	67	dns_fixedname_name(&absname),
	68	diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
	69	index ad9b551..3eb4a66 100644
	70	--- a/bin/tests/system/lwresd/lwtest.c
	71	+++ b/bin/tests/system/lwresd/lwtest.c
	72	@@ -768,7 +768,14 @@ main(void) {
	73	test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
	74	test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
	75	test_getrrsetbyname("", 1, 1, 0, 0, 0);
	76	-
	77	+ test_getrrsetbyname("123456789.123456789.123456789.123456789."
	78	+ "123456789.123456789.123456789.123456789."
	79	+ "123456789.123456789.123456789.123456789."
	80	+ "123456789.123456789.123456789.123456789."
	81	+ "123456789.123456789.123456789.123456789."
	82	+ "123456789.123456789.123456789.123456789."
	83	+ "123456789", 1, 1, 0, 0, 0);
	84	+
	85	if (fails == 0)
	86	printf("I:ok\n");
	87	return (fails);
	88	--
	89	2.7.4
	90