diff options
Diffstat (limited to 'meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch new file mode 100644 index 0000000000..5d4d9126bf --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch | |||
@@ -0,0 +1,84 @@ | |||
1 | From 390c5183af79861fcf07a44014912788744e85de Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Thu, 7 Jul 2016 12:52:47 +1000 | ||
4 | Subject: [PATCH] 4406. [bug] getrrsetbyname with a non absolute | ||
5 | name could trigger a infinite recursion bug in lwresd | ||
6 | and named with lwres configured if when combined | ||
7 | with a search list entry the resulting name is | ||
8 | too long. [RT #42694] | ||
9 | |||
10 | (cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232) | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | CVE: CVE-2016-2775 | ||
14 | |||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | CHANGES | 6 ++++++ | ||
19 | bin/named/lwdgrbn.c | 16 ++++++++++------ | ||
20 | bin/tests/system/lwresd/lwtest.c | 8 ++++++++ | ||
21 | 3 files changed, 24 insertions(+), 6 deletions(-) | ||
22 | |||
23 | Index: bind-9.10.2-P4/bin/named/lwdgrbn.c | ||
24 | =================================================================== | ||
25 | --- bind-9.10.2-P4.orig/bin/named/lwdgrbn.c | ||
26 | +++ bind-9.10.2-P4/bin/named/lwdgrbn.c | ||
27 | @@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) { | ||
28 | INSIST(client->lookup == NULL); | ||
29 | |||
30 | dns_fixedname_init(&absname); | ||
31 | - result = ns_lwsearchctx_current(&client->searchctx, | ||
32 | - dns_fixedname_name(&absname)); | ||
33 | + | ||
34 | /* | ||
35 | - * This will return failure if relative name + suffix is too long. | ||
36 | - * In this case, just go on to the next entry in the search path. | ||
37 | + * Perform search across all search domains until success | ||
38 | + * is returned. Return in case of failure. | ||
39 | */ | ||
40 | - if (result != ISC_R_SUCCESS) | ||
41 | - start_lookup(client); | ||
42 | + while (ns_lwsearchctx_current(&client->searchctx, | ||
43 | + dns_fixedname_name(&absname)) != ISC_R_SUCCESS) { | ||
44 | + if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) { | ||
45 | + ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); | ||
46 | + return; | ||
47 | + } | ||
48 | + } | ||
49 | |||
50 | result = dns_lookup_create(cm->mctx, | ||
51 | dns_fixedname_name(&absname), | ||
52 | Index: bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c | ||
53 | =================================================================== | ||
54 | --- bind-9.10.2-P4.orig/bin/tests/system/lwresd/lwtest.c | ||
55 | +++ bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c | ||
56 | @@ -768,6 +768,14 @@ main(void) { | ||
57 | test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); | ||
58 | test_getrrsetbyname("", 1, 1, 0, 0, 0); | ||
59 | |||
60 | + test_getrrsetbyname("123456789.123456789.123456789.123456789." | ||
61 | + "123456789.123456789.123456789.123456789." | ||
62 | + "123456789.123456789.123456789.123456789." | ||
63 | + "123456789.123456789.123456789.123456789." | ||
64 | + "123456789.123456789.123456789.123456789." | ||
65 | + "123456789.123456789.123456789.123456789." | ||
66 | + "123456789", 1, 1, 0, 0, 0); | ||
67 | + | ||
68 | if (fails == 0) | ||
69 | printf("I:ok\n"); | ||
70 | return (fails); | ||
71 | Index: bind-9.10.2-P4/CHANGES | ||
72 | =================================================================== | ||
73 | --- bind-9.10.2-P4.orig/CHANGES | ||
74 | +++ bind-9.10.2-P4/CHANGES | ||
75 | @@ -1,3 +1,9 @@ | ||
76 | +4406. [bug] getrrsetbyname with a non absolute name could | ||
77 | + trigger a infinite recursion bug in lwresd | ||
78 | + and named with lwres configured if when combined | ||
79 | + with a search list entry the resulting name is | ||
80 | + too long. [RT #42694] | ||
81 | + | ||
82 | 4322. [security] Duplicate EDNS COOKIE options in a response could | ||
83 | trigger an assertion failure. (CVE-2016-2088) | ||
84 | [RT #41809] | ||