1 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
new file mode 100644
index 0000000000..be479cb00e
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
@@ -0,0 +1,175 @@
+From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 20 Jun 2023 15:21:36 +1000
+Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
+Named and rndc do not need a lot of recursion so the depth is
+set to 10.
+Taken from BIND 9.16.44 change.
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]
+CVE: CVE-2023-3341
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/isccc/cc.c                   | 38 +++++++++++++++++++++++---------
+ lib/isccc/include/isccc/result.h |  4 +++-
+ lib/isccc/result.c               |  4 +++-
+ 3 files changed, 34 insertions(+), 12 deletions(-)
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index e012685..8eac3d6 100644
+--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
+@@ -53,6 +53,10 @@
+ 
+ #define MAX_TAGS               256
+ #define DUP_LIFETIME           900
+#ifndef ISCCC_MAXDEPTH
+#define ISCCC_MAXDEPTH \
+       10 /* Big enough for rndc which just sends a string each way. */
+#endif
+ 
+ typedef isccc_sexpr_t *sexpr_ptr;
+ 
+@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+-              uint32_t algorithm, isccc_sexpr_t **alistp);
+              uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
+list_fromwire(isccc_region_t *source, unsigned int depth,
+             isccc_sexpr_t **listp);
+ 
+ static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+value_fromwire(isccc_region_t *source, unsigned int depth,
+              isccc_sexpr_t **valuep) {
+        unsigned int msgtype;
+        uint32_t len;
+        isccc_sexpr_t *value;
+        isccc_region_t active;
+        isc_result_t result;
+ 
+       if (depth > ISCCC_MAXDEPTH) {
+               return (ISCCC_R_MAXDEPTH);
+       }
+
+        if (REGION_SIZE(*source) < 1 + 4)
+                return (ISC_R_UNEXPECTEDEND);
+        GET8(msgtype, source->rstart);
+@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+                } else
+                        result = ISC_R_NOMEMORY;
+        } else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+-               result = table_fromwire(&active, NULL, 0, valuep);
+               result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+        else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+-               result = list_fromwire(&active, valuep);
+               result = list_fromwire(&active, depth + 1, valuep);
+        else
+                result = ISCCC_R_SYNTAX;
+ 
+@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+-              uint32_t algorithm, isccc_sexpr_t **alistp)
+              uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
+ {
+        char key[256];
+        uint32_t len;
+@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ 
+        REQUIRE(alistp != NULL && *alistp == NULL);
+ 
+       if (depth > ISCCC_MAXDEPTH) {
+               return (ISCCC_R_MAXDEPTH);
+       }
+
+        checksum_rstart = NULL;
+        first_tag = true;
+        alist = isccc_alist_create();
+@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+                GET_MEM(key, len, source->rstart);
+                key[len] = '\0';        /* Ensure NUL termination. */
+                value = NULL;
+-               result = value_fromwire(source, &value);
+               result = value_fromwire(source, depth + 1, &value);
+                if (result != ISC_R_SUCCESS)
+                        goto bad;
+                if (isccc_alist_define(alist, key, value) == NULL) {
+@@ -661,14 +675,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ }
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
+list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) {
+        isccc_sexpr_t *list, *value;
+        isc_result_t result;
+ 
+       if (depth > ISCCC_MAXDEPTH) {
+               return (ISCCC_R_MAXDEPTH);
+       }
+
+        list = NULL;
+        while (!REGION_EMPTY(*source)) {
+                value = NULL;
+-               result = value_fromwire(source, &value);
+               result = value_fromwire(source, depth + 1, &value);
+                if (result != ISC_R_SUCCESS) {
+                        isccc_sexpr_free(&list);
+                        return (result);
+@@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+        if (version != 1)
+                return (ISCCC_R_UNKNOWNVERSION);
+ 
+-       return (table_fromwire(source, secret, algorithm, alistp));
+       return (table_fromwire(source, secret, algorithm, 0, alistp));
+ }
+ 
+ static isc_result_t
+diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
+index 6c79dd7..a85861c 100644
+--- a/lib/isccc/include/isccc/result.h
+++ b/lib/isccc/include/isccc/result.h
+@@ -47,8 +47,10 @@
+ #define ISCCC_R_CLOCKSKEW              (ISC_RESULTCLASS_ISCCC + 4)
+ /*% Duplicate */
+ #define ISCCC_R_DUPLICATE              (ISC_RESULTCLASS_ISCCC + 5)
+/*% Maximum recursion depth */
+#define ISCCC_R_MAXDEPTH               (ISC_RESULTCLASS_ISCCC + 6)
+ 
+-#define ISCCC_R_NRESULTS               6       /*%< Number of results */
+#define ISCCC_R_NRESULTS               7       /*%< Number of results */
+ 
+ ISC_LANG_BEGINDECLS
+ 
+diff --git a/lib/isccc/result.c b/lib/isccc/result.c
+index 8419bbb..325200b 100644
+--- a/lib/isccc/result.c
+++ b/lib/isccc/result.c
+@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
+        "bad auth",                             /* 3 */
+        "expired",                              /* 4 */
+        "clock skew",                           /* 5 */
+-       "duplicate"                             /* 6 */
+       "duplicate",                            /* 6 */
+       "max depth",                            /* 7 */
+ };
+ 
+ static const char *ids[ISCCC_R_NRESULTS] = {
+@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
+        "ISCCC_R_EXPIRED",
+        "ISCCC_R_CLOCKSKEW",
+        "ISCCC_R_DUPLICATE",
+       "ISCCC_R_MAXDEPTH",
+ };
+ 
+ #define ISCCC_RESULT_RESULTSET                 2
+-- 
+2.25.1

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch new file mode 100644 index 0000000000..be479cb00e --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
@@ -0,0 +1,175 @@
	1	From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001
	2	From: Mark Andrews <marka@isc.org>
	3	Date: Tue, 20 Jun 2023 15:21:36 +1000
	4	Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
	5
	6	Named and rndc do not need a lot of recursion so the depth is
	7	set to 10.
	8
	9	Taken from BIND 9.16.44 change.
	10
	11	Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]
	12	CVE: CVE-2023-3341
	13	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	14	---
	15	lib/isccc/cc.c \| 38 +++++++++++++++++++++++---------
	16	lib/isccc/include/isccc/result.h \| 4 +++-
	17	lib/isccc/result.c \| 4 +++-
	18	3 files changed, 34 insertions(+), 12 deletions(-)
	19
	20	diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
	21	index e012685..8eac3d6 100644
	22	--- a/lib/isccc/cc.c
	23	+++ b/lib/isccc/cc.c
	24	@@ -53,6 +53,10 @@
	25
	26	#define MAX_TAGS 256
	27	#define DUP_LIFETIME 900
	28	+#ifndef ISCCC_MAXDEPTH
	29	+#define ISCCC_MAXDEPTH \
	30	+ 10 /* Big enough for rndc which just sends a string each way. */
	31	+#endif
	32
	33	typedef isccc_sexpr_t *sexpr_ptr;
	34
	35	@@ -561,19 +565,25 @@ verify(isccc_sexpr_t alist, unsigned char data, unsigned int length,
	36
	37	static isc_result_t
	38	table_fromwire(isccc_region_t source, isccc_region_t secret,
	39	- uint32_t algorithm, isccc_sexpr_t **alistp);
	40	+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
	41
	42	static isc_result_t
	43	-list_fromwire(isccc_region_t source, isccc_sexpr_t *listp);
	44	+list_fromwire(isccc_region_t *source, unsigned int depth,
	45	+ isccc_sexpr_t **listp);
	46
	47	static isc_result_t
	48	-value_fromwire(isccc_region_t source, isccc_sexpr_t *valuep) {
	49	+value_fromwire(isccc_region_t *source, unsigned int depth,
	50	+ isccc_sexpr_t **valuep) {
	51	unsigned int msgtype;
	52	uint32_t len;
	53	isccc_sexpr_t *value;
	54	isccc_region_t active;
	55	isc_result_t result;
	56
	57	+ if (depth > ISCCC_MAXDEPTH) {
	58	+ return (ISCCC_R_MAXDEPTH);
	59	+ }
	60	+
	61	if (REGION_SIZE(*source) < 1 + 4)
	62	return (ISC_R_UNEXPECTEDEND);
	63	GET8(msgtype, source->rstart);
	64	@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t source, isccc_sexpr_t *valuep) {
	65	} else
	66	result = ISC_R_NOMEMORY;
	67	} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
	68	- result = table_fromwire(&active, NULL, 0, valuep);
	69	+ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
	70	else if (msgtype == ISCCC_CCMSGTYPE_LIST)
	71	- result = list_fromwire(&active, valuep);
	72	+ result = list_fromwire(&active, depth + 1, valuep);
	73	else
	74	result = ISCCC_R_SYNTAX;
	75
	76	@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t source, isccc_sexpr_t *valuep) {
	77
	78	static isc_result_t
	79	table_fromwire(isccc_region_t source, isccc_region_t secret,
	80	- uint32_t algorithm, isccc_sexpr_t **alistp)
	81	+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
	82	{
	83	char key[256];
	84	uint32_t len;
	85	@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t source, isccc_region_t secret,
	86
	87	REQUIRE(alistp != NULL && *alistp == NULL);
	88
	89	+ if (depth > ISCCC_MAXDEPTH) {
	90	+ return (ISCCC_R_MAXDEPTH);
	91	+ }
	92	+
	93	checksum_rstart = NULL;
	94	first_tag = true;
	95	alist = isccc_alist_create();
	96	@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t source, isccc_region_t secret,
	97	GET_MEM(key, len, source->rstart);
	98	key[len] = '\0'; /* Ensure NUL termination. */
	99	value = NULL;
	100	- result = value_fromwire(source, &value);
	101	+ result = value_fromwire(source, depth + 1, &value);
	102	if (result != ISC_R_SUCCESS)
	103	goto bad;
	104	if (isccc_alist_define(alist, key, value) == NULL) {
	105	@@ -661,14 +675,18 @@ table_fromwire(isccc_region_t source, isccc_region_t secret,
	106	}
	107
	108	static isc_result_t
	109	-list_fromwire(isccc_region_t source, isccc_sexpr_t *listp) {
	110	+list_fromwire(isccc_region_t source, unsigned int depth, isccc_sexpr_t *listp) {
	111	isccc_sexpr_t list, value;
	112	isc_result_t result;
	113
	114	+ if (depth > ISCCC_MAXDEPTH) {
	115	+ return (ISCCC_R_MAXDEPTH);
	116	+ }
	117	+
	118	list = NULL;
	119	while (!REGION_EMPTY(*source)) {
	120	value = NULL;
	121	- result = value_fromwire(source, &value);
	122	+ result = value_fromwire(source, depth + 1, &value);
	123	if (result != ISC_R_SUCCESS) {
	124	isccc_sexpr_free(&list);
	125	return (result);
	126	@@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t source, isccc_sexpr_t *alistp,
	127	if (version != 1)
	128	return (ISCCC_R_UNKNOWNVERSION);
	129
	130	- return (table_fromwire(source, secret, algorithm, alistp));
	131	+ return (table_fromwire(source, secret, algorithm, 0, alistp));
	132	}
	133
	134	static isc_result_t
	135	diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
	136	index 6c79dd7..a85861c 100644
	137	--- a/lib/isccc/include/isccc/result.h
	138	+++ b/lib/isccc/include/isccc/result.h
	139	@@ -47,8 +47,10 @@
	140	#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
	141	/% Duplicate /
	142	#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
	143	+/% Maximum recursion depth /
	144	+#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
	145
	146	-#define ISCCC_R_NRESULTS 6 /%< Number of results /
	147	+#define ISCCC_R_NRESULTS 7 /%< Number of results /
	148
	149	ISC_LANG_BEGINDECLS
	150
	151	diff --git a/lib/isccc/result.c b/lib/isccc/result.c
	152	index 8419bbb..325200b 100644
	153	--- a/lib/isccc/result.c
	154	+++ b/lib/isccc/result.c
	155	@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
	156	"bad auth", /* 3 */
	157	"expired", /* 4 */
	158	"clock skew", /* 5 */
	159	- "duplicate" /* 6 */
	160	+ "duplicate", /* 6 */
	161	+ "max depth", /* 7 */
	162	};
	163
	164	static const char *ids[ISCCC_R_NRESULTS] = {
	165	@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
	166	"ISCCC_R_EXPIRED",
	167	"ISCCC_R_CLOCKSKEW",
	168	"ISCCC_R_DUPLICATE",
	169	+ "ISCCC_R_MAXDEPTH",
	170	};
	171
	172	#define ISCCC_RESULT_RESULTSET 2
	173	--
	174	2.25.1
	175