Diffstat (limited to 'meta/recipes-connectivity/bind')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch | 67 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch | 31 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch | 33 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch | 166 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch | 175 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind_9.11.37.bb (renamed from meta/recipes-connectivity/bind/bind_9.11.22.bb) | 10 |
6 files changed, 480 insertions, 2 deletions
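--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
@@ -0,0 +1,67 @@
+From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH 1/3] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered. Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+
+Upstream-Status: Backport
+CVE: CVE-2022-2795
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+lib/dns/resolver.c | 12 ++++++++++++
+1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8ae9a993bbd7..ac9a9ef5d009 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -180,6 +180,12 @@
+*/
+#define NS_FAIL_LIMIT 4
+#define NS_RR_LIMIT 5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+
+/* Number of hash buckets for zone counters */
+#ifndef RES_DOMAIN_BUCKETS
+@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+bool need_alternate = false;
+bool all_spilled = true;
+unsigned int no_addresses = 0;
++ unsigned int ns_processed = 0;
+
+FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+
+dns_rdata_reset(&rdata);
+dns_rdata_freestruct(&ns);
++
++ if (++ns_processed >= NS_PROCESSING_LIMIT) {
++ result = ISC_R_NOMORE;
++ break;
++ }
+}
+if (result != ISC_R_NOMORE) {
+return (result);
+--
+2.34.1
+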
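Review bot: The early exit added at patch lines 58–61 deliberately sets `result = ISC_R_NOMORE` before `break`, so the `if (result != ISC_R_NOMORE)` check at line 63 treats a truncated NS RRset exactly like an exhausted one; nothing says so, and a later reader may take the reuse of ISC_R_NOMORE for an oversight. A one-line comment above the check would pin the intent, e.g. `/* Treat the RRset as exhausted: proceed with the addresses found so far. */`. The new `NS_PROCESSING_LIMIT` define at line 41 is also not wrapped in `#ifndef` the way `ISCCC_MAXDEPTH` is in CVE-2023-3341.patch, so it cannot be overridden at build time. fctx_getaddresses starts and ends outside the hunk.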
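--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
@@ -0,0 +1,31 @@
+From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH 2/3] Free eckey on siglen mismatch
+
+Upstream-Status: Backport
+CVE: CVE-2022-38177
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+lib/dns/opensslecdsa_link.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 83b5b51cd78c..7576e04ac635 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+siglen = DNS_SIG_ECDSA384SIZE;
+
+if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+
+if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+DST_RET (dst__openssl_toresult3(dctx->category,
+--
+2.34.1
+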
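Review bot: The replacement `DST_RET(DST_R_VERIFYFAILURE);` at patch line 25 makes the fix depend on the function's error-exit path releasing `eckey`, but that path lies outside the hunk, so the patch on its own does not show the leak being closed; a sentence in the patch description such as `DST_RET records the result and jumps to the function's cleanup label, which frees eckey` would let a reviewer confirm the fix without the full file. The macro is also invoked as an unbraced `if` body; unless `DST_RET` is known to expand to a single statement, `if (sig->length != siglen) { DST_RET(DST_R_VERIFYFAILURE); }` is the safer form. opensslecdsa_verify starts and ends outside the hunk.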
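--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
@@ -0,0 +1,33 @@
+From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH 3/3] Free ctx on invalid siglen
+
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+
+Upstream-Status: Backport
+CVE: CVE-2022-38178
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+lib/dns/openssleddsa_link.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 8b115ec283f0..b4fcd607c131 100644
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+siglen = DNS_SIG_ED448SIZE;
+
+if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(ISC_R_NOTIMPLEMENTED);
+
+isc_buffer_usedregion(buf, &tbsreg);
+
+--
+2.34.1
+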
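Review bot: The changed line at patch line 27 does more than route through cleanup: it also changes the result code from `DST_R_VERIFYFAILURE` to `ISC_R_NOTIMPLEMENTED`, which the subject "Free ctx on invalid siglen" does not mention and which differs from the sibling CVE-2022-38177 patch, where the same length check keeps `DST_R_VERIFYFAILURE`. If that is what the upstream commit does, the description should say so; if not, `DST_RET(DST_R_VERIFYFAILURE);` preserves the original verification result for a malformed signature. The reference URL at line 11 carries a truncated commit id (30 hex digits) where the other two patches give full ids, which makes this harder to verify. openssleddsa_verify starts and ends outside the hunk.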
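--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
@@ -0,0 +1,166 @@
+
+Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz
+Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch]
+Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a
+CVE: CVE-2023-2828
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+
+---
+lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++++++-----------------------
+1 file changed, 63 insertions(+), 43 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index b1b928c..3165e26 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+bool tree_locked, expire_t reason);
+static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+- isc_stdtime_t now, bool tree_locked);
++ size_t purgesize, bool tree_locked);
+static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
+rdatasetheader_t *newheader);
+static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+
+static dns_dbmethods_t zone_methods;
+
++static size_t
++rdataset_size(rdatasetheader_t *header) {
++ if (!NONEXISTENT(header)) {
++ return (dns_rdataslab_size((unsigned char *)header,
++ sizeof(*header)));
++ }
++
++ return (sizeof(*header));
++}
++
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+}
+
+if (cache_is_overmem)
+- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
++ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
++ tree_locked);
+
+NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+isc_rwlocktype_write);
+@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+
+header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
+- expire_header(rbtdb, header, tree_locked,
+- expire_ttl);
++ if (header != NULL) {
++ dns_ttl_t rdh_ttl = header->rdh_ttl;
++
++ if (rdh_ttl < now - RBTDB_VIRTUAL) {
++ expire_header(rbtdb, header, tree_locked,
++ expire_ttl);
++ }
++ }
+
+/*
+* If we've been holding a write lock on the tree just for
+@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+}
+
++static size_t
++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
++ bool tree_locked) {
++ rdatasetheader_t *header, *header_prev;
++ size_t purged = 0;
++
++ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
++ header != NULL && purged <= purgesize; header = header_prev)
++ {
++ header_prev = ISC_LIST_PREV(header, link);
++ /*
++ * Unlink the entry at this point to avoid checking it
++ * again even if it's currently used someone else and
++ * cannot be purged at this moment. This entry won't be
++ * referenced any more (so unlinking is safe) since the
++ * TTL was reset to 0.
++ */
++ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
++ size_t header_size = rdataset_size(header);
++ expire_header(rbtdb, header, tree_locked, expire_lru);
++ purged += header_size;
++ }
++
++ return (purged);
++}
++
+/*%
+- * Purge some expired and/or stale (i.e. unused for some period) cache entries
+- * under an overmem condition. To recover from this condition quickly, up to
+- * 2 entries will be purged. This process is triggered while adding a new
+- * entry, and we specifically avoid purging entries in the same LRU bucket as
+- * the one to which the new entry will belong. Otherwise, we might purge
+- * entries of the same name of different RR types while adding RRsets from a
+- * single response (consider the case where we're adding A and AAAA glue records
+- * of the same NS name).
+- */
++ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
++ * entries under the overmem condition. To recover from this condition quickly,
++ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
++ *
++ * This process is triggered while adding a new entry, and we specifically avoid
++ * purging entries in the same LRU bucket as the one to which the new entry will
++ * belong. Otherwise, we might purge entries of the same name of different RR
++ * types while adding RRsets from a single response (consider the case where
++ * we're adding A and AAAA glue records of the same NS name).
++*/
+static void
+-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+- isc_stdtime_t now, bool tree_locked)
++overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
++ bool tree_locked)
+{
+- rdatasetheader_t *header, *header_prev;
+unsigned int locknum;
+- int purgecount = 2;
++ size_t purged = 0;
+
+for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+- locknum != locknum_start && purgecount > 0;
++ locknum != locknum_start && purged <= purgesize;
+locknum = (locknum + 1) % rbtdb->node_lock_count) {
+NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+isc_rwlocktype_write);
+
+- header = isc_heap_element(rbtdb->heaps[locknum], 1);
+- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
+- expire_header(rbtdb, header, tree_locked,
+- expire_ttl);
+- purgecount--;
+- }
+-
+- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+- header != NULL && purgecount > 0;
+- header = header_prev) {
+- header_prev = ISC_LIST_PREV(header, link);
+- /*
+- * Unlink the entry at this point to avoid checking it
+- * again even if it's currently used someone else and
+- * cannot be purged at this moment. This entry won't be
+- * referenced any more (so unlinking is safe) since the
+- * TTL was reset to 0.
+- */
+- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
+- link);
+- expire_header(rbtdb, header, tree_locked,
+- expire_lru);
+- purgecount--;
+- }
++ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
++ tree_locked);
+
+NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+isc_rwlocktype_write);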
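Review bot: The new `expire_lru_headers` at patch lines 74–98 declares `size_t header_size` in the middle of the loop body (line 92) after statements, while every other local in this hunk, including the function's own `header` and `purged`, is declared at the top of its block; declaring `size_t header_size;` beside `purged` and assigning it at line 92 keeps the file's convention. The rewritten block comment closes with a flush-left `*/` at line 119 where the comment it replaces closed with ` */`. This patch also carries no From/Subject/description header, unlike the other four; a short description of the change (purge by size of the newly added rdata under overmem instead of a fixed two-entry purge, as the new comment at lines 110–112 describes) would help whoever has to rebase it. The functions touched by every hunk start or end outside the patch.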
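--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
@@ -0,0 +1,175 @@
+From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 20 Jun 2023 15:21:36 +1000
+Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
+
+Named and rndc do not need a lot of recursion so the depth is
+set to 10.
+
+Taken from BIND 9.16.44 change.
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]
+CVE: CVE-2023-3341
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+lib/isccc/cc.c | 38 +++++++++++++++++++++++---------
+lib/isccc/include/isccc/result.h | 4 +++-
+lib/isccc/result.c | 4 +++-
+3 files changed, 34 insertions(+), 12 deletions(-)
+
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index e012685..8eac3d6 100644
+--- a/lib/isccc/cc.c
++++ b/lib/isccc/cc.c
+@@ -53,6 +53,10 @@
+
+#define MAX_TAGS 256
+#define DUP_LIFETIME 900
++#ifndef ISCCC_MAXDEPTH
++#define ISCCC_MAXDEPTH \
++ 10 /* Big enough for rndc which just sends a string each way. */
++#endif
+
+typedef isccc_sexpr_t *sexpr_ptr;
+
+@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+
+static isc_result_t
+table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp);
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+
+static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
++list_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **listp);
+
+static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
++value_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **valuep) {
+unsigned int msgtype;
+uint32_t len;
+isccc_sexpr_t *value;
+isccc_region_t active;
+isc_result_t result;
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+if (REGION_SIZE(*source) < 1 + 4)
+return (ISC_R_UNEXPECTEDEND);
+GET8(msgtype, source->rstart);
+@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+} else
+result = ISC_R_NOMEMORY;
+} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+- result = table_fromwire(&active, NULL, 0, valuep);
++ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+- result = list_fromwire(&active, valuep);
++ result = list_fromwire(&active, depth + 1, valuep);
+else
+result = ISCCC_R_SYNTAX;
+
+@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+
+static isc_result_t
+table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp)
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
+{
+char key[256];
+uint32_t len;
+@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+
+REQUIRE(alistp != NULL && *alistp == NULL);
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+checksum_rstart = NULL;
+first_tag = true;
+alist = isccc_alist_create();
+@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+GET_MEM(key, len, source->rstart);
+key[len] = '\0'; /* Ensure NUL termination. */
+value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+if (result != ISC_R_SUCCESS)
+goto bad;
+if (isccc_alist_define(alist, key, value) == NULL) {
+@@ -661,14 +675,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+}
+
+static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
++list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) {
+isccc_sexpr_t *list, *value;
+isc_result_t result;
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+list = NULL;
+while (!REGION_EMPTY(*source)) {
+value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+if (result != ISC_R_SUCCESS) {
+isccc_sexpr_free(&list);
+return (result);
+@@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+if (version != 1)
+return (ISCCC_R_UNKNOWNVERSION);
+
+- return (table_fromwire(source, secret, algorithm, alistp));
++ return (table_fromwire(source, secret, algorithm, 0, alistp));
+}
+
+static isc_result_t
+diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
+index 6c79dd7..a85861c 100644
+--- a/lib/isccc/include/isccc/result.h
++++ b/lib/isccc/include/isccc/result.h
+@@ -47,8 +47,10 @@
+#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
+/*% Duplicate */
+#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
++/*% Maximum recursion depth */
++#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
+
+-#define ISCCC_R_NRESULTS 6 /*%< Number of results */
++#define ISCCC_R_NRESULTS 7 /*%< Number of results */
+
+ISC_LANG_BEGINDECLS
+
+diff --git a/lib/isccc/result.c b/lib/isccc/result.c
+index 8419bbb..325200b 100644
+--- a/lib/isccc/result.c
++++ b/lib/isccc/result.c
+@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
+"bad auth", /* 3 */
+"expired", /* 4 */
+"clock skew", /* 5 */
+- "duplicate" /* 6 */
++ "duplicate", /* 6 */
++ "max depth", /* 7 */
+};
+
+static const char *ids[ISCCC_R_NRESULTS] = {
+@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
+"ISCCC_R_EXPIRED",
+"ISCCC_R_CLOCKSKEW",
+"ISCCC_R_DUPLICATE",
++ "ISCCC_R_MAXDEPTH",
+};
+
+#define ISCCC_RESULT_RESULTSET 2
+--
+2.25.1
+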
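Review bot: Each of `value_fromwire`, `table_fromwire` and `list_fromwire` now rejects `depth > ISCCC_MAXDEPTH`, and every call between them passes `depth + 1` (patch lines 69, 72, 101, 122), so one nested table or list costs two depth units and the effective container nesting limit is roughly ISCCC_MAXDEPTH/2; that is adequate for rndc but worth stating next to the define, e.g. `/* Counted per *_fromwire frame: a nested table or list consumes two units. */`. The redefined `list_fromwire` at patch line 110 is left on a single line past 80 columns while its forward declaration at lines 44–45 is wrapped; wrapping the definition the same way keeps the two consistent. All three functions extend outside their hunks.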
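--- a/meta/recipes-connectivity/bind/bind_9.11.22.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb
@@ -1,9 +1,10 @@
 SUMMARY = "ISC Internet Domain Name Server"
 HOMEPAGE = "https://www.isc.org/bind/"
+DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
 SECTION = "console/network"
 
 LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=89a97ebbf713f7125fe5c02223d3ae95"
 
 DEPENDS = "openssl libcap zlib"
 
@@ -18,9 +19,14 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
 file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
 file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
 file://0001-avoid-start-failure-with-bind-user.patch \
+file://CVE-2022-2795.patch \
+file://CVE-2022-38177.patch \
+file://CVE-2022-38178.patch \
+file://CVE-2023-2828.patch \
+file://CVE-2023-3341.patch \
 "
 
-SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9"
+SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4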
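Review bot: `LIC_FILES_CHKSUM` changes at old line 6/new line 7 together with the version bump, and nothing on the page says what changed in COPYRIGHT; the Yocto convention is to state the reason (typically a copyright-year update) in the commit message so the license change can be reviewed rather than assumed benign. The five `file://CVE-*.patch` entries are added on top of 9.11.37 while the retained comment `# stay at 9.11 until 9.16` shows the recipe will keep this branch, so it will presumably keep carrying local backports; a comment above those entries such as `# CVE fixes not present in any 9.11 release; backported from 9.16` would help the next person auditing CVE status.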