3 files changed, 215 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
new file mode 100644
index 0000000000..5393063c56
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,90 @@
+From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 12 Oct 2016 19:52:59 +0900
+Subject: [PATCH]
+4406.   [security]      getrrsetbyname with a non absolute name could
+                        trigger an infinite recursion bug in lwresd
+                        and named with lwres configured if when combined
+                        with a search list entry the resulting name is
+                        too long. (CVE-2016-2775) [RT #42694]
+Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
+v9.11.0_patch branch.
+CVE: CVE-2016-2775
+Upstream-Status: Backport
+Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ CHANGES                          |  6 ++++++
+ bin/named/lwdgrbn.c              | 16 ++++++++++------
+ bin/tests/system/lwresd/lwtest.c |  9 ++++++++-
+ 3 files changed, 24 insertions(+), 7 deletions(-)
+diff --git a/CHANGES b/CHANGES
+index d2e3360..d0a9d12 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -1,3 +1,9 @@
+4406.   [security]      getrrsetbyname with a non absolute name could
+                        trigger an infinite recursion bug in lwresd
+                        and named with lwres configured if when combined
+                        with a search list entry the resulting name is
+                        too long. (CVE-2016-2775) [RT #42694]
+
+ 4322.  [security]      Duplicate EDNS COOKIE options in a response could
+                        trigger an assertion failure. (CVE-2016-2088)
+                        [RT #41809]
+diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
+index 3e7b15b..e1e9adc 100644
+--- a/bin/named/lwdgrbn.c
+++ b/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+        INSIST(client->lookup == NULL);
+ 
+        dns_fixedname_init(&absname);
+-       result = ns_lwsearchctx_current(&client->searchctx,
+-                                       dns_fixedname_name(&absname));
+
+        /*
+-        * This will return failure if relative name + suffix is too long.
+-        * In this case, just go on to the next entry in the search path.
+         * Perform search across all search domains until success
+         * is returned. Return in case of failure.
+         */
+-       if (result != ISC_R_SUCCESS)
+-               start_lookup(client);
+        while (ns_lwsearchctx_current(&client->searchctx,
+                        dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
+                if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
+                        ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+                        return;
+                }
+        }
+ 
+        result = dns_lookup_create(cm->mctx,
+                                   dns_fixedname_name(&absname),
+diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
+index ad9b551..3eb4a66 100644
+--- a/bin/tests/system/lwresd/lwtest.c
+++ b/bin/tests/system/lwresd/lwtest.c
+@@ -768,7 +768,14 @@ main(void) {
+        test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
+        test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+        test_getrrsetbyname("", 1, 1, 0, 0, 0);
+-
+        test_getrrsetbyname("123456789.123456789.123456789.123456789."
+                            "123456789.123456789.123456789.123456789."
+                            "123456789.123456789.123456789.123456789."
+                            "123456789.123456789.123456789.123456789."
+                            "123456789.123456789.123456789.123456789."
+                            "123456789.123456789.123456789.123456789."
+                            "123456789", 1, 1, 0, 0, 0);
+ 
+        if (fails == 0)
+                printf("I:ok\n");
+        return (fails);
+-- 
+2.7.4
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
new file mode 100644
index 0000000000..738bf60058
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0 +1,123 @@
+From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 12 Oct 2016 20:36:52 +0900
+Subject: [PATCH] 
+4467.   [security]      It was possible to trigger an assertion when 
+                        rendering a message. (CVE-2016-2776) [RT #43139]
+Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the
+v9.11.0_patch branch.
+CVE: CVE-2016-2776
+Upstream-Status: Backport
+Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ CHANGES           |  3 +++
+ lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
+ 2 files changed, 34 insertions(+), 11 deletions(-)
+diff --git a/CHANGES b/CHANGES
+index d0a9d12..5c8c61a 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -1,3 +1,6 @@
+4467.   [security]      It was possible to trigger an assertion when
+                        rendering a message. (CVE-2016-2776) [RT #43139]
+
+ 4406.   [security]      getrrsetbyname with a non absolute name could
+                         trigger an infinite recursion bug in lwresd
+                         and named with lwres configured if when combined
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 6b5b4bb..b74dc81 100644
+--- a/lib/dns/message.c
+++ b/lib/dns/message.c
+@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
+        if (r.length < DNS_MESSAGE_HEADERLEN)
+                return (ISC_R_NOSPACE);
+ 
+-       if (r.length < msg->reserved)
+        if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+                return (ISC_R_NOSPACE);
+ 
+        /*
+@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
+ 
+        return (ISC_TRUE);
+ }
+-
+ #endif
+
+static isc_result_t
+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+         dns_compress_t *cctx, isc_buffer_t *target,
+         unsigned int reserved, unsigned int options, unsigned int *countp)
+{
+       isc_result_t result;
+
+       /*
+        * Shrink the space in the buffer by the reserved amount.
+        */
+       if (target->length - target->used < reserved)
+               return (ISC_R_NOSPACE);
+
+       target->length -= reserved;
+       result = dns_rdataset_towire(rdataset, owner_name,
+                                    cctx, target, options, countp);
+       target->length += reserved;
+
+       return (result);
+}
+
+ isc_result_t
+ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+                          unsigned int options)
+@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+        /*
+         * Shrink the space in the buffer by the reserved amount.
+         */
+        if (msg->buffer->length - msg->buffer->used < msg->reserved)
+                return (ISC_R_NOSPACE);
+        msg->buffer->length -= msg->reserved;
+ 
+        total = 0;
+@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) {
+                 * Render.
+                 */
+                count = 0;
+-               result = dns_rdataset_towire(msg->opt, dns_rootname,
+-                                            msg->cctx, msg->buffer, 0,
+-                                            &count);
+                result = renderset(msg->opt, dns_rootname, msg->cctx,
+                                   msg->buffer, msg->reserved, 0, &count);
+                msg->counts[DNS_SECTION_ADDITIONAL] += count;
+                if (result != ISC_R_SUCCESS)
+                        return (result);
+@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) {
+                if (result != ISC_R_SUCCESS)
+                        return (result);
+                count = 0;
+-               result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+-                                            msg->cctx, msg->buffer, 0,
+-                                            &count);
+                result = renderset(msg->tsig, msg->tsigname, msg->cctx,
+                                   msg->buffer, msg->reserved, 0, &count);
+                msg->counts[DNS_SECTION_ADDITIONAL] += count;
+                if (result != ISC_R_SUCCESS)
+                        return (result);
+@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) {
+                 * the owner name of a SIG(0) is irrelevant, and will not
+                 * be set in a message being rendered.
+                 */
+-               result = dns_rdataset_towire(msg->sig0, dns_rootname,
+-                                            msg->cctx, msg->buffer, 0,
+-                                            &count);
+                result = renderset(msg->sig0, dns_rootname, msg->cctx,
+                                   msg->buffer, msg->reserved, 0, &count);
+                msg->counts[DNS_SECTION_ADDITIONAL] += count;
+                if (result != ISC_R_SUCCESS)
+                        return (result);
+-- 
+2.7.4
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index a99f0dd854..4e2e856b72 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -25,6 +25,8 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://CVE-2016-1286_1.patch \
           file://CVE-2016-1286_2.patch \
           file://CVE-2016-2088.patch \
+           file://CVE-2016-2775.patch \
+           file://CVE-2016-2776.patch \
           "
 SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch new file mode 100644 index 0000000000..5393063c56 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,90 @@
		1	From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Wed, 12 Oct 2016 19:52:59 +0900
		4	Subject: [PATCH]
		5	4406. [security] getrrsetbyname with a non absolute name could
		6	trigger an infinite recursion bug in lwresd
		7	and named with lwres configured if when combined
		8	with a search list entry the resulting name is
		9	too long. (CVE-2016-2775) [RT #42694]
		10
		11	Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
		12	v9.11.0_patch branch.
		13
		14	CVE: CVE-2016-2775
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
		18
		19	---
		20	CHANGES \| 6 ++++++
		21	bin/named/lwdgrbn.c \| 16 ++++++++++------
		22	bin/tests/system/lwresd/lwtest.c \| 9 ++++++++-
		23	3 files changed, 24 insertions(+), 7 deletions(-)
		24
		25	diff --git a/CHANGES b/CHANGES
		26	index d2e3360..d0a9d12 100644
		27	--- a/CHANGES
		28	+++ b/CHANGES
		29	@@ -1,3 +1,9 @@
		30	+4406. [security] getrrsetbyname with a non absolute name could
		31	+ trigger an infinite recursion bug in lwresd
		32	+ and named with lwres configured if when combined
		33	+ with a search list entry the resulting name is
		34	+ too long. (CVE-2016-2775) [RT #42694]
		35	+
		36	4322. [security] Duplicate EDNS COOKIE options in a response could
		37	trigger an assertion failure. (CVE-2016-2088)
		38	[RT #41809]
		39	diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
		40	index 3e7b15b..e1e9adc 100644
		41	--- a/bin/named/lwdgrbn.c
		42	+++ b/bin/named/lwdgrbn.c
		43	@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
		44	INSIST(client->lookup == NULL);
		45
		46	dns_fixedname_init(&absname);
		47	- result = ns_lwsearchctx_current(&client->searchctx,
		48	- dns_fixedname_name(&absname));
		49	+
		50	/*
		51	- * This will return failure if relative name + suffix is too long.
		52	- * In this case, just go on to the next entry in the search path.
		53	+ * Perform search across all search domains until success
		54	+ * is returned. Return in case of failure.
		55	*/
		56	- if (result != ISC_R_SUCCESS)
		57	- start_lookup(client);
		58	+ while (ns_lwsearchctx_current(&client->searchctx,
		59	+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
		60	+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
		61	+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
		62	+ return;
		63	+ }
		64	+ }
		65
		66	result = dns_lookup_create(cm->mctx,
		67	dns_fixedname_name(&absname),
		68	diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
		69	index ad9b551..3eb4a66 100644
		70	--- a/bin/tests/system/lwresd/lwtest.c
		71	+++ b/bin/tests/system/lwresd/lwtest.c
		72	@@ -768,7 +768,14 @@ main(void) {
		73	test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
		74	test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
		75	test_getrrsetbyname("", 1, 1, 0, 0, 0);
		76	-
		77	+ test_getrrsetbyname("123456789.123456789.123456789.123456789."
		78	+ "123456789.123456789.123456789.123456789."
		79	+ "123456789.123456789.123456789.123456789."
		80	+ "123456789.123456789.123456789.123456789."
		81	+ "123456789.123456789.123456789.123456789."
		82	+ "123456789.123456789.123456789.123456789."
		83	+ "123456789", 1, 1, 0, 0, 0);
		84	+
		85	if (fails == 0)
		86	printf("I:ok\n");
		87	return (fails);
		88	--
		89	2.7.4
		90


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch new file mode 100644 index 0000000000..738bf60058 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0 +1,123 @@
		1	From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Wed, 12 Oct 2016 20:36:52 +0900
		4	Subject: [PATCH]
		5	4467. [security] It was possible to trigger an assertion when
		6	rendering a message. (CVE-2016-2776) [RT #43139]
		7
		8	Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the
		9	v9.11.0_patch branch.
		10
		11	CVE: CVE-2016-2776
		12	Upstream-Status: Backport
		13
		14	Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
		15
		16	---
		17	CHANGES \| 3 +++
		18	lib/dns/message.c \| 42 +++++++++++++++++++++++++++++++-----------
		19	2 files changed, 34 insertions(+), 11 deletions(-)
		20
		21	diff --git a/CHANGES b/CHANGES
		22	index d0a9d12..5c8c61a 100644
		23	--- a/CHANGES
		24	+++ b/CHANGES
		25	@@ -1,3 +1,6 @@
		26	+4467. [security] It was possible to trigger an assertion when
		27	+ rendering a message. (CVE-2016-2776) [RT #43139]
		28	+
		29	4406. [security] getrrsetbyname with a non absolute name could
		30	trigger an infinite recursion bug in lwresd
		31	and named with lwres configured if when combined
		32	diff --git a/lib/dns/message.c b/lib/dns/message.c
		33	index 6b5b4bb..b74dc81 100644
		34	--- a/lib/dns/message.c
		35	+++ b/lib/dns/message.c
		36	@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t msg, dns_compress_t cctx,
		37	if (r.length < DNS_MESSAGE_HEADERLEN)
		38	return (ISC_R_NOSPACE);
		39
		40	- if (r.length < msg->reserved)
		41	+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
		42	return (ISC_R_NOSPACE);
		43
		44	/*
		45	@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
		46
		47	return (ISC_TRUE);
		48	}
		49	-
		50	#endif
		51	+
		52	+static isc_result_t
		53	+renderset(dns_rdataset_t rdataset, dns_name_t owner_name,
		54	+ dns_compress_t cctx, isc_buffer_t target,
		55	+ unsigned int reserved, unsigned int options, unsigned int *countp)
		56	+{
		57	+ isc_result_t result;
		58	+
		59	+ /*
		60	+ * Shrink the space in the buffer by the reserved amount.
		61	+ */
		62	+ if (target->length - target->used < reserved)
		63	+ return (ISC_R_NOSPACE);
		64	+
		65	+ target->length -= reserved;
		66	+ result = dns_rdataset_towire(rdataset, owner_name,
		67	+ cctx, target, options, countp);
		68	+ target->length += reserved;
		69	+
		70	+ return (result);
		71	+}
		72	+
		73	isc_result_t
		74	dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
		75	unsigned int options)
		76	@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
		77	/*
		78	* Shrink the space in the buffer by the reserved amount.
		79	*/
		80	+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
		81	+ return (ISC_R_NOSPACE);
		82	msg->buffer->length -= msg->reserved;
		83
		84	total = 0;
		85	@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) {
		86	* Render.
		87	*/
		88	count = 0;
		89	- result = dns_rdataset_towire(msg->opt, dns_rootname,
		90	- msg->cctx, msg->buffer, 0,
		91	- &count);
		92	+ result = renderset(msg->opt, dns_rootname, msg->cctx,
		93	+ msg->buffer, msg->reserved, 0, &count);
		94	msg->counts[DNS_SECTION_ADDITIONAL] += count;
		95	if (result != ISC_R_SUCCESS)
		96	return (result);
		97	@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) {
		98	if (result != ISC_R_SUCCESS)
		99	return (result);
		100	count = 0;
		101	- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
		102	- msg->cctx, msg->buffer, 0,
		103	- &count);
		104	+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
		105	+ msg->buffer, msg->reserved, 0, &count);
		106	msg->counts[DNS_SECTION_ADDITIONAL] += count;
		107	if (result != ISC_R_SUCCESS)
		108	return (result);
		109	@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) {
		110	* the owner name of a SIG(0) is irrelevant, and will not
		111	* be set in a message being rendered.
		112	*/
		113	- result = dns_rdataset_towire(msg->sig0, dns_rootname,
		114	- msg->cctx, msg->buffer, 0,
		115	- &count);
		116	+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
		117	+ msg->buffer, msg->reserved, 0, &count);
		118	msg->counts[DNS_SECTION_ADDITIONAL] += count;
		119	if (result != ISC_R_SUCCESS)
		120	return (result);
		121	--
		122	2.7.4
		123


diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb index a99f0dd854..4e2e856b72 100644 --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -25,6 +25,8 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
25	file://CVE-2016-1286_1.patch \	25	file://CVE-2016-1286_1.patch \
26	file://CVE-2016-1286_2.patch \	26	file://CVE-2016-1286_2.patch \
27	file://CVE-2016-2088.patch \	27	file://CVE-2016-2088.patch \
		28	file://CVE-2016-2775.patch \
		29	file://CVE-2016-2776.patch \
28	"	30	"
29		31
30	SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"	32	SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"