summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/bind
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity/bind')
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch90
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch123
-rw-r--r--meta/recipes-connectivity/bind/bind_9.10.3-P3.bb2
3 files changed, 215 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
new file mode 100644
index 0000000000..5393063c56
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,90 @@
1From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
2From: Mark Andrews <marka@isc.org>
3Date: Wed, 12 Oct 2016 19:52:59 +0900
4Subject: [PATCH]
54406. [security] getrrsetbyname with a non absolute name could
6 trigger an infinite recursion bug in lwresd
7 and named with lwres configured if when combined
8 with a search list entry the resulting name is
9 too long. (CVE-2016-2775) [RT #42694]
10
11Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
12v9.11.0_patch branch.
13
14CVE: CVE-2016-2775
15Upstream-Status: Backport
16
17Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
18
19---
20 CHANGES | 6 ++++++
21 bin/named/lwdgrbn.c | 16 ++++++++++------
22 bin/tests/system/lwresd/lwtest.c | 9 ++++++++-
23 3 files changed, 24 insertions(+), 7 deletions(-)
24
25diff --git a/CHANGES b/CHANGES
26index d2e3360..d0a9d12 100644
27--- a/CHANGES
28+++ b/CHANGES
29@@ -1,3 +1,9 @@
30+4406. [security] getrrsetbyname with a non absolute name could
31+ trigger an infinite recursion bug in lwresd
32+ and named with lwres configured if when combined
33+ with a search list entry the resulting name is
34+ too long. (CVE-2016-2775) [RT #42694]
35+
36 4322. [security] Duplicate EDNS COOKIE options in a response could
37 trigger an assertion failure. (CVE-2016-2088)
38 [RT #41809]
39diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
40index 3e7b15b..e1e9adc 100644
41--- a/bin/named/lwdgrbn.c
42+++ b/bin/named/lwdgrbn.c
43@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
44 INSIST(client->lookup == NULL);
45
46 dns_fixedname_init(&absname);
47- result = ns_lwsearchctx_current(&client->searchctx,
48- dns_fixedname_name(&absname));
49+
50 /*
51- * This will return failure if relative name + suffix is too long.
52- * In this case, just go on to the next entry in the search path.
53+ * Perform search across all search domains until success
54+ * is returned. Return in case of failure.
55 */
56- if (result != ISC_R_SUCCESS)
57- start_lookup(client);
58+ while (ns_lwsearchctx_current(&client->searchctx,
59+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
60+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
61+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
62+ return;
63+ }
64+ }
65
66 result = dns_lookup_create(cm->mctx,
67 dns_fixedname_name(&absname),
68diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
69index ad9b551..3eb4a66 100644
70--- a/bin/tests/system/lwresd/lwtest.c
71+++ b/bin/tests/system/lwresd/lwtest.c
72@@ -768,7 +768,14 @@ main(void) {
73 test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
74 test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
75 test_getrrsetbyname("", 1, 1, 0, 0, 0);
76-
77+ test_getrrsetbyname("123456789.123456789.123456789.123456789."
78+ "123456789.123456789.123456789.123456789."
79+ "123456789.123456789.123456789.123456789."
80+ "123456789.123456789.123456789.123456789."
81+ "123456789.123456789.123456789.123456789."
82+ "123456789.123456789.123456789.123456789."
83+ "123456789", 1, 1, 0, 0, 0);
84+
85 if (fails == 0)
86 printf("I:ok\n");
87 return (fails);
88--
892.7.4
90
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
new file mode 100644
index 0000000000..738bf60058
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0 +1,123 @@
1From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001
2From: Mark Andrews <marka@isc.org>
3Date: Wed, 12 Oct 2016 20:36:52 +0900
4Subject: [PATCH]
54467. [security] It was possible to trigger an assertion when
6 rendering a message. (CVE-2016-2776) [RT #43139]
7
8Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the
9v9.11.0_patch branch.
10
11CVE: CVE-2016-2776
12Upstream-Status: Backport
13
14Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
15
16---
17 CHANGES | 3 +++
18 lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
19 2 files changed, 34 insertions(+), 11 deletions(-)
20
21diff --git a/CHANGES b/CHANGES
22index d0a9d12..5c8c61a 100644
23--- a/CHANGES
24+++ b/CHANGES
25@@ -1,3 +1,6 @@
26+4467. [security] It was possible to trigger an assertion when
27+ rendering a message. (CVE-2016-2776) [RT #43139]
28+
29 4406. [security] getrrsetbyname with a non absolute name could
30 trigger an infinite recursion bug in lwresd
31 and named with lwres configured if when combined
32diff --git a/lib/dns/message.c b/lib/dns/message.c
33index 6b5b4bb..b74dc81 100644
34--- a/lib/dns/message.c
35+++ b/lib/dns/message.c
36@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
37 if (r.length < DNS_MESSAGE_HEADERLEN)
38 return (ISC_R_NOSPACE);
39
40- if (r.length < msg->reserved)
41+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
42 return (ISC_R_NOSPACE);
43
44 /*
45@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
46
47 return (ISC_TRUE);
48 }
49-
50 #endif
51+
52+static isc_result_t
53+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
54+ dns_compress_t *cctx, isc_buffer_t *target,
55+ unsigned int reserved, unsigned int options, unsigned int *countp)
56+{
57+ isc_result_t result;
58+
59+ /*
60+ * Shrink the space in the buffer by the reserved amount.
61+ */
62+ if (target->length - target->used < reserved)
63+ return (ISC_R_NOSPACE);
64+
65+ target->length -= reserved;
66+ result = dns_rdataset_towire(rdataset, owner_name,
67+ cctx, target, options, countp);
68+ target->length += reserved;
69+
70+ return (result);
71+}
72+
73 isc_result_t
74 dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
75 unsigned int options)
76@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
77 /*
78 * Shrink the space in the buffer by the reserved amount.
79 */
80+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
81+ return (ISC_R_NOSPACE);
82 msg->buffer->length -= msg->reserved;
83
84 total = 0;
85@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) {
86 * Render.
87 */
88 count = 0;
89- result = dns_rdataset_towire(msg->opt, dns_rootname,
90- msg->cctx, msg->buffer, 0,
91- &count);
92+ result = renderset(msg->opt, dns_rootname, msg->cctx,
93+ msg->buffer, msg->reserved, 0, &count);
94 msg->counts[DNS_SECTION_ADDITIONAL] += count;
95 if (result != ISC_R_SUCCESS)
96 return (result);
97@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) {
98 if (result != ISC_R_SUCCESS)
99 return (result);
100 count = 0;
101- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
102- msg->cctx, msg->buffer, 0,
103- &count);
104+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
105+ msg->buffer, msg->reserved, 0, &count);
106 msg->counts[DNS_SECTION_ADDITIONAL] += count;
107 if (result != ISC_R_SUCCESS)
108 return (result);
109@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) {
110 * the owner name of a SIG(0) is irrelevant, and will not
111 * be set in a message being rendered.
112 */
113- result = dns_rdataset_towire(msg->sig0, dns_rootname,
114- msg->cctx, msg->buffer, 0,
115- &count);
116+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
117+ msg->buffer, msg->reserved, 0, &count);
118 msg->counts[DNS_SECTION_ADDITIONAL] += count;
119 if (result != ISC_R_SUCCESS)
120 return (result);
121--
1222.7.4
123
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index a99f0dd854..4e2e856b72 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -25,6 +25,8 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
25 file://CVE-2016-1286_1.patch \ 25 file://CVE-2016-1286_1.patch \
26 file://CVE-2016-1286_2.patch \ 26 file://CVE-2016-1286_2.patch \
27 file://CVE-2016-2088.patch \ 27 file://CVE-2016-2088.patch \
28 file://CVE-2016-2775.patch \
29 file://CVE-2016-2776.patch \
28 " 30 "
29 31
30SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a" 32SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"