Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch | 112 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind_9.10.2-P4.bb | 1 |
2 files changed, 113 insertions, 0 deletions
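--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0 +1,112 @@
+From 060b6137eee62bc6d2eb77aeaeb1ad2292ca8ed7 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 9 Sep 2016 11:29:48 +1000
+Subject: [PATCH] 4467. [security] It was possible to trigger a
+assertion when rendering a message. [RT #43139]
+
+(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12)
+---
+CHANGES | 3 +++
+lib/dns/message.c | 42 +++++++++++++++++++++++++++++++----------
+2 files changed, 34 insertions(+), 11 deletions(-)
+
+Index: bind-9.10.2-P4/lib/dns/message.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/message.c
++++ bind-9.10.2-P4/lib/dns/message.c
+@@ -1751,7 +1751,7 @@ dns_message_renderbegin(dns_message_t *m
+if (r.length < DNS_MESSAGE_HEADERLEN)
+return (ISC_R_NOSPACE);
+
+- if (r.length < msg->reserved)
++ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+return (ISC_R_NOSPACE);
+
+/*
+@@ -1878,8 +1878,29 @@ norender_rdataset(const dns_rdataset_t *
+
+return (ISC_TRUE);
+}
+-
+#endif
++
++static isc_result_t
++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
++ dns_compress_t *cctx, isc_buffer_t *target,
++ unsigned int reserved, unsigned int options, unsigned int *countp)
++{
++ isc_result_t result;
++
++ /*
++ * Shrink the space in the buffer by the reserved amount.
++ */
++ if (target->length - target->used < reserved)
++ return (ISC_R_NOSPACE);
++
++ target->length -= reserved;
++ result = dns_rdataset_towire(rdataset, owner_name,
++ cctx, target, options, countp);
++ target->length += reserved;
++
++ return (result);
++}
++
+isc_result_t
+dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+unsigned int options)
+@@ -1922,6 +1943,8 @@ dns_message_rendersection(dns_message_t
+/*
+* Shrink the space in the buffer by the reserved amount.
+*/
++ if (msg->buffer->length - msg->buffer->used < msg->reserved)
++ return (ISC_R_NOSPACE);
+msg->buffer->length -= msg->reserved;
+
+total = 0;
+@@ -2198,9 +2221,8 @@ dns_message_renderend(dns_message_t *msg
+* Render.
+*/
+count = 0;
+- result = dns_rdataset_towire(msg->opt, dns_rootname,
+- msg->cctx, msg->buffer, 0,
+- &count);
++ result = renderset(msg->opt, dns_rootname, msg->cctx,
++ msg->buffer, msg->reserved, 0, &count);
+msg->counts[DNS_SECTION_ADDITIONAL] += count;
+if (result != ISC_R_SUCCESS)
+return (result);
+@@ -2216,9 +2238,8 @@ dns_message_renderend(dns_message_t *msg
+if (result != ISC_R_SUCCESS)
+return (result);
+count = 0;
+- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+- msg->cctx, msg->buffer, 0,
+- &count);
++ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
++ msg->buffer, msg->reserved, 0, &count);
+msg->counts[DNS_SECTION_ADDITIONAL] += count;
+if (result != ISC_R_SUCCESS)
+return (result);
+@@ -2239,9 +2260,8 @@ dns_message_renderend(dns_message_t *msg
+* the owner name of a SIG(0) is irrelevant, and will not
+* be set in a message being rendered.
+*/
+- result = dns_rdataset_towire(msg->sig0, dns_rootname,
+- msg->cctx, msg->buffer, 0,
+- &count);
++ result = renderset(msg->sig0, dns_rootname, msg->cctx,
++ msg->buffer, msg->reserved, 0, &count);
+msg->counts[DNS_SECTION_ADDITIONAL] += count;
+if (result != ISC_R_SUCCESS)
+return (result);
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,6 @@
++4467. [security] It was possible to trigger a assertion when rendering
++ a message. [RT #43139]
++
+4406. [bug] getrrsetbyname with a non absolute name could
+trigger a infinite recursion bug in lwresd
+and named with lwres configured if when combined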
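Review bot: The header of the added CVE-2016-2776.patch (patch lines 1-11, from `From:` to the inner diffstat) has no `Upstream-Status:` or `CVE:` tag, which OE-core expects on every patch it carries. It records the upstream author, the subject and "cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12", but nothing a tool can read. Add `CVE: CVE-2016-2776` and `Upstream-Status: Backport` above the `---` separator, so CVE tracking and later version upgrades can identify the fix as an upstream backport without relying on the file name. No Signed-off-by from whoever did the backport is visible in the patch header either; if the layer's policy requires one, it belongs in the same place.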
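--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -30,6 +30,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
 file://CVE-2016-1286_2.patch \
 file://CVE-2016-2088.patch \
 file://CVE-2016-2775.patch \
+file://CVE-2016-2776.patch \
 "
 
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"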