From a8f6e31bebc5a551fab1fec8d67489af80878f71 Mon Sep 17 00:00:00 2001
From: Kai Kang
Date: Sun, 24 Nov 2019 15:50:20 -0800
Subject: bind: fix CVE-2019-6471 and CVE-2018-5743
Backport patches to fix CVE-2019-6471 and CVE-2018-5743 for bind. CVE-2019-6471 is fixed by 0001-bind-fix-CVE-2019-6471.patch and the other 6 patches are for CVE-2018-5743. And backport one more patch to fix compile error on arm caused by these 6 commits.
(From OE-Core rev: 3c39d4158677b97253df63f23b74c3a9dd5539f6)
(From OE-Core rev: 07a8d013383b622eabfcefec9378c857b5265c05)
Signed-off-by: Kai Kang
Signed-off-by: Richard Purdie
Signed-off-by: Anuj Mittal
Signed-off-by: Richard Purdie
---
.../bind/bind/0001-bind-fix-CVE-2019-6471.patch | 64 ++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
(limited to 'meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch')
diff --git a/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch b/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
new file mode 100644
index 0000000000..2fed99e1bb
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
@@ -0,0 +1,64 @@
+Backport patch to fix CVE-2019-6471.
+
+Ref:
+https://security-tracker.debian.org/tracker/CVE-2019-6471
+
+CVE: CVE-2019-6471
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb]
+
+Signed-off-by: Kai Kang
+
+From 3a9c7bb80d4a609b86427406d9dd783199920b5b Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Tue, 19 Mar 2019 14:14:21 +1100
+Subject: [PATCH] move item_out test inside lock in dns_dispatch_getnext()
+
+(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712)
+---
+ lib/dns/dispatch.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
+index 408beda367..3278db4a07 100644
+--- a/lib/dns/dispatch.c
++++ b/lib/dns/dispatch.c
+@@ -134,7 +134,7 @@ struct dns_dispentry {
+ isc_task_t *task;
+ isc_taskaction_t action;
+ void *arg;
+- bool item_out;
++ bool item_out;
+ dispsocket_t *dispsocket;
+ ISC_LIST(dns_dispatchevent_t) items;
+ ISC_LINK(dns_dispentry_t) link;
+@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
+ disp = resp->disp;
+ REQUIRE(VALID_DISPATCH(disp));
+
+- REQUIRE(resp->item_out == true);
+- resp->item_out = false;
+-
+ ev = *sockevent;
+ *sockevent = NULL;
+
+ LOCK(&disp->lock);
++
++ REQUIRE(resp->item_out == true);
++ resp->item_out = false;
++
+ if (ev->buffer.base != NULL)
+ free_buffer(disp, ev->buffer.base, ev->buffer.length);
+ free_devent(disp, ev);
+@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
+ isc_task_send(disp->task[0], &disp->ctlevent);
+ }
+
++/*
++ * disp must be locked.
++ */
+ static void
+ do_cancel(dns_dispatch_t *disp) {
+ dns_dispatchevent_t *ev;
+--
+2.20.1
+
-- cgit v1.2.3-54-g00ecf
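Review bot: The backported hunk in dns_dispatch_getnext() closes the race only if every other read or write of `resp->item_out` in the BIND version this recipe builds also runs with `disp->lock` held; those sites are outside the hunk, so this should be checked against the target source tree rather than assumed from upstream. The embedded patch also carries what appears to be a whitespace-only change to the `item_out` field of struct dns_dispentry, which adds nothing to the fix and could make the hunk fail to apply if the tree's whitespace differs. In the patch header I would pin the full upstream hash that already appears a few lines below, `Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb80d4a609b86427406d9dd783199920b5b]`, since a seven-character abbreviation can become ambiguous over time. This view is limited to the one file, so the recipe's SRC_URI entry that actually applies the patch is not visible here and should be confirmed.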