From 71129828ff4cfda3d66aa9378be3c5a53f2beb8b Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Thu, 7 Apr 2016 12:27:27 +0200 Subject: bind: CVE-2016-1285 CVE-2016-1286 CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure CVE-2016-1286 bind: malformed signature records for DNAME records can trigger assertion failure [YOCTO #9400] External References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286 References to the Upstream commits and Security Advisories: CVE-2016-1285: https://kb.isc.org/article/AA-01352 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=31e4657cf246e41d4c5c890315cb6cf89a0db25a CVE-2016-1286_1: https://kb.isc.org/article/AA-01353 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7 CVE-2016-1286_2: https://kb.isc.org/article/AA-01353 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=ce3cd91caee698cb144e1350c6c78292c6be6339 Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea Signed-off-by: Sona Sarmadi --- .../bind/bind/CVE-2016-1286_1.patch | 78 ++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch (limited to 'meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch')
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
new file mode 100644
index 0000000000..4a2c15ffc7
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
@@ -0,0 +1,78 @@
+From 76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7 Mon Sep 17 00:00:00 2001
+From: Mukund Sivaraman
+Date: Mon, 22 Feb 2016 12:22:43 +0530
+Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
+ (CVE-2016-1286) (#41753)
+
+(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
+(cherry picked from commit 456e1eadd2a3a2fb9617e60d4db90ef4ba7c6ba3)
+
+CVE: CVE-2016-1286
+Upstream-Status: Backport
+
+[Skipped CHANGES and doc/arm/notes.xml changes.]
+
+Signed-off-by: Sona Sarmadi
+---
+ CHANGES | 4 ++++
+ doc/arm/notes.xml | 7 +++++++
+ lib/dns/resolver.c | 33 ++++++++++++++++++---------------
+ 3 files changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 735f7d2..0602070 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -6701,21 +6701,26 @@ answer_response(fetchctx_t *fctx) {
+ isc_boolean_t found_dname = ISC_FALSE;
+ dns_name_t *dname_name;
+
++ /*
++ * Only pass DNAME or RRSIG(DNAME).
++ */
++ if (rdataset->type != dns_rdatatype_dname &&
++ (rdataset->type != dns_rdatatype_rrsig ||
++ rdataset->covers != dns_rdatatype_dname))
++ continue;
++
++ /*
++ * If we're not chaining, then the DNAME and
++ * its signature should not be external.
++ */
++ if (!chaining && external) {
++ log_formerr(fctx, "external DNAME");
++ return (DNS_R_FORMERR);
++ }
++
+ found = ISC_FALSE;
+ aflag = 0;
+ if (rdataset->type == dns_rdatatype_dname) {
+- /*
+- * We're looking for something else,
+- * but we found a DNAME.
+- *
+- * If we're not chaining, then the
+- * DNAME should not be external.
+- */
+- if (!chaining && external) {
+- log_formerr(fctx,
+- "external DNAME");
+- return (DNS_R_FORMERR);
+- }
+ found = ISC_TRUE;
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+@@ -6744,9 +6749,7 @@ answer_response(fetchctx_t *fctx) {
+ &fctx->domain)) {
+ return (DNS_R_SERVFAIL);
+ }
+- } else if (rdataset->type == dns_rdatatype_rrsig
+- && rdataset->covers ==
+- dns_rdatatype_dname) {
++ } else {
+ /*
+ * We've found a signature that
+ * covers the DNAME.
+--
+1.9.1
+
-- cgit v1.2.3-54-g00ecf
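Review bot: The header of the added patch carries `CVE: CVE-2016-1286` without saying that it is only the first of the two upstream commits the commit message lists for that CVE (`CVE-2016-1286_1` and `CVE-2016-1286_2`). This view is limited to the one file, so it cannot be confirmed here that the second patch and the recipe's `SRC_URI` entries are part of the same commit. A bracketed line next to the existing skip note, such as `[Part 1 of 2 for CVE-2016-1286; apply together with CVE-2016-1286_2.patch.]`, would keep a later maintainer, or any tooling that reads the `CVE:` tag, from treating this file alone as the complete fix. The embedded diffstat still reports `CHANGES` and `doc/arm/notes.xml` (3 files changed) although those hunks were dropped, so it will not match the content when compared against upstream. In the code, the final `else` branch now relies on the new filter at the top of the loop body to guarantee an RRSIG covering DNAME; the body of `answer_response` starts and ends outside both inner hunks.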