bind: fix for CVE-2012-3817 Upstream-Status: Backport ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2; 9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation is enabled, does not properly initialize the failing-query cache, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) by sending many queries. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3817 This patch is back-ported from bind-9.3.6-20.P1.el5_8.2.src.rpm package. Signed-off-by: Ming Liu --- resolver.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -8318,6 +8318,7 @@ dns_resolver_addbadcache(dns_resolver_t goto cleanup; bad->type = type; bad->hashval = hashval; + bad->expire = *expire; isc_buffer_init(&buffer, bad + 1, name->length); dns_name_init(&bad->name, NULL); dns_name_copy(name, &bad->name, &buffer); @@ -8329,8 +8330,8 @@ dns_resolver_addbadcache(dns_resolver_t if (resolver->badcount < resolver->badhash * 2 && resolver->badhash > DNS_BADCACHE_SIZE) resizehash(resolver, &now, ISC_FALSE); - } - bad->expire = *expire; + } else + bad->expire = *expire; cleanup: UNLOCK(&resolver->lock); }