Drop CVE patches that have been fixed in upstream poky/rocko

Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Martin Borg <martin.borg@enea.com> 2018-02-28 09:33:50 +0100
committer: Martin Borg <martin.borg@enea.com> 2018-02-28 09:33:50 +0100
commit: 495b231e8e0da5046b6b1803d372fe33d0b14be9 (patch)
tree: 63a15b7f1e71be9c3ab4f2ee829e9b59e2f0515f /recipes-connectivity
parent: 75578eccbe6c1de6b437e1599fe674e6b7ee2db1 (diff)
download: meta-el-common-495b231e8e0da5046b6b1803d372fe33d0b14be9.tar.gz
5 files changed, 0 insertions, 299 deletions
diff --git a/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch b/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch
deleted file mode 100644
index a874469..0000000
--- a/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 6bed6ea11b1880e0a078bd02c1d31d21f0540583 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Thu, 29 Dec 2016 10:48:46 +1100
-Subject: [PATCH] fix back port issue
-This patch is needed for CVE-2016-9444 fix.
-Upstream-Status: Backport [backport from v9_10_6_patch: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;h=6bed6ea11b1880e0a078bd02c1d31d21f0540583]
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- lib/dns/message.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/lib/dns/message.c b/lib/dns/message.c
-index fe8e5d0..5b8166a 100644
--- a/lib/dns/message.c
-+++ b/lib/dns/message.c
-@@ -1639,7 +1639,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
-            ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
-            !preserve_order &&
-            !auth_signed(section)) 
-               DO_ERROR(DNS_R_FORMERR);
-+               DO_FORMERR;
- 
-        if (seen_problem)
-                return (DNS_R_RECOVERABLE);
-- 
-1.9.1
diff --git a/recipes-connectivity/bind/bind/CVE-2016-9444.patch b/recipes-connectivity/bind/bind/CVE-2016-9444.patch
deleted file mode 100644
index 2c1e125..0000000
--- a/recipes-connectivity/bind/bind/CVE-2016-9444.patch
+++ /dev/null
@@ -1,186 +0,0 @@
-From 254d55749ccb1129e7d021a51d0c3b7d3da26ee1 Mon Sep 17 00:00:00 2001
-From: Sona Sarmadi <sona.sarmadi@enea.com>
-Date: Tue, 12 Sep 2017 14:13:28 +0200
-Subject: [PATCH] CVE-2016-9444
-An unusually-formed DS record response could cause an assertion failure
-CVE: CVE-2016-9444
-Upstream-Status: Backport [backport from remotes/origin/v9_10_6_patch
-https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=04c7ee66b1eda851737cc7582a2a88193a0b4118]
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- CHANGES            |  4 +++
- lib/dns/message.c  | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++---
- lib/dns/resolver.c | 21 ++++++---------
- 3 files changed, 85 insertions(+), 16 deletions(-)
-diff --git a/CHANGES b/CHANGES
-index 97d2e60..5760ca5 100644
--- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,7 @@
-+4517.  [security]      Named could mishandle authority sections that were
-+                       missing RRSIGs triggering an assertion failure.
-+                       (CVE-2016-9444) [RT # 43632]
-+
- 4504.  [security]      Allow the maximum number of records in a zone to
-                        be specified.  This provides a control for issues
-                        raised in CVE-2016-6170. [RT #42143]
-diff --git a/lib/dns/message.c b/lib/dns/message.c
-index 0dd4c77..2e37dac 100644
--- a/lib/dns/message.c
-+++ b/lib/dns/message.c
-@@ -1171,6 +1171,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
-        return (ISC_FALSE);
- }
- 
-+/*
-+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
-+ * covering RRSIGs.
-+ */
-+static isc_boolean_t
-+auth_signed(dns_namelist_t *section) {
-+       dns_name_t *name;
-+
-+       for (name = ISC_LIST_HEAD(*section);
-+            name != NULL;
-+            name = ISC_LIST_NEXT(name, link))
-+       {
-+               int auth_dnssec = 0, auth_rrsig = 0;
-+               dns_rdataset_t *rds;
-+
-+               for (rds = ISC_LIST_HEAD(name->list);
-+                    rds != NULL;
-+                    rds = ISC_LIST_NEXT(rds, link))
-+               {
-+                       switch (rds->type) {
-+                       case dns_rdatatype_ds:
-+                               auth_dnssec |= 0x1;
-+                               break;
-+                       case dns_rdatatype_nsec:
-+                               auth_dnssec |= 0x2;
-+                               break;
-+                       case dns_rdatatype_nsec3:
-+                               auth_dnssec |= 0x4;
-+                               break;
-+                       case dns_rdatatype_rrsig:
-+                               break;
-+                       default:
-+                               continue;
-+                       }
-+
-+                       switch (rds->covers) {
-+                       case dns_rdatatype_ds:
-+                               auth_rrsig |= 0x1;
-+                               break;
-+                       case dns_rdatatype_nsec:
-+                               auth_rrsig |= 0x2;
-+                               break;
-+                       case dns_rdatatype_nsec3:
-+                               auth_rrsig |= 0x4;
-+                               break;
-+                       default:
-+                               break;
-+                       }
-+               }
-+
-+               if (auth_dnssec != auth_rrsig)
-+                       return (ISC_FALSE);
-+       }
-+
-+       return (ISC_TRUE);
-+}
-+
- static isc_result_t
- getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
-           dns_section_t sectionid, unsigned int options)
-@@ -1196,12 +1253,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
-        best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
-        seen_problem = ISC_FALSE;
- 
-+       section = &msg->sections[sectionid];
-+
-        for (count = 0; count < msg->counts[sectionid]; count++) {
-                int recstart = source->current;
-                isc_boolean_t skip_name_search, skip_type_search;
- 
-               section = &msg->sections[sectionid];
-
-                skip_name_search = ISC_FALSE;
-                skip_type_search = ISC_FALSE;
-                free_rdataset = ISC_FALSE;
-@@ -1364,7 +1421,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
-                        goto cleanup;
-                rdata->rdclass = rdclass;
-                issigzero = ISC_FALSE;
-               if (rdtype == dns_rdatatype_rrsig  &&
-+               if (rdtype == dns_rdatatype_rrsig &&
-                    rdata->flags == 0) {
-                        covers = dns_rdata_covers(rdata);
-                        if (covers == 0)
-@@ -1575,6 +1632,19 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
-                INSIST(free_rdataset == ISC_FALSE);
-        }
- 
-+       /*
-+        * If any of DS, NSEC or NSEC3 appeared in the
-+        * authority section of a query response without
-+        * a covering RRSIG, FORMERR
-+        */
-+       if (sectionid == DNS_SECTION_AUTHORITY &&
-+           msg->opcode == dns_opcode_query &&
-+           ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
-+           ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
-+           !preserve_order &&
-+           !auth_signed(section)) 
-+               DO_ERROR(DNS_R_FORMERR);
-+
-        if (seen_problem)
-                return (DNS_R_RECOVERABLE);
-        return (ISC_R_SUCCESS);
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index b8fa6b3..017b4ba 100644
--- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -5435,16 +5435,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
-                                                              rdataset->type,
-                                                              &noqname);
-                                        if (tresult == ISC_R_SUCCESS &&
-                                           noqname != NULL) {
-                                               tresult =
-                                                    dns_rdataset_addnoqname(
-+                                           noqname != NULL)
-+                                               (void) dns_rdataset_addnoqname(
-                                                            rdataset, noqname);
-                                               RUNTIME_CHECK(tresult ==
-                                                             ISC_R_SUCCESS);
-                                       }
-                                }
-                               if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0)
-                                               options = DNS_DBADD_PREFETCH;
-+                               if ((fctx->options &
-+                                    DNS_FETCHOPT_PREFETCH) != 0)
-+                                       options = DNS_DBADD_PREFETCH;
-                                addedrdataset = ardataset;
-                                result = dns_db_addrdataset(fctx->cache, node,
-                                                            NULL, now, rdataset,
-@@ -5584,11 +5581,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
-                                tresult = findnoqname(fctx, name,
-                                                      rdataset->type, &noqname);
-                                if (tresult == ISC_R_SUCCESS &&
-                                   noqname != NULL) {
-                                       tresult = dns_rdataset_addnoqname(
-                                                           rdataset, noqname);
-                                       RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
-                               }
-+                                   noqname != NULL)
-+                                       (void) dns_rdataset_addnoqname(
-+                                                      rdataset, noqname);
-                        }
- 
-                        /*
-- 
-1.9.1
diff --git a/recipes-connectivity/bind/bind/CVE-2017-3135.patch b/recipes-connectivity/bind/bind/CVE-2017-3135.patch
deleted file mode 100644
index 8cb2340..0000000
--- a/recipes-connectivity/bind/bind/CVE-2017-3135.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 6106ed6841b253c78c6120be24c8722d6310a9b9 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Tue, 31 Jan 2017 11:20:03 +1100
-Subject: [PATCH] add a REQUIRE to catch the NULL pointer dereference that
- triggered CVE-2017-3135
-CVE: CVE-2017-3135
-Upstream-Status: Backport [backport from remotes/origin/v9_10]
-(cherry picked from commit 1d8995d226d8bca96b8ba286316018be4b7835f2)
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- lib/dns/rdataset.c | 1 +
- 1 file changed, 1 insertion(+)
-diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
-index 1870394..79bcecb 100644
--- a/lib/dns/rdataset.c
-+++ b/lib/dns/rdataset.c
-@@ -338,6 +338,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
-         */
- 
-        REQUIRE(DNS_RDATASET_VALID(rdataset));
-+       REQUIRE(rdataset->methods != NULL);
-        REQUIRE(countp != NULL);
-        REQUIRE((order == NULL) == (order_arg == NULL));
-        REQUIRE(cctx != NULL && cctx->mctx != NULL);
-- 
-1.9.1
diff --git a/recipes-connectivity/bind/bind/CVE-2017-3136.patch b/recipes-connectivity/bind/bind/CVE-2017-3136.patch
deleted file mode 100644
index c47a6f7..0000000
--- a/recipes-connectivity/bind/bind/CVE-2017-3136.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From cdb44bbabefa96fceb9bca540f5112493756d593 Mon Sep 17 00:00:00 2001
-From: Sona Sarmadi <sona.sarmadi@enea.com>
-Date: Wed, 27 Sep 2017 09:45:10 +0200
-Subject: [PATCH] Dns64 with break-dnssec yes; can result in a assertion
- failure.
-From 764240ca07ab1b796226d5402ccd9fbfa77ec32a Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Wed, 15 Feb 2017 12:18:51 +1100
-(cherry picked from commit 3bce12e4b6d37f570ffc7747b499f8b90e8521ac)
-CVE: CVE-2017-3136
-Upstream-Status: Backport [backport from remotes/origin/v9_10]
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- CHANGES           | 3 +++
- bin/named/query.c | 1 +
- 2 files changed, 4 insertions(+)
-diff --git a/CHANGES b/CHANGES
-index ec11967..ba27df0 100644
--- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,6 @@
-+4575.  [security]      Dns64 with break-dnssec yes; can result in a
-+                       assertion failure. (CVE-2017-3136) [RT #44653]
-+
- 4517.  [security]      Named could mishandle authority sections that were
-                        missing RRSIGs triggering an assertion failure.
-                        (CVE-2016-9444) [RT # 43632]
-diff --git a/bin/named/query.c b/bin/named/query.c
-index 1398776..48822ff 100644
--- a/bin/named/query.c
-+++ b/bin/named/query.c
-@@ -8149,6 +8149,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
-                        result = query_dns64(client, &fname, rdataset,
-                                             sigrdataset, dbuf,
-                                             DNS_SECTION_ANSWER);
-+                       noqname = NULL;
-                        dns_rdataset_disassociate(rdataset);
-                        dns_message_puttemprdataset(client->message, &rdataset);
-                        if (result == ISC_R_NOMORE) {
-- 
-1.9.1
diff --git a/recipes-connectivity/bind/bind_%.bbappend b/recipes-connectivity/bind/bind_%.bbappend
deleted file mode 100644
index 0461313..0000000
--- a/recipes-connectivity/bind/bind_%.bbappend
+++ /dev/null
@@ -1,7 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-SRC_URI += "file://CVE-2016-9444.patch \
-            file://0001-fix-back-port-issue.patch \
-            file://CVE-2017-3135.patch \
-            file://CVE-2017-3136.patch \
-           "
author	Martin Borg <martin.borg@enea.com>	2018-02-28 09:33:50 +0100
committer	Martin Borg <martin.borg@enea.com>	2018-02-28 09:33:50 +0100
commit	495b231e8e0da5046b6b1803d372fe33d0b14be9 (patch)
tree	63a15b7f1e71be9c3ab4f2ee829e9b59e2f0515f /recipes-connectivity
parent	75578eccbe6c1de6b437e1599fe674e6b7ee2db1 (diff)
download	meta-el-common-495b231e8e0da5046b6b1803d372fe33d0b14be9.tar.gz

diff --git a/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch b/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch deleted file mode 100644 index a874469..0000000 --- a/recipes-connectivity/bind/bind/0001-fix-back-port-issue.patch +++ /dev/null
@@ -1,29 +0,0 @@
1	From 6bed6ea11b1880e0a078bd02c1d31d21f0540583 Mon Sep 17 00:00:00 2001
2	From: Mark Andrews <marka@isc.org>
3	Date: Thu, 29 Dec 2016 10:48:46 +1100
4	Subject: [PATCH] fix back port issue
5
6	This patch is needed for CVE-2016-9444 fix.
7	Upstream-Status: Backport [backport from v9_10_6_patch: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;h=6bed6ea11b1880e0a078bd02c1d31d21f0540583]
8
9	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
10	---
11	lib/dns/message.c \| 2 +-
12	1 file changed, 1 insertion(+), 1 deletion(-)
13
14	diff --git a/lib/dns/message.c b/lib/dns/message.c
15	index fe8e5d0..5b8166a 100644
16	--- a/lib/dns/message.c
17	+++ b/lib/dns/message.c
18	@@ -1639,7 +1639,7 @@ getsection(isc_buffer_t source, dns_message_t msg, dns_decompress_t *dctx,
19	((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
20	!preserve_order &&
21	!auth_signed(section))
22	- DO_ERROR(DNS_R_FORMERR);
23	+ DO_FORMERR;
24
25	if (seen_problem)
26	return (DNS_R_RECOVERABLE);
27	--
28	1.9.1
29


diff --git a/recipes-connectivity/bind/bind/CVE-2016-9444.patch b/recipes-connectivity/bind/bind/CVE-2016-9444.patch deleted file mode 100644 index 2c1e125..0000000 --- a/recipes-connectivity/bind/bind/CVE-2016-9444.patch +++ /dev/null
@@ -1,186 +0,0 @@
1	From 254d55749ccb1129e7d021a51d0c3b7d3da26ee1 Mon Sep 17 00:00:00 2001
2	From: Sona Sarmadi <sona.sarmadi@enea.com>
3	Date: Tue, 12 Sep 2017 14:13:28 +0200
4	Subject: [PATCH] CVE-2016-9444
5
6	An unusually-formed DS record response could cause an assertion failure
7
8	CVE: CVE-2016-9444
9	Upstream-Status: Backport [backport from remotes/origin/v9_10_6_patch
10	https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=04c7ee66b1eda851737cc7582a2a88193a0b4118]
11
12	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
13	---
14	CHANGES \| 4 +++
15	lib/dns/message.c \| 76 +++++++++++++++++++++++++++++++++++++++++++++++++++---
16	lib/dns/resolver.c \| 21 ++++++---------
17	3 files changed, 85 insertions(+), 16 deletions(-)
18
19	diff --git a/CHANGES b/CHANGES
20	index 97d2e60..5760ca5 100644
21	--- a/CHANGES
22	+++ b/CHANGES
23	@@ -1,3 +1,7 @@
24	+4517. [security] Named could mishandle authority sections that were
25	+ missing RRSIGs triggering an assertion failure.
26	+ (CVE-2016-9444) [RT # 43632]
27	+
28	4504. [security] Allow the maximum number of records in a zone to
29	be specified. This provides a control for issues
30	raised in CVE-2016-6170. [RT #42143]
31	diff --git a/lib/dns/message.c b/lib/dns/message.c
32	index 0dd4c77..2e37dac 100644
33	--- a/lib/dns/message.c
34	+++ b/lib/dns/message.c
35	@@ -1171,6 +1171,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
36	return (ISC_FALSE);
37	}
38
39	+/*
40	+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
41	+ * covering RRSIGs.
42	+ */
43	+static isc_boolean_t
44	+auth_signed(dns_namelist_t *section) {
45	+ dns_name_t *name;
46	+
47	+ for (name = ISC_LIST_HEAD(*section);
48	+ name != NULL;
49	+ name = ISC_LIST_NEXT(name, link))
50	+ {
51	+ int auth_dnssec = 0, auth_rrsig = 0;
52	+ dns_rdataset_t *rds;
53	+
54	+ for (rds = ISC_LIST_HEAD(name->list);
55	+ rds != NULL;
56	+ rds = ISC_LIST_NEXT(rds, link))
57	+ {
58	+ switch (rds->type) {
59	+ case dns_rdatatype_ds:
60	+ auth_dnssec \|= 0x1;
61	+ break;
62	+ case dns_rdatatype_nsec:
63	+ auth_dnssec \|= 0x2;
64	+ break;
65	+ case dns_rdatatype_nsec3:
66	+ auth_dnssec \|= 0x4;
67	+ break;
68	+ case dns_rdatatype_rrsig:
69	+ break;
70	+ default:
71	+ continue;
72	+ }
73	+
74	+ switch (rds->covers) {
75	+ case dns_rdatatype_ds:
76	+ auth_rrsig \|= 0x1;
77	+ break;
78	+ case dns_rdatatype_nsec:
79	+ auth_rrsig \|= 0x2;
80	+ break;
81	+ case dns_rdatatype_nsec3:
82	+ auth_rrsig \|= 0x4;
83	+ break;
84	+ default:
85	+ break;
86	+ }
87	+ }
88	+
89	+ if (auth_dnssec != auth_rrsig)
90	+ return (ISC_FALSE);
91	+ }
92	+
93	+ return (ISC_TRUE);
94	+}
95	+
96	static isc_result_t
97	getsection(isc_buffer_t source, dns_message_t msg, dns_decompress_t *dctx,
98	dns_section_t sectionid, unsigned int options)
99	@@ -1196,12 +1253,12 @@ getsection(isc_buffer_t source, dns_message_t msg, dns_decompress_t *dctx,
100	best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
101	seen_problem = ISC_FALSE;
102
103	+ section = &msg->sections[sectionid];
104	+
105	for (count = 0; count < msg->counts[sectionid]; count++) {
106	int recstart = source->current;
107	isc_boolean_t skip_name_search, skip_type_search;
108
109	- section = &msg->sections[sectionid];
110	-
111	skip_name_search = ISC_FALSE;
112	skip_type_search = ISC_FALSE;
113	free_rdataset = ISC_FALSE;
114	@@ -1364,7 +1421,7 @@ getsection(isc_buffer_t source, dns_message_t msg, dns_decompress_t *dctx,
115	goto cleanup;
116	rdata->rdclass = rdclass;
117	issigzero = ISC_FALSE;
118	- if (rdtype == dns_rdatatype_rrsig &&
119	+ if (rdtype == dns_rdatatype_rrsig &&
120	rdata->flags == 0) {
121	covers = dns_rdata_covers(rdata);
122	if (covers == 0)
123	@@ -1575,6 +1632,19 @@ getsection(isc_buffer_t source, dns_message_t msg, dns_decompress_t *dctx,
124	INSIST(free_rdataset == ISC_FALSE);
125	}
126
127	+ /*
128	+ * If any of DS, NSEC or NSEC3 appeared in the
129	+ * authority section of a query response without
130	+ * a covering RRSIG, FORMERR
131	+ */
132	+ if (sectionid == DNS_SECTION_AUTHORITY &&
133	+ msg->opcode == dns_opcode_query &&
134	+ ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
135	+ ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
136	+ !preserve_order &&
137	+ !auth_signed(section))
138	+ DO_ERROR(DNS_R_FORMERR);
139	+
140	if (seen_problem)
141	return (DNS_R_RECOVERABLE);
142	return (ISC_R_SUCCESS);
143	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
144	index b8fa6b3..017b4ba 100644
145	--- a/lib/dns/resolver.c
146	+++ b/lib/dns/resolver.c
147	@@ -5435,16 +5435,13 @@ cache_name(fetchctx_t fctx, dns_name_t name, dns_adbaddrinfo_t *addrinfo,
148	rdataset->type,
149	&noqname);
150	if (tresult == ISC_R_SUCCESS &&
151	- noqname != NULL) {
152	- tresult =
153	- dns_rdataset_addnoqname(
154	+ noqname != NULL)
155	+ (void) dns_rdataset_addnoqname(
156	rdataset, noqname);
157	- RUNTIME_CHECK(tresult ==
158	- ISC_R_SUCCESS);
159	- }
160	}
161	- if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0)
162	- options = DNS_DBADD_PREFETCH;
163	+ if ((fctx->options &
164	+ DNS_FETCHOPT_PREFETCH) != 0)
165	+ options = DNS_DBADD_PREFETCH;
166	addedrdataset = ardataset;
167	result = dns_db_addrdataset(fctx->cache, node,
168	NULL, now, rdataset,
169	@@ -5584,11 +5581,9 @@ cache_name(fetchctx_t fctx, dns_name_t name, dns_adbaddrinfo_t *addrinfo,
170	tresult = findnoqname(fctx, name,
171	rdataset->type, &noqname);
172	if (tresult == ISC_R_SUCCESS &&
173	- noqname != NULL) {
174	- tresult = dns_rdataset_addnoqname(
175	- rdataset, noqname);
176	- RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
177	- }
178	+ noqname != NULL)
179	+ (void) dns_rdataset_addnoqname(
180	+ rdataset, noqname);
181	}
182
183	/*
184	--
185	1.9.1
186


diff --git a/recipes-connectivity/bind/bind/CVE-2017-3135.patch b/recipes-connectivity/bind/bind/CVE-2017-3135.patch deleted file mode 100644 index 8cb2340..0000000 --- a/recipes-connectivity/bind/bind/CVE-2017-3135.patch +++ /dev/null
@@ -1,30 +0,0 @@
1	From 6106ed6841b253c78c6120be24c8722d6310a9b9 Mon Sep 17 00:00:00 2001
2	From: Mark Andrews <marka@isc.org>
3	Date: Tue, 31 Jan 2017 11:20:03 +1100
4	Subject: [PATCH] add a REQUIRE to catch the NULL pointer dereference that
5	triggered CVE-2017-3135
6
7	CVE: CVE-2017-3135
8	Upstream-Status: Backport [backport from remotes/origin/v9_10]
9
10	(cherry picked from commit 1d8995d226d8bca96b8ba286316018be4b7835f2)
11	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
12	---
13	lib/dns/rdataset.c \| 1 +
14	1 file changed, 1 insertion(+)
15
16	diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
17	index 1870394..79bcecb 100644
18	--- a/lib/dns/rdataset.c
19	+++ b/lib/dns/rdataset.c
20	@@ -338,6 +338,7 @@ towiresorted(dns_rdataset_t rdataset, const dns_name_t owner_name,
21	*/
22
23	REQUIRE(DNS_RDATASET_VALID(rdataset));
24	+ REQUIRE(rdataset->methods != NULL);
25	REQUIRE(countp != NULL);
26	REQUIRE((order == NULL) == (order_arg == NULL));
27	REQUIRE(cctx != NULL && cctx->mctx != NULL);
28	--
29	1.9.1
30


diff --git a/recipes-connectivity/bind/bind/CVE-2017-3136.patch b/recipes-connectivity/bind/bind/CVE-2017-3136.patch deleted file mode 100644 index c47a6f7..0000000 --- a/recipes-connectivity/bind/bind/CVE-2017-3136.patch +++ /dev/null
@@ -1,47 +0,0 @@
1	From cdb44bbabefa96fceb9bca540f5112493756d593 Mon Sep 17 00:00:00 2001
2	From: Sona Sarmadi <sona.sarmadi@enea.com>
3	Date: Wed, 27 Sep 2017 09:45:10 +0200
4	Subject: [PATCH] Dns64 with break-dnssec yes; can result in a assertion
5	failure.
6
7	From 764240ca07ab1b796226d5402ccd9fbfa77ec32a Mon Sep 17 00:00:00 2001
8	From: Mark Andrews <marka@isc.org>
9	Date: Wed, 15 Feb 2017 12:18:51 +1100
10
11	(cherry picked from commit 3bce12e4b6d37f570ffc7747b499f8b90e8521ac)
12
13	CVE: CVE-2017-3136
14	Upstream-Status: Backport [backport from remotes/origin/v9_10]
15
16	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
17	---
18	CHANGES \| 3 +++
19	bin/named/query.c \| 1 +
20	2 files changed, 4 insertions(+)
21
22	diff --git a/CHANGES b/CHANGES
23	index ec11967..ba27df0 100644
24	--- a/CHANGES
25	+++ b/CHANGES
26	@@ -1,3 +1,6 @@
27	+4575. [security] Dns64 with break-dnssec yes; can result in a
28	+ assertion failure. (CVE-2017-3136) [RT #44653]
29	+
30	4517. [security] Named could mishandle authority sections that were
31	missing RRSIGs triggering an assertion failure.
32	(CVE-2016-9444) [RT # 43632]
33	diff --git a/bin/named/query.c b/bin/named/query.c
34	index 1398776..48822ff 100644
35	--- a/bin/named/query.c
36	+++ b/bin/named/query.c
37	@@ -8149,6 +8149,7 @@ query_find(ns_client_t client, dns_fetchevent_t event, dns_rdatatype_t qtype)
38	result = query_dns64(client, &fname, rdataset,
39	sigrdataset, dbuf,
40	DNS_SECTION_ANSWER);
41	+ noqname = NULL;
42	dns_rdataset_disassociate(rdataset);
43	dns_message_puttemprdataset(client->message, &rdataset);
44	if (result == ISC_R_NOMORE) {
45	--
46	1.9.1
47


diff --git a/recipes-connectivity/bind/bind_%.bbappend b/recipes-connectivity/bind/bind_%.bbappend deleted file mode 100644 index 0461313..0000000 --- a/recipes-connectivity/bind/bind_%.bbappend +++ /dev/null
@@ -1,7 +0,0 @@
1	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
2
3	SRC_URI += "file://CVE-2016-9444.patch \
4	file://0001-fix-back-port-issue.patch \
5	file://CVE-2017-3135.patch \
6	file://CVE-2017-3136.patch \
7	"