| author | Armin Kuster <akuster@mvista.com> | 2015-09-12 15:17:26 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-19 11:53:16 +0100 |
| commit | 85f6cf736b5ecf3af6d1596b782dae81b9ac1f11 (patch) | |
| tree | d981404fb80ebec03bca8a611b23891085f4b35e | |
| parent | a01280b7ab323f415e91243ada46dc42b501116a (diff) | |
| download | poky-85f6cf736b5ecf3af6d1596b782dae81b9ac1f11.tar.gz | |
bind: CVE-2015-1349 CVE-2015-4620 CVE-2015-5722
Three security fixes.
(From OE-Core rev: d3af844b05e566c2188fc3145e66a9826fed0ec8)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
4 files changed, 589 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch new file mode 100644 index 0000000000..dea7aaef53 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch | |||
| @@ -0,0 +1,60 @@ | |||
| 1 | CVE-2015-1349 bind: issue in trust anchor management can cause named to crash | ||
| 2 | |||
| 3 | commit 2e9d79f169663c9aff5f0dcdc626a2cd2dbb5892 | ||
| 4 | Author: Evan Hunt <each@isc.org> | ||
| 5 | Date: Tue Feb 3 18:30:38 2015 -0800 | ||
| 6 | |||
| 7 | [v9_9_6_patch] avoid crash due to managed-key rollover | ||
| 8 | |||
| 9 | 4053. [security] Revoking a managed trust anchor and supplying | ||
| 10 | an untrusted replacement could cause named | ||
| 11 | to crash with an assertion failure. | ||
| 12 | (CVE-2015-1349) [RT #38344] | ||
| 13 | |||
| 14 | Upstream Status: Backport from Redhat | ||
| 15 | |||
| 16 | https://bugzilla.redhat.com/attachment.cgi?id=993045 | ||
| 17 | |||
| 18 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 19 | |||
| 20 | Index: bind-9.9.5/CHANGES | ||
| 21 | =================================================================== | ||
| 22 | --- bind-9.9.5.orig/CHANGES | ||
| 23 | +++ bind-9.9.5/CHANGES | ||
| 24 | @@ -1,3 +1,10 @@ | ||
| 25 | + --- 9.9.6-P2 released --- | ||
| 26 | + | ||
| 27 | +4053. [security] Revoking a managed trust anchor and supplying | ||
| 28 | + an untrusted replacement could cause named | ||
| 29 | + to crash with an assertion failure. | ||
| 30 | + (CVE-2015-1349) [RT #38344] | ||
| 31 | + | ||
| 32 | --- 9.9.5 released --- | ||
| 33 | |||
| 34 | --- 9.9.5rc2 released --- | ||
| 35 | Index: bind-9.9.5/lib/dns/zone.c | ||
| 36 | =================================================================== | ||
| 37 | --- bind-9.9.5.orig/lib/dns/zone.c | ||
| 38 | +++ bind-9.9.5/lib/dns/zone.c | ||
| 39 | @@ -8496,6 +8496,12 @@ keyfetch_done(isc_task_t *task, isc_even | ||
| 40 | namebuf, tag); | ||
| 41 | trustkey = ISC_TRUE; | ||
| 42 | } | ||
| 43 | + } else { | ||
| 44 | + /* | ||
| 45 | + * No previously known key, and the key is not | ||
| 46 | + * secure, so skip it. | ||
| 47 | + */ | ||
| 48 | + continue; | ||
| 49 | } | ||
| 50 | |||
| 51 | /* Delete old version */ | ||
| 52 | @@ -8544,7 +8550,7 @@ keyfetch_done(isc_task_t *task, isc_even | ||
| 53 | trust_key(zone, keyname, &dnskey, mctx); | ||
| 54 | } | ||
| 55 | |||
| 56 | - if (!deletekey) | ||
| 57 | + if (secure && !deletekey) | ||
| 58 | set_refreshkeytimer(zone, &keydata, now); | ||
| 59 | } | ||
| 60 | |||
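Review bot: The patch header spells the status tag as `Upstream Status: Backport from Redhat`, without the hyphen that the OE-Core patch-header convention uses (`Upstream-Status: Backport`); tooling and reviewers that scan for the tag key on the hyphenated form, so the line should read `Upstream-Status: Backport [https://bugzilla.redhat.com/attachment.cgi?id=993045]`. The same tag appears unhyphenated in CVE-2015-4620.patch and CVE-2015-5722.patch in this commit. If this tree's cve-check tooling matches patches by a `CVE:` header line, adding `CVE: CVE-2015-1349` next to the tag would let the advisory be tracked automatically — worth confirming against the metadata conventions in use here. The keyfetch_done hunks themselves look consistent with the upstream change quoted in the header (skip keys with no prior trust and no secure replacement, and arm the refresh timer only when secure).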
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch new file mode 100644 index 0000000000..1a5051e638 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch | |||
| @@ -0,0 +1,36 @@ | |||
| 1 | CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned() | ||
| 2 | |||
| 3 | issue introduced by git commit | ||
| 4 | |||
| 5 | https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=44f175a90a855326725439b2f1178f0dcca8f67d | ||
| 6 | |||
| 7 | which is in this version of bind. | ||
| 8 | |||
| 9 | Upstream Status: Backport from Redhat | ||
| 10 | |||
| 11 | https://bugzilla.redhat.com/attachment.cgi?id=1044719 | ||
| 12 | |||
| 13 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 14 | |||
| 15 | Index: bind-9.9.5/lib/dns/validator.c | ||
| 16 | =================================================================== | ||
| 17 | --- bind-9.9.5.orig/lib/dns/validator.c | ||
| 18 | +++ bind-9.9.5/lib/dns/validator.c | ||
| 19 | @@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r | ||
| 20 | */ | ||
| 21 | static isc_boolean_t | ||
| 22 | isselfsigned(dns_validator_t *val) { | ||
| 23 | - dns_fixedname_t fixed; | ||
| 24 | dns_rdataset_t *rdataset, *sigrdataset; | ||
| 25 | dns_rdata_t rdata = DNS_RDATA_INIT; | ||
| 26 | dns_rdata_t sigrdata = DNS_RDATA_INIT; | ||
| 27 | @@ -1462,8 +1461,7 @@ isselfsigned(dns_validator_t *val) { | ||
| 28 | result = dns_dnssec_verify3(name, rdataset, dstkey, | ||
| 29 | ISC_TRUE, | ||
| 30 | val->view->maxbits, | ||
| 31 | - mctx, &sigrdata, | ||
| 32 | - dns_fixedname_name(&fixed)); | ||
| 33 | + mctx, &sigrdata, NULL); | ||
| 34 | dst_key_free(&dstkey); | ||
| 35 | if (result != ISC_R_SUCCESS) | ||
| 36 | continue; | ||
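Review bot: The fix drops the never-initialised `dns_fixedname_t fixed` and passes `NULL` as the last argument to `dns_dnssec_verify3`, but nothing in the patch records why a null wildcard-name output is acceptable at this call site, which is the fact a future maintainer needs when touching isselfsigned. A one-line comment above the call would capture it, e.g. `/* Wildcard-name output is not used here; passing NULL avoids the uninitialised name that caused CVE-2015-4620. */` — that the output is unused is inferred from the removal of `fixed` and should be confirmed against the verify3 contract. The enclosing isselfsigned body continues outside the hunk.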
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch new file mode 100644 index 0000000000..af20d5c83f --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch | |||
| @@ -0,0 +1,490 @@ | |||
| 1 | CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of service | ||
| 2 | |||
| 3 | Upstream Status: Backport from Redhat | ||
| 4 | |||
| 5 | https://bugzilla.redhat.com/attachment.cgi?id=1069245 | ||
| 6 | |||
| 7 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 8 | |||
| 9 | Index: bind-9.9.5/lib/dns/hmac_link.c | ||
| 10 | =================================================================== | ||
| 11 | --- bind-9.9.5.orig/lib/dns/hmac_link.c | ||
| 12 | +++ bind-9.9.5/lib/dns/hmac_link.c | ||
| 13 | @@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_co | ||
| 14 | hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t)); | ||
| 15 | if (hmacmd5ctx == NULL) | ||
| 16 | return (ISC_R_NOMEMORY); | ||
| 17 | - isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH); | ||
| 18 | + isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH); | ||
| 19 | dctx->ctxdata.hmacmd5ctx = hmacmd5ctx; | ||
| 20 | return (ISC_R_SUCCESS); | ||
| 21 | } | ||
| 22 | @@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, c | ||
| 23 | else if (hkey1 == NULL || hkey2 == NULL) | ||
| 24 | return (ISC_FALSE); | ||
| 25 | |||
| 26 | - if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH)) | ||
| 27 | + if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH)) | ||
| 28 | return (ISC_TRUE); | ||
| 29 | else | ||
| 30 | return (ISC_FALSE); | ||
| 31 | @@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pse | ||
| 32 | isc_buffer_t b; | ||
| 33 | isc_result_t ret; | ||
| 34 | unsigned int bytes; | ||
| 35 | - unsigned char data[ISC_SHA1_BLOCK_LENGTH]; | ||
| 36 | + unsigned char data[ISC_MD5_BLOCK_LENGTH]; | ||
| 37 | |||
| 38 | UNUSED(callback); | ||
| 39 | |||
| 40 | bytes = (key->key_size + 7) / 8; | ||
| 41 | - if (bytes > ISC_SHA1_BLOCK_LENGTH) { | ||
| 42 | - bytes = ISC_SHA1_BLOCK_LENGTH; | ||
| 43 | - key->key_size = ISC_SHA1_BLOCK_LENGTH * 8; | ||
| 44 | + if (bytes > ISC_MD5_BLOCK_LENGTH) { | ||
| 45 | + bytes = ISC_MD5_BLOCK_LENGTH; | ||
| 46 | + key->key_size = ISC_MD5_BLOCK_LENGTH * 8; | ||
| 47 | } | ||
| 48 | |||
| 49 | - memset(data, 0, ISC_SHA1_BLOCK_LENGTH); | ||
| 50 | + memset(data, 0, ISC_MD5_BLOCK_LENGTH); | ||
| 51 | ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); | ||
| 52 | |||
| 53 | if (ret != ISC_R_SUCCESS) | ||
| 54 | @@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pse | ||
| 55 | isc_buffer_init(&b, data, bytes); | ||
| 56 | isc_buffer_add(&b, bytes); | ||
| 57 | ret = hmacmd5_fromdns(key, &b); | ||
| 58 | - memset(data, 0, ISC_SHA1_BLOCK_LENGTH); | ||
| 59 | + memset(data, 0, ISC_MD5_BLOCK_LENGTH); | ||
| 60 | |||
| 61 | return (ret); | ||
| 62 | } | ||
| 63 | @@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff | ||
| 64 | |||
| 65 | memset(hkey->key, 0, sizeof(hkey->key)); | ||
| 66 | |||
| 67 | - if (r.length > ISC_SHA1_BLOCK_LENGTH) { | ||
| 68 | + if (r.length > ISC_MD5_BLOCK_LENGTH) { | ||
| 69 | isc_md5_init(&md5ctx); | ||
| 70 | isc_md5_update(&md5ctx, r.base, r.length); | ||
| 71 | isc_md5_final(&md5ctx, hkey->key); | ||
| 72 | @@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff | ||
| 73 | key->key_size = keylen * 8; | ||
| 74 | key->keydata.hmacmd5 = hkey; | ||
| 75 | |||
| 76 | + isc_buffer_forward(data, r.length); | ||
| 77 | + | ||
| 78 | return (ISC_R_SUCCESS); | ||
| 79 | } | ||
| 80 | |||
| 81 | @@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buf | ||
| 82 | key->key_size = keylen * 8; | ||
| 83 | key->keydata.hmacsha1 = hkey; | ||
| 84 | |||
| 85 | + isc_buffer_forward(data, r.length); | ||
| 86 | + | ||
| 87 | return (ISC_R_SUCCESS); | ||
| 88 | } | ||
| 89 | |||
| 90 | @@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_b | ||
| 91 | key->key_size = keylen * 8; | ||
| 92 | key->keydata.hmacsha224 = hkey; | ||
| 93 | |||
| 94 | + isc_buffer_forward(data, r.length); | ||
| 95 | + | ||
| 96 | return (ISC_R_SUCCESS); | ||
| 97 | } | ||
| 98 | |||
| 99 | @@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_b | ||
| 100 | key->key_size = keylen * 8; | ||
| 101 | key->keydata.hmacsha256 = hkey; | ||
| 102 | |||
| 103 | + isc_buffer_forward(data, r.length); | ||
| 104 | + | ||
| 105 | return (ISC_R_SUCCESS); | ||
| 106 | } | ||
| 107 | |||
| 108 | @@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_b | ||
| 109 | key->key_size = keylen * 8; | ||
| 110 | key->keydata.hmacsha384 = hkey; | ||
| 111 | |||
| 112 | + isc_buffer_forward(data, r.length); | ||
| 113 | + | ||
| 114 | return (ISC_R_SUCCESS); | ||
| 115 | } | ||
| 116 | |||
| 117 | @@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_b | ||
| 118 | key->key_size = keylen * 8; | ||
| 119 | key->keydata.hmacsha512 = hkey; | ||
| 120 | |||
| 121 | + isc_buffer_forward(data, r.length); | ||
| 122 | + | ||
| 123 | return (ISC_R_SUCCESS); | ||
| 124 | } | ||
| 125 | |||
| 126 | Index: bind-9.9.5/lib/dns/include/dst/dst.h | ||
| 127 | =================================================================== | ||
| 128 | --- bind-9.9.5.orig/lib/dns/include/dst/dst.h | ||
| 129 | +++ bind-9.9.5/lib/dns/include/dst/dst.h | ||
| 130 | @@ -69,6 +69,7 @@ typedef struct dst_context dst_context_ | ||
| 131 | #define DST_ALG_HMACSHA256 163 /* XXXMPA */ | ||
| 132 | #define DST_ALG_HMACSHA384 164 /* XXXMPA */ | ||
| 133 | #define DST_ALG_HMACSHA512 165 /* XXXMPA */ | ||
| 134 | +#define DST_ALG_INDIRECT 252 | ||
| 135 | #define DST_ALG_PRIVATE 254 | ||
| 136 | #define DST_ALG_EXPAND 255 | ||
| 137 | #define DST_MAX_ALGS 255 | ||
| 138 | Index: bind-9.9.5/lib/dns/ncache.c | ||
| 139 | =================================================================== | ||
| 140 | --- bind-9.9.5.orig/lib/dns/ncache.c | ||
| 141 | +++ bind-9.9.5/lib/dns/ncache.c | ||
| 142 | @@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t | ||
| 143 | dns_name_fromregion(&tname, &remaining); | ||
| 144 | INSIST(remaining.length >= tname.length); | ||
| 145 | isc_buffer_forward(&source, tname.length); | ||
| 146 | - remaining.length -= tname.length; | ||
| 147 | - remaining.base += tname.length; | ||
| 148 | + isc_region_consume(&remaining, tname.length); | ||
| 149 | |||
| 150 | INSIST(remaining.length >= 2); | ||
| 151 | type = isc_buffer_getuint16(&source); | ||
| 152 | - remaining.length -= 2; | ||
| 153 | - remaining.base += 2; | ||
| 154 | + isc_region_consume(&remaining, 2); | ||
| 155 | |||
| 156 | if (type != dns_rdatatype_rrsig || | ||
| 157 | !dns_name_equal(&tname, name)) { | ||
| 158 | @@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t | ||
| 159 | INSIST(remaining.length >= 1); | ||
| 160 | trust = isc_buffer_getuint8(&source); | ||
| 161 | INSIST(trust <= dns_trust_ultimate); | ||
| 162 | - remaining.length -= 1; | ||
| 163 | - remaining.base += 1; | ||
| 164 | + isc_region_consume(&remaining, 1); | ||
| 165 | |||
| 166 | raw = remaining.base; | ||
| 167 | count = raw[0] * 256 + raw[1]; | ||
| 168 | Index: bind-9.9.5/lib/dns/openssldh_link.c | ||
| 169 | =================================================================== | ||
| 170 | --- bind-9.9.5.orig/lib/dns/openssldh_link.c | ||
| 171 | +++ bind-9.9.5/lib/dns/openssldh_link.c | ||
| 172 | @@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) { | ||
| 173 | |||
| 174 | static void | ||
| 175 | uint16_toregion(isc_uint16_t val, isc_region_t *region) { | ||
| 176 | - *region->base++ = (val & 0xff00) >> 8; | ||
| 177 | - *region->base++ = (val & 0x00ff); | ||
| 178 | + *region->base = (val & 0xff00) >> 8; | ||
| 179 | + isc_region_consume(region, 1); | ||
| 180 | + *region->base = (val & 0x00ff); | ||
| 181 | + isc_region_consume(region, 1); | ||
| 182 | } | ||
| 183 | |||
| 184 | static isc_uint16_t | ||
| 185 | @@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) | ||
| 186 | val = ((unsigned int)(cp[0])) << 8; | ||
| 187 | val |= ((unsigned int)(cp[1])); | ||
| 188 | |||
| 189 | - region->base += 2; | ||
| 190 | + isc_region_consume(region, 2); | ||
| 191 | + | ||
| 192 | return (val); | ||
| 193 | } | ||
| 194 | |||
| 195 | @@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, is | ||
| 196 | } | ||
| 197 | else | ||
| 198 | BN_bn2bin(dh->p, r.base); | ||
| 199 | - r.base += plen; | ||
| 200 | + isc_region_consume(&r, plen); | ||
| 201 | |||
| 202 | uint16_toregion(glen, &r); | ||
| 203 | if (glen > 0) | ||
| 204 | BN_bn2bin(dh->g, r.base); | ||
| 205 | - r.base += glen; | ||
| 206 | + isc_region_consume(&r, glen); | ||
| 207 | |||
| 208 | uint16_toregion(publen, &r); | ||
| 209 | BN_bn2bin(dh->pub_key, r.base); | ||
| 210 | - r.base += publen; | ||
| 211 | + isc_region_consume(&r, publen); | ||
| 212 | |||
| 213 | isc_buffer_add(data, dnslen); | ||
| 214 | |||
| 215 | @@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_bu | ||
| 216 | return (DST_R_INVALIDPUBLICKEY); | ||
| 217 | } | ||
| 218 | if (plen == 1 || plen == 2) { | ||
| 219 | - if (plen == 1) | ||
| 220 | - special = *r.base++; | ||
| 221 | - else | ||
| 222 | + if (plen == 1) { | ||
| 223 | + special = *r.base; | ||
| 224 | + isc_region_consume(&r, 1); | ||
| 225 | + } else { | ||
| 226 | special = uint16_fromregion(&r); | ||
| 227 | + } | ||
| 228 | switch (special) { | ||
| 229 | case 1: | ||
| 230 | dh->p = &bn768; | ||
| 231 | @@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_bu | ||
| 232 | DH_free(dh); | ||
| 233 | return (DST_R_INVALIDPUBLICKEY); | ||
| 234 | } | ||
| 235 | - } | ||
| 236 | - else { | ||
| 237 | + } else { | ||
| 238 | dh->p = BN_bin2bn(r.base, plen, NULL); | ||
| 239 | - r.base += plen; | ||
| 240 | + isc_region_consume(&r, plen); | ||
| 241 | } | ||
| 242 | |||
| 243 | /* | ||
| 244 | @@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_bu | ||
| 245 | return (DST_R_INVALIDPUBLICKEY); | ||
| 246 | } | ||
| 247 | } | ||
| 248 | - } | ||
| 249 | - else { | ||
| 250 | + } else { | ||
| 251 | if (glen == 0) { | ||
| 252 | DH_free(dh); | ||
| 253 | return (DST_R_INVALIDPUBLICKEY); | ||
| 254 | } | ||
| 255 | dh->g = BN_bin2bn(r.base, glen, NULL); | ||
| 256 | } | ||
| 257 | - r.base += glen; | ||
| 258 | + isc_region_consume(&r, glen); | ||
| 259 | |||
| 260 | if (r.length < 2) { | ||
| 261 | DH_free(dh); | ||
| 262 | @@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_bu | ||
| 263 | return (DST_R_INVALIDPUBLICKEY); | ||
| 264 | } | ||
| 265 | dh->pub_key = BN_bin2bn(r.base, publen, NULL); | ||
| 266 | - r.base += publen; | ||
| 267 | + isc_region_consume(&r, publen); | ||
| 268 | |||
| 269 | key->key_size = BN_num_bits(dh->p); | ||
| 270 | |||
| 271 | Index: bind-9.9.5/lib/dns/openssldsa_link.c | ||
| 272 | =================================================================== | ||
| 273 | --- bind-9.9.5.orig/lib/dns/openssldsa_link.c | ||
| 274 | +++ bind-9.9.5/lib/dns/openssldsa_link.c | ||
| 275 | @@ -29,8 +29,6 @@ | ||
| 276 | * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
| 277 | */ | ||
| 278 | |||
| 279 | -/* $Id$ */ | ||
| 280 | - | ||
| 281 | #ifdef OPENSSL | ||
| 282 | #ifndef USE_EVP | ||
| 283 | #define USE_EVP 1 | ||
| 284 | @@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc | ||
| 285 | DSA *dsa = key->keydata.dsa; | ||
| 286 | isc_region_t r; | ||
| 287 | DSA_SIG *dsasig; | ||
| 288 | + unsigned int klen; | ||
| 289 | #if USE_EVP | ||
| 290 | EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; | ||
| 291 | EVP_PKEY *pkey; | ||
| 292 | @@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc | ||
| 293 | ISC_R_FAILURE)); | ||
| 294 | } | ||
| 295 | free(sigbuf); | ||
| 296 | + | ||
| 297 | #elif 0 | ||
| 298 | /* Only use EVP for the Digest */ | ||
| 299 | if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) { | ||
| 300 | @@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc | ||
| 301 | "DSA_do_sign", | ||
| 302 | DST_R_SIGNFAILURE)); | ||
| 303 | #endif | ||
| 304 | - *r.base++ = (key->key_size - 512)/64; | ||
| 305 | + | ||
| 306 | + klen = (key->key_size - 512)/64; | ||
| 307 | + if (klen > 255) | ||
| 308 | + return (ISC_R_FAILURE); | ||
| 309 | + *r.base = klen; | ||
| 310 | + isc_region_consume(&r, 1); | ||
| 311 | + | ||
| 312 | BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH); | ||
| 313 | - r.base += ISC_SHA1_DIGESTLENGTH; | ||
| 314 | + isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); | ||
| 315 | BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH); | ||
| 316 | - r.base += ISC_SHA1_DIGESTLENGTH; | ||
| 317 | + isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); | ||
| 318 | DSA_SIG_free(dsasig); | ||
| 319 | isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); | ||
| 320 | |||
| 321 | @@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, i | ||
| 322 | if (r.length < (unsigned int) dnslen) | ||
| 323 | return (ISC_R_NOSPACE); | ||
| 324 | |||
| 325 | - *r.base++ = t; | ||
| 326 | + *r.base = t; | ||
| 327 | + isc_region_consume(&r, 1); | ||
| 328 | BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH); | ||
| 329 | - r.base += ISC_SHA1_DIGESTLENGTH; | ||
| 330 | + isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); | ||
| 331 | BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8); | ||
| 332 | - r.base += p_bytes; | ||
| 333 | + isc_region_consume(&r, p_bytes); | ||
| 334 | BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8); | ||
| 335 | - r.base += p_bytes; | ||
| 336 | + isc_region_consume(&r, p_bytes); | ||
| 337 | BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8); | ||
| 338 | - r.base += p_bytes; | ||
| 339 | + isc_region_consume(&r, p_bytes); | ||
| 340 | |||
| 341 | isc_buffer_add(data, dnslen); | ||
| 342 | |||
| 343 | @@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_b | ||
| 344 | return (ISC_R_NOMEMORY); | ||
| 345 | dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; | ||
| 346 | |||
| 347 | - t = (unsigned int) *r.base++; | ||
| 348 | + t = (unsigned int) *r.base; | ||
| 349 | + isc_region_consume(&r, 1); | ||
| 350 | if (t > 8) { | ||
| 351 | DSA_free(dsa); | ||
| 352 | return (DST_R_INVALIDPUBLICKEY); | ||
| 353 | } | ||
| 354 | p_bytes = 64 + 8 * t; | ||
| 355 | |||
| 356 | - if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { | ||
| 357 | + if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { | ||
| 358 | DSA_free(dsa); | ||
| 359 | return (DST_R_INVALIDPUBLICKEY); | ||
| 360 | } | ||
| 361 | |||
| 362 | dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL); | ||
| 363 | - r.base += ISC_SHA1_DIGESTLENGTH; | ||
| 364 | + isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); | ||
| 365 | |||
| 366 | dsa->p = BN_bin2bn(r.base, p_bytes, NULL); | ||
| 367 | - r.base += p_bytes; | ||
| 368 | + isc_region_consume(&r, p_bytes); | ||
| 369 | |||
| 370 | dsa->g = BN_bin2bn(r.base, p_bytes, NULL); | ||
| 371 | - r.base += p_bytes; | ||
| 372 | + isc_region_consume(&r, p_bytes); | ||
| 373 | |||
| 374 | dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL); | ||
| 375 | - r.base += p_bytes; | ||
| 376 | + isc_region_consume(&r, p_bytes); | ||
| 377 | |||
| 378 | key->key_size = p_bytes * 8; | ||
| 379 | |||
| 380 | Index: bind-9.9.5/lib/dns/opensslecdsa_link.c | ||
| 381 | =================================================================== | ||
| 382 | --- bind-9.9.5.orig/lib/dns/opensslecdsa_link.c | ||
| 383 | +++ bind-9.9.5/lib/dns/opensslecdsa_link.c | ||
| 384 | @@ -14,8 +14,6 @@ | ||
| 385 | * PERFORMANCE OF THIS SOFTWARE. | ||
| 386 | */ | ||
| 387 | |||
| 388 | -/* $Id$ */ | ||
| 389 | - | ||
| 390 | #include <config.h> | ||
| 391 | |||
| 392 | #ifdef HAVE_OPENSSL_ECDSA | ||
| 393 | @@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, i | ||
| 394 | "ECDSA_do_sign", | ||
| 395 | DST_R_SIGNFAILURE)); | ||
| 396 | BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2); | ||
| 397 | - r.base += siglen / 2; | ||
| 398 | + isc_region_consume(&r, siglen / 2); | ||
| 399 | BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2); | ||
| 400 | - r.base += siglen / 2; | ||
| 401 | + isc_region_consume(&r, siglen / 2); | ||
| 402 | ECDSA_SIG_free(ecdsasig); | ||
| 403 | isc_buffer_add(sig, siglen); | ||
| 404 | ret = ISC_R_SUCCESS; | ||
| 405 | Index: bind-9.9.5/lib/dns/opensslrsa_link.c | ||
| 406 | =================================================================== | ||
| 407 | --- bind-9.9.5.orig/lib/dns/opensslrsa_link.c | ||
| 408 | +++ bind-9.9.5/lib/dns/opensslrsa_link.c | ||
| 409 | @@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b | ||
| 410 | RSA *rsa; | ||
| 411 | isc_region_t r; | ||
| 412 | unsigned int e_bytes; | ||
| 413 | + unsigned int length; | ||
| 414 | #if USE_EVP | ||
| 415 | EVP_PKEY *pkey; | ||
| 416 | #endif | ||
| 417 | @@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b | ||
| 418 | isc_buffer_remainingregion(data, &r); | ||
| 419 | if (r.length == 0) | ||
| 420 | return (ISC_R_SUCCESS); | ||
| 421 | + length = r.length; | ||
| 422 | |||
| 423 | rsa = RSA_new(); | ||
| 424 | if (rsa == NULL) | ||
| 425 | @@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_b | ||
| 426 | RSA_free(rsa); | ||
| 427 | return (DST_R_INVALIDPUBLICKEY); | ||
| 428 | } | ||
| 429 | - e_bytes = *r.base++; | ||
| 430 | - r.length--; | ||
| 431 | + e_bytes = *r.base; | ||
| 432 | + isc_region_consume(&r, 1); | ||
| 433 | |||
| 434 | if (e_bytes == 0) { | ||
| 435 | if (r.length < 2) { | ||
| 436 | RSA_free(rsa); | ||
| 437 | return (DST_R_INVALIDPUBLICKEY); | ||
| 438 | } | ||
| 439 | - e_bytes = ((*r.base++) << 8); | ||
| 440 | - e_bytes += *r.base++; | ||
| 441 | - r.length -= 2; | ||
| 442 | + e_bytes = (*r.base) << 8; | ||
| 443 | + isc_region_consume(&r, 1); | ||
| 444 | + e_bytes += *r.base; | ||
| 445 | + isc_region_consume(&r, 1); | ||
| 446 | } | ||
| 447 | |||
| 448 | if (r.length < e_bytes) { | ||
| 449 | @@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_b | ||
| 450 | return (DST_R_INVALIDPUBLICKEY); | ||
| 451 | } | ||
| 452 | rsa->e = BN_bin2bn(r.base, e_bytes, NULL); | ||
| 453 | - r.base += e_bytes; | ||
| 454 | - r.length -= e_bytes; | ||
| 455 | + isc_region_consume(&r, e_bytes); | ||
| 456 | |||
| 457 | rsa->n = BN_bin2bn(r.base, r.length, NULL); | ||
| 458 | |||
| 459 | key->key_size = BN_num_bits(rsa->n); | ||
| 460 | |||
| 461 | - isc_buffer_forward(data, r.length); | ||
| 462 | + isc_buffer_forward(data, length); | ||
| 463 | |||
| 464 | #if USE_EVP | ||
| 465 | pkey = EVP_PKEY_new(); | ||
| 466 | Index: bind-9.9.5/lib/dns/resolver.c | ||
| 467 | =================================================================== | ||
| 468 | --- bind-9.9.5.orig/lib/dns/resolver.c | ||
| 469 | +++ bind-9.9.5/lib/dns/resolver.c | ||
| 470 | @@ -8937,6 +8937,12 @@ dns_resolver_algorithm_supported(dns_res | ||
| 471 | |||
| 472 | REQUIRE(VALID_RESOLVER(resolver)); | ||
| 473 | |||
| 474 | + /* | ||
| 475 | + * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1. | ||
| 476 | + */ | ||
| 477 | + if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) | ||
| 478 | + return (ISC_FALSE); | ||
| 479 | + | ||
| 480 | #if USE_ALGLOCK | ||
| 481 | RWLOCK(&resolver->alglock, isc_rwlocktype_read); | ||
| 482 | #endif | ||
| 483 | @@ -8956,6 +8962,7 @@ dns_resolver_algorithm_supported(dns_res | ||
| 484 | #endif | ||
| 485 | if (found) | ||
| 486 | return (ISC_FALSE); | ||
| 487 | + | ||
| 488 | return (dst_algorithm_supported(alg)); | ||
| 489 | } | ||
| 490 | |||
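Review bot: The new early return in openssldsa_sign, `if (klen > 255) return (ISC_R_FAILURE);`, skips the `DSA_SIG_free(dsasig);` that appears further down the same hunk, so a key whose encoded size byte does not fit leaks the DSA_SIG the signing call just returned; free it first: `if (klen > 255) { DSA_SIG_free(dsasig); return (ISC_R_FAILURE); }`. The check also relies on `key->key_size - 512` wrapping to a large value when key_size is below 512 — if key_size is unsigned, as the assignment into `unsigned int klen` suggests, that wrap is what makes the `> 255` test reject undersized keys, and a short comment stating so would keep a later cleanup from "fixing" it into a signed subtraction. openssldsa_sign begins and ends outside this hunk.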
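--- a/meta/recipes-connectivity/bind/bind_9.9.5.bb
+++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb
@@ -19,6 +19,9 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
 file://init.d-add-support-for-read-only-rootfs.patch \
 file://bind9_9_5-CVE-2014-8500.patch \
 file://bind9_9_5-CVE-2015-5477.patch \
+file://CVE-2015-1349.patch \
+file://CVE-2015-4620.patch \
+file://CVE-2015-5722.patch \
 "
 
 SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"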
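Review bot: The three new entries are named `CVE-2015-1349.patch`, `CVE-2015-4620.patch` and `CVE-2015-5722.patch`, while the existing CVE patches in the same SRC_URI carry the `bind9_9_5-` prefix (`bind9_9_5-CVE-2014-8500.patch`, `bind9_9_5-CVE-2015-5477.patch`); a single naming scheme makes it easier to see at a glance which backports belong to this version. This is a style point only — the entries themselves are correct and the recipe's line continuation is preserved.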
