bind: Fix CVEs 2022-2795, 2022-38177, 2022-38178

(From OE-Core rev: 9632481dc14868c0f92572472834a2a0c4f46e2e) Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mathieu Dubois-Briand <mathieu.dubois-briand@hyprua.org> 2022-10-03 18:17:20 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-10-05 08:39:19 +0100
commit: 4d8f22bc239dbf7f89f5ef5031fced48599f564c (patch)
tree: a9600e460d08939cdd425104249cf3861e6356df
parent: 028971709f4b35719e4ebfcefb19f92f9dca82aa (diff)
download: poky-4d8f22bc239dbf7f89f5ef5031fced48599f564c.tar.gz
4 files changed, 134 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
new file mode 100644
index 0000000000..940c6776d3
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
@@ -0,0 +1,67 @@
+From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH 1/3] Bound the amount of work performed for delegations
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered.  Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+Upstream-Status: Backport
+CVE: CVE-2022-2795
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8ae9a993bbd7..ac9a9ef5d009 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -180,6 +180,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+        bool need_alternate = false;
+        bool all_spilled = true;
+        unsigned int no_addresses = 0;
+       unsigned int ns_processed = 0;
+ 
+        FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 
+                dns_rdata_reset(&rdata);
+                dns_rdata_freestruct(&ns);
+
+               if (++ns_processed >= NS_PROCESSING_LIMIT) {
+                       result = ISC_R_NOMORE;
+                       break;
+               }
+        }
+        if (result != ISC_R_NOMORE) {
+                return (result);
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
new file mode 100644
index 0000000000..0ef87fd260
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
@@ -0,0 +1,31 @@
+From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH 2/3] Free eckey on siglen mismatch
+Upstream-Status: Backport
+CVE: CVE-2022-38177
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 83b5b51cd78c..7576e04ac635 100644
+--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+                siglen = DNS_SIG_ECDSA384SIZE;
+ 
+        if (sig->length != siglen)
+-               return (DST_R_VERIFYFAILURE);
+               DST_RET(DST_R_VERIFYFAILURE);
+ 
+        if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+                DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
new file mode 100644
index 0000000000..e0b398e24a
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
@@ -0,0 +1,33 @@
+From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH 3/3] Free ctx on invalid siglen
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+Upstream-Status: Backport
+CVE: CVE-2022-38178
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 8b115ec283f0..b4fcd607c131 100644
+--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+                siglen = DNS_SIG_ED448SIZE;
+ 
+        if (sig->length != siglen)
+-               return (DST_R_VERIFYFAILURE);
+               DST_RET(ISC_R_NOTIMPLEMENTED);
+ 
+        isc_buffer_usedregion(buf, &tbsreg);
+ 
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/bind/bind_9.11.37.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb
index afc8cf0b3b..2fca28e684 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.37.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb
@@ -19,6 +19,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
           file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
           file://0001-avoid-start-failure-with-bind-user.patch \
+           file://CVE-2022-2795.patch \
+           file://CVE-2022-38177.patch \
+           file://CVE-2022-38178.patch \
           "
 SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"
author	Mathieu Dubois-Briand <mathieu.dubois-briand@hyprua.org>	2022-10-03 18:17:20 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-10-05 08:39:19 +0100
commit	4d8f22bc239dbf7f89f5ef5031fced48599f564c (patch)
tree	a9600e460d08939cdd425104249cf3861e6356df
parent	028971709f4b35719e4ebfcefb19f92f9dca82aa (diff)
download	poky-4d8f22bc239dbf7f89f5ef5031fced48599f564c.tar.gz

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch new file mode 100644 index 0000000000..940c6776d3 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
@@ -0,0 +1,67 @@
		1	From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
		3	Date: Thu, 8 Sep 2022 11:11:30 +0200
		4	Subject: [PATCH 1/3] Bound the amount of work performed for delegations
		5
		6	Limit the amount of database lookups that can be triggered in
		7	fctx_getaddresses() (i.e. when determining the name server addresses to
		8	query next) by setting a hard limit on the number of NS RRs processed
		9	for any delegation encountered. Without any limit in place, named can
		10	be forced to perform large amounts of database lookups per each query
		11	received, which severely impacts resolver performance.
		12
		13	The limit used (20) is an arbitrary value that is considered to be big
		14	enough for any sane DNS delegation.
		15
		16	(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2022-2795
		20	Reference to upstream patch:
		21	https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
		22
		23	Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
		24	---
		25	lib/dns/resolver.c \| 12 ++++++++++++
		26	1 file changed, 12 insertions(+)
		27
		28	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
		29	index 8ae9a993bbd7..ac9a9ef5d009 100644
		30	--- a/lib/dns/resolver.c
		31	+++ b/lib/dns/resolver.c
		32	@@ -180,6 +180,12 @@
		33	*/
		34	#define NS_FAIL_LIMIT 4
		35	#define NS_RR_LIMIT 5
		36	+/*
		37	+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
		38	+ * any NS RRset encountered, to avoid excessive resource use while processing
		39	+ * large delegations.
		40	+ */
		41	+#define NS_PROCESSING_LIMIT 20
		42
		43	/* Number of hash buckets for zone counters */
		44	#ifndef RES_DOMAIN_BUCKETS
		45	@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
		46	bool need_alternate = false;
		47	bool all_spilled = true;
		48	unsigned int no_addresses = 0;
		49	+ unsigned int ns_processed = 0;
		50
		51	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
		52
		53	@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
		54
		55	dns_rdata_reset(&rdata);
		56	dns_rdata_freestruct(&ns);
		57	+
		58	+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
		59	+ result = ISC_R_NOMORE;
		60	+ break;
		61	+ }
		62	}
		63	if (result != ISC_R_NOMORE) {
		64	return (result);
		65	--
		66	2.34.1
		67


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch new file mode 100644 index 0000000000..0ef87fd260 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
@@ -0,0 +1,31 @@
		1	From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Thu, 11 Aug 2022 15:15:34 +1000
		4	Subject: [PATCH 2/3] Free eckey on siglen mismatch
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2022-38177
		8	Reference to upstream patch:
		9	https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
		10
		11	Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
		12	---
		13	lib/dns/opensslecdsa_link.c \| 2 +-
		14	1 file changed, 1 insertion(+), 1 deletion(-)
		15
		16	diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
		17	index 83b5b51cd78c..7576e04ac635 100644
		18	--- a/lib/dns/opensslecdsa_link.c
		19	+++ b/lib/dns/opensslecdsa_link.c
		20	@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t dctx, const isc_region_t sig) {
		21	siglen = DNS_SIG_ECDSA384SIZE;
		22
		23	if (sig->length != siglen)
		24	- return (DST_R_VERIFYFAILURE);
		25	+ DST_RET(DST_R_VERIFYFAILURE);
		26
		27	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
		28	DST_RET (dst__openssl_toresult3(dctx->category,
		29	--
		30	2.34.1
		31


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch new file mode 100644 index 0000000000..e0b398e24a --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
@@ -0,0 +1,33 @@
		1	From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Thu, 11 Aug 2022 15:28:13 +1000
		4	Subject: [PATCH 3/3] Free ctx on invalid siglen
		5
		6	(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
		7
		8	Upstream-Status: Backport
		9	CVE: CVE-2022-38178
		10	Reference to upstream patch:
		11	https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6
		12
		13	Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
		14	---
		15	lib/dns/openssleddsa_link.c \| 2 +-
		16	1 file changed, 1 insertion(+), 1 deletion(-)
		17
		18	diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
		19	index 8b115ec283f0..b4fcd607c131 100644
		20	--- a/lib/dns/openssleddsa_link.c
		21	+++ b/lib/dns/openssleddsa_link.c
		22	@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t dctx, const isc_region_t sig) {
		23	siglen = DNS_SIG_ED448SIZE;
		24
		25	if (sig->length != siglen)
		26	- return (DST_R_VERIFYFAILURE);
		27	+ DST_RET(ISC_R_NOTIMPLEMENTED);
		28
		29	isc_buffer_usedregion(buf, &tbsreg);
		30
		31	--
		32	2.34.1
		33


diff --git a/meta/recipes-connectivity/bind/bind_9.11.37.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb index afc8cf0b3b..2fca28e684 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.37.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb
@@ -19,6 +19,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
19	file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \	19	file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
20	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \	20	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
21	file://0001-avoid-start-failure-with-bind-user.patch \	21	file://0001-avoid-start-failure-with-bind-user.patch \
		22	file://CVE-2022-2795.patch \
		23	file://CVE-2022-38177.patch \
		24	file://CVE-2022-38178.patch \
22	"	25	"
23		26
24	SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"	27	SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"