2 files changed, 220 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
new file mode 100644
index 0000000000..b52d6800ff
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
@@ -0,0 +1,219 @@
+From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 21 Oct 2016 14:55:10 +1100
+Subject: [PATCH] 4489. [security] It was possible to trigger assertions when
+ processing a response. (CVE-2016-8864) [RT #43465]
+(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca)
+Upstream-Status: Backport
+[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8]
+CVE: CVE-2016-8864
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ CHANGES            |  3 +++
+ lib/dns/resolver.c | 69 +++++++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 50 insertions(+), 22 deletions(-)
+diff --git a/CHANGES b/CHANGES
+index 5c8c61a..41cfce5 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -1,3 +1,6 @@
+4489.  [security]      It was possible to trigger assertions when processing
+                       a response. (CVE-2016-8864) [RT #43465]
+
+ 4467.   [security]      It was possible to trigger an assertion when
+                         rendering a message. (CVE-2016-2776) [RT #43139]
+ 
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index ba1ae23..13c8b44 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
+        valarg->addrinfo = addrinfo;
+ 
+        if (!ISC_LIST_EMPTY(fctx->validators))
+-               INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
+               valoptions |= DNS_VALIDATOR_DEFER;
+       else
+               valoptions &= ~DNS_VALIDATOR_DEFER;
+ 
+        result = dns_validator_create(fctx->res->view, name, type, rdataset,
+                                      sigrdataset, fctx->rmessage,
+@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+                                                           rdataset,
+                                                           sigrdataset,
+                                                           valoptions, task);
+-                                       /*
+-                                        * Defer any further validations.
+-                                        * This prevents multiple validators
+-                                        * from manipulating fctx->rmessage
+-                                        * simultaneously.
+-                                        */
+-                                       valoptions |= DNS_VALIDATOR_DEFER;
+                                }
+                        } else if (CHAINING(rdataset)) {
+                                if (rdataset->type == dns_rdatatype_cname)
+@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+                                       eresult == DNS_R_NCACHENXRRSET);
+                        }
+                        event->result = eresult;
+                       if (adbp != NULL && *adbp != NULL) {
+                               if (anodep != NULL && *anodep != NULL)
+                                       dns_db_detachnode(*adbp, anodep);
+                               dns_db_detach(adbp);
+                       }
+                        dns_db_attach(fctx->cache, adbp);
+                        dns_db_transfernode(fctx->cache, &node, anodep);
+                        clone_results(fctx);
+@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+                fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+                if (event != NULL) {
+                        event->result = eresult;
+                       if (adbp != NULL && *adbp != NULL) {
+                               if (anodep != NULL && *anodep != NULL)
+                                       dns_db_detachnode(*adbp, anodep);
+                               dns_db_detach(adbp);
+                       }
+                        dns_db_attach(fctx->cache, adbp);
+                        dns_db_transfernode(fctx->cache, &node, anodep);
+                        clone_results(fctx);
+@@ -6718,13 +6723,15 @@ static isc_result_t
+ answer_response(fetchctx_t *fctx) {
+        isc_result_t result;
+        dns_message_t *message;
+-       dns_name_t *name, *dname, *qname, tname, *ns_name;
+       dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
+       dns_name_t *cname = NULL;
+        dns_rdataset_t *rdataset, *ns_rdataset;
+        isc_boolean_t done, external, chaining, aa, found, want_chaining;
+-       isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
+       isc_boolean_t have_answer, found_cname, found_dname, found_type;
+       isc_boolean_t wanted_chaining;
+        unsigned int aflag;
+        dns_rdatatype_t type;
+-       dns_fixedname_t fdname, fqname;
+       dns_fixedname_t fdname, fqname, fqdname;
+        dns_view_t *view;
+ 
+        FCTXTRACE("answer_response");
+@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
+ 
+        done = ISC_FALSE;
+        found_cname = ISC_FALSE;
+       found_dname = ISC_FALSE;
+        found_type = ISC_FALSE;
+        chaining = ISC_FALSE;
+        have_answer = ISC_FALSE;
+@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
+                aa = ISC_TRUE;
+        else
+                aa = ISC_FALSE;
+-       qname = &fctx->name;
+       dqname = qname = &fctx->name;
+        type = fctx->type;
+        view = fctx->res->view;
+       dns_fixedname_init(&fqdname);
+        result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+        while (!done && result == ISC_R_SUCCESS) {
+-               dns_namereln_t namereln;
+               dns_namereln_t namereln, dnamereln;
+                int order;
+                unsigned int nlabels;
+ 
+@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
+                dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+                external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+                namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+               dnamereln = dns_name_fullcompare(dqname, name, &order,
+                                                &nlabels);
+                if (namereln == dns_namereln_equal) {
+                        wanted_chaining = ISC_FALSE;
+                        for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) {
+                                        }
+                                } else if (rdataset->type == dns_rdatatype_rrsig
+                                           && rdataset->covers ==
+-                                          dns_rdatatype_cname
+                                             dns_rdatatype_cname
+                                           && !found_type) {
+                                        /*
+                                         * We're looking for something else,
+@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) {
+                                                 * a CNAME or DNAME).
+                                                 */
+                                                INSIST(!external);
+-                                               if (aflag ==
+-                                                   DNS_RDATASETATTR_ANSWER) {
+                                               if ((rdataset->type !=
+                                                    dns_rdatatype_cname) ||
+                                                   !found_dname ||
+                                                   (aflag ==
+                                                    DNS_RDATASETATTR_ANSWER))
+                                               {
+                                                        have_answer = ISC_TRUE;
+                                                       if (rdataset->type ==
+                                                           dns_rdatatype_cname)
+                                                               cname = name;
+                                                        name->attributes |=
+-                                                               DNS_NAMEATTR_ANSWER;
+                                                           DNS_NAMEATTR_ANSWER;
+                                                }
+                                                rdataset->attributes |= aflag;
+                                                if (aa)
+@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
+                                        return (DNS_R_FORMERR);
+                                }
+ 
+-                               if (namereln != dns_namereln_subdomain) {
+                               if (dnamereln != dns_namereln_subdomain) {
+                                        char qbuf[DNS_NAME_FORMATSIZE];
+                                        char obuf[DNS_NAME_FORMATSIZE];
+ 
+-                                       dns_name_format(qname, qbuf,
+                                       dns_name_format(dqname, qbuf,
+                                                        sizeof(qbuf));
+                                        dns_name_format(name, obuf,
+                                                        sizeof(obuf));
+@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
+                                        want_chaining = ISC_TRUE;
+                                        POST(want_chaining);
+                                        aflag = DNS_RDATASETATTR_ANSWER;
+-                                       result = dname_target(rdataset, qname,
+                                       result = dname_target(rdataset, dqname,
+                                                              nlabels, &fdname);
+                                        if (result == ISC_R_NOSPACE) {
+                                                /*
+@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
+ 
+                                        dname = dns_fixedname_name(&fdname);
+                                        if (!is_answertarget_allowed(view,
+-                                                       qname, rdataset->type,
+-                                                       dname, &fctx->domain)) {
+                                                    dqname, rdataset->type,
+                                                    dname, &fctx->domain))
+                                       {
+                                                return (DNS_R_SERVFAIL);
+                                        }
+                                       dqname = dns_fixedname_name(&fqdname);
+                                       dns_name_copy(dname, dqname, NULL);
+                                } else {
+                                        /*
+                                         * We've found a signature that
+@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
+                                        INSIST(!external);
+                                        if (aflag == DNS_RDATASETATTR_ANSWER) {
+                                                have_answer = ISC_TRUE;
+                                               found_dname = ISC_TRUE;
+                                               if (cname != NULL)
+                                                       cname->attributes &=
+                                                          ~DNS_NAMEATTR_ANSWER;
+                                                name->attributes |=
+                                                        DNS_NAMEATTR_ANSWER;
+                                        }
+-- 
+2.7.4
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index 4e2e856b72..fa45809980 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -27,6 +27,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://CVE-2016-2088.patch \
           file://CVE-2016-2775.patch \
           file://CVE-2016-2776.patch \
+           file://CVE-2016-8864.patch \
           "
 SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch new file mode 100644 index 0000000000..b52d6800ff --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
@@ -0,0 +1,219 @@
		1	From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Fri, 21 Oct 2016 14:55:10 +1100
		4	Subject: [PATCH] 4489. [security] It was possible to trigger assertions when
		5	processing a response. (CVE-2016-8864) [RT #43465]
		6
		7	(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca)
		8
		9	Upstream-Status: Backport
		10	[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8]
		11
		12	CVE: CVE-2016-8864
		13
		14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		15	---
		16	CHANGES \| 3 +++
		17	lib/dns/resolver.c \| 69 +++++++++++++++++++++++++++++++++++++-----------------
		18	2 files changed, 50 insertions(+), 22 deletions(-)
		19
		20	diff --git a/CHANGES b/CHANGES
		21	index 5c8c61a..41cfce5 100644
		22	--- a/CHANGES
		23	+++ b/CHANGES
		24	@@ -1,3 +1,6 @@
		25	+4489. [security] It was possible to trigger assertions when processing
		26	+ a response. (CVE-2016-8864) [RT #43465]
		27	+
		28	4467. [security] It was possible to trigger an assertion when
		29	rendering a message. (CVE-2016-2776) [RT #43139]
		30
		31	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
		32	index ba1ae23..13c8b44 100644
		33	--- a/lib/dns/resolver.c
		34	+++ b/lib/dns/resolver.c
		35	@@ -612,7 +612,9 @@ valcreate(fetchctx_t fctx, dns_adbaddrinfo_t addrinfo, dns_name_t *name,
		36	valarg->addrinfo = addrinfo;
		37
		38	if (!ISC_LIST_EMPTY(fctx->validators))
		39	- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
		40	+ valoptions \|= DNS_VALIDATOR_DEFER;
		41	+ else
		42	+ valoptions &= ~DNS_VALIDATOR_DEFER;
		43
		44	result = dns_validator_create(fctx->res->view, name, type, rdataset,
		45	sigrdataset, fctx->rmessage,
		46	@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t fctx, dns_name_t name, dns_adbaddrinfo_t *addrinfo,
		47	rdataset,
		48	sigrdataset,
		49	valoptions, task);
		50	- /*
		51	- * Defer any further validations.
		52	- * This prevents multiple validators
		53	- * from manipulating fctx->rmessage
		54	- * simultaneously.
		55	- */
		56	- valoptions \|= DNS_VALIDATOR_DEFER;
		57	}
		58	} else if (CHAINING(rdataset)) {
		59	if (rdataset->type == dns_rdatatype_cname)
		60	@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t fctx, dns_name_t name, dns_adbaddrinfo_t *addrinfo,
		61	eresult == DNS_R_NCACHENXRRSET);
		62	}
		63	event->result = eresult;
		64	+ if (adbp != NULL && *adbp != NULL) {
		65	+ if (anodep != NULL && *anodep != NULL)
		66	+ dns_db_detachnode(*adbp, anodep);
		67	+ dns_db_detach(adbp);
		68	+ }
		69	dns_db_attach(fctx->cache, adbp);
		70	dns_db_transfernode(fctx->cache, &node, anodep);
		71	clone_results(fctx);
		72	@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t fctx, dns_adbaddrinfo_t addrinfo,
		73	fctx->attributes \|= FCTX_ATTR_HAVEANSWER;
		74	if (event != NULL) {
		75	event->result = eresult;
		76	+ if (adbp != NULL && *adbp != NULL) {
		77	+ if (anodep != NULL && *anodep != NULL)
		78	+ dns_db_detachnode(*adbp, anodep);
		79	+ dns_db_detach(adbp);
		80	+ }
		81	dns_db_attach(fctx->cache, adbp);
		82	dns_db_transfernode(fctx->cache, &node, anodep);
		83	clone_results(fctx);
		84	@@ -6718,13 +6723,15 @@ static isc_result_t
		85	answer_response(fetchctx_t *fctx) {
		86	isc_result_t result;
		87	dns_message_t *message;
		88	- dns_name_t name, dname, qname, tname, ns_name;
		89	+ dns_name_t name, dname = NULL, qname, dqname, tname, *ns_name;
		90	+ dns_name_t *cname = NULL;
		91	dns_rdataset_t rdataset, ns_rdataset;
		92	isc_boolean_t done, external, chaining, aa, found, want_chaining;
		93	- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
		94	+ isc_boolean_t have_answer, found_cname, found_dname, found_type;
		95	+ isc_boolean_t wanted_chaining;
		96	unsigned int aflag;
		97	dns_rdatatype_t type;
		98	- dns_fixedname_t fdname, fqname;
		99	+ dns_fixedname_t fdname, fqname, fqdname;
		100	dns_view_t *view;
		101
		102	FCTXTRACE("answer_response");
		103	@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
		104
		105	done = ISC_FALSE;
		106	found_cname = ISC_FALSE;
		107	+ found_dname = ISC_FALSE;
		108	found_type = ISC_FALSE;
		109	chaining = ISC_FALSE;
		110	have_answer = ISC_FALSE;
		111	@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
		112	aa = ISC_TRUE;
		113	else
		114	aa = ISC_FALSE;
		115	- qname = &fctx->name;
		116	+ dqname = qname = &fctx->name;
		117	type = fctx->type;
		118	view = fctx->res->view;
		119	+ dns_fixedname_init(&fqdname);
		120	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
		121	while (!done && result == ISC_R_SUCCESS) {
		122	- dns_namereln_t namereln;
		123	+ dns_namereln_t namereln, dnamereln;
		124	int order;
		125	unsigned int nlabels;
		126
		127	@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
		128	dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
		129	external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
		130	namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
		131	+ dnamereln = dns_name_fullcompare(dqname, name, &order,
		132	+ &nlabels);
		133	if (namereln == dns_namereln_equal) {
		134	wanted_chaining = ISC_FALSE;
		135	for (rdataset = ISC_LIST_HEAD(name->list);
		136	@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) {
		137	}
		138	} else if (rdataset->type == dns_rdatatype_rrsig
		139	&& rdataset->covers ==
		140	- dns_rdatatype_cname
		141	+ dns_rdatatype_cname
		142	&& !found_type) {
		143	/*
		144	* We're looking for something else,
		145	@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) {
		146	* a CNAME or DNAME).
		147	*/
		148	INSIST(!external);
		149	- if (aflag ==
		150	- DNS_RDATASETATTR_ANSWER) {
		151	+ if ((rdataset->type !=
		152	+ dns_rdatatype_cname) \|\|
		153	+ !found_dname \|\|
		154	+ (aflag ==
		155	+ DNS_RDATASETATTR_ANSWER))
		156	+ {
		157	have_answer = ISC_TRUE;
		158	+ if (rdataset->type ==
		159	+ dns_rdatatype_cname)
		160	+ cname = name;
		161	name->attributes \|=
		162	- DNS_NAMEATTR_ANSWER;
		163	+ DNS_NAMEATTR_ANSWER;
		164	}
		165	rdataset->attributes \|= aflag;
		166	if (aa)
		167	@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
		168	return (DNS_R_FORMERR);
		169	}
		170
		171	- if (namereln != dns_namereln_subdomain) {
		172	+ if (dnamereln != dns_namereln_subdomain) {
		173	char qbuf[DNS_NAME_FORMATSIZE];
		174	char obuf[DNS_NAME_FORMATSIZE];
		175
		176	- dns_name_format(qname, qbuf,
		177	+ dns_name_format(dqname, qbuf,
		178	sizeof(qbuf));
		179	dns_name_format(name, obuf,
		180	sizeof(obuf));
		181	@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
		182	want_chaining = ISC_TRUE;
		183	POST(want_chaining);
		184	aflag = DNS_RDATASETATTR_ANSWER;
		185	- result = dname_target(rdataset, qname,
		186	+ result = dname_target(rdataset, dqname,
		187	nlabels, &fdname);
		188	if (result == ISC_R_NOSPACE) {
		189	/*
		190	@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
		191
		192	dname = dns_fixedname_name(&fdname);
		193	if (!is_answertarget_allowed(view,
		194	- qname, rdataset->type,
		195	- dname, &fctx->domain)) {
		196	+ dqname, rdataset->type,
		197	+ dname, &fctx->domain))
		198	+ {
		199	return (DNS_R_SERVFAIL);
		200	}
		201	+ dqname = dns_fixedname_name(&fqdname);
		202	+ dns_name_copy(dname, dqname, NULL);
		203	} else {
		204	/*
		205	* We've found a signature that
		206	@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
		207	INSIST(!external);
		208	if (aflag == DNS_RDATASETATTR_ANSWER) {
		209	have_answer = ISC_TRUE;
		210	+ found_dname = ISC_TRUE;
		211	+ if (cname != NULL)
		212	+ cname->attributes &=
		213	+ ~DNS_NAMEATTR_ANSWER;
		214	name->attributes \|=
		215	DNS_NAMEATTR_ANSWER;
		216	}
		217	--
		218	2.7.4
		219


diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb index 4e2e856b72..fa45809980 100644 --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -27,6 +27,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
27	file://CVE-2016-2088.patch \	27	file://CVE-2016-2088.patch \
28	file://CVE-2016-2775.patch \	28	file://CVE-2016-2775.patch \
29	file://CVE-2016-2776.patch \	29	file://CVE-2016-2776.patch \
		30	file://CVE-2016-8864.patch \
30	"	31	"
31		32
32	SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"	33	SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"