diff --git a/bind-9.11-CVE-2020-8622.patch b/bind-9.11-CVE-2020-8622.patch new file mode 100644 index 0000000000000000000000000000000000000000..74e8225e90cbf8523c9f61d15891dc9e7c3c9076 --- /dev/null +++ b/bind-9.11-CVE-2020-8622.patch @@ -0,0 +1,57 @@ +From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 18 Aug 2020 10:53:33 +0200 +Subject: [PATCH] Fix CVE-2020-8622 + +5476. [security] It was possible to trigger an assertion failure when + verifying the response to a TSIG-signed request. + (CVE-2020-8622) [GL #2028] +--- + lib/dns/message.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/lib/dns/message.c b/lib/dns/message.c +index d9e341a..7c813a5 100644 +--- a/lib/dns/message.c ++++ b/lib/dns/message.c +@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, + msg->header_ok = 0; + msg->question_ok = 0; + ++ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) { ++ isc_buffer_usedregion(&origsource, &msg->saved); ++ } else { ++ msg->saved.length = isc_buffer_usedlength(&origsource); ++ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length); ++ if (msg->saved.base == NULL) { ++ return (ISC_R_NOMEMORY); ++ } ++ memmove(msg->saved.base, isc_buffer_base(&origsource), ++ msg->saved.length); ++ msg->free_saved = 1; ++ } ++ + isc_buffer_remainingregion(source, &r); + if (r.length < DNS_MESSAGE_HEADERLEN) + return (ISC_R_UNEXPECTEDEND); +@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, + } + + truncated: +- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) +- isc_buffer_usedregion(&origsource, &msg->saved); +- else { +- msg->saved.length = isc_buffer_usedlength(&origsource); +- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length); +- if (msg->saved.base == NULL) +- return (ISC_R_NOMEMORY); +- memmove(msg->saved.base, isc_buffer_base(&origsource), +- msg->saved.length); +- msg->free_saved = 1; +- } + + if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) + return (DNS_R_RECOVERABLE); +-- +2.26.2 + diff --git a/bind-9.11-CVE-2020-8623.patch b/bind-9.11-CVE-2020-8623.patch new file mode 100644 index 0000000000000000000000000000000000000000..c076b0a45f6b9b6b9d82e0b5818aa0e415190001 --- /dev/null +++ b/bind-9.11-CVE-2020-8623.patch @@ -0,0 +1,399 @@ +From df11c6cb80238fb43c4a5994161cc2e70521ffb4 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 18 Aug 2020 10:54:39 +0200 +Subject: [PATCH] Fix CVE-2020-8623 + +5480. [security] When BIND 9 was compiled with native PKCS#11 support, it + was possible to trigger an assertion failure in code + determining the number of bits in the PKCS#11 RSA public + key with a specially crafted packet. (CVE-2020-8623) + [GL #2037] +--- + lib/dns/pkcs11dh_link.c | 15 ++++++- + lib/dns/pkcs11dsa_link.c | 8 +++- + lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++-------- + lib/isc/include/pk11/internal.h | 3 +- + lib/isc/pk11.c | 60 ++++++++++++++++--------- + 5 files changed, 121 insertions(+), 44 deletions(-) + +diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c +index c192b53..49ff58d 100644 +--- a/lib/dns/pkcs11dh_link.c ++++ b/lib/dns/pkcs11dh_link.c +@@ -747,6 +747,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { + CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; + CK_ATTRIBUTE *attr; + int special = 0; ++ unsigned int bits; + isc_result_t result; + + isc_buffer_remainingregion(data, &r); +@@ -851,7 +852,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { + pub = r.base; + isc_region_consume(&r, publen); + +- key->key_size = pk11_numbits(prime, plen_); ++ result = pk11_numbits(prime, plen_, &bits); ++ if (result != ISC_R_SUCCESS) { ++ goto cleanup; ++ } ++ key->key_size = bits; + + dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); + if (dh->repr == NULL) +@@ -1011,6 +1016,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; ++ unsigned int bits; + pk11_object_t *dh = NULL; + CK_ATTRIBUTE *attr; + isc_mem_t *mctx; +@@ -1081,7 +1087,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = pk11_attribute_bytype(dh, CKA_PRIME); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c +index 8d0fc62..3a8a0bb 100644 +--- a/lib/dns/pkcs11dsa_link.c ++++ b/lib/dns/pkcs11dsa_link.c +@@ -982,6 +982,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; ++ unsigned int bits; + pk11_object_t *dsa = NULL; + CK_ATTRIBUTE *attr; + isc_mem_t *mctx = key->mctx; +@@ -1071,7 +1072,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = pk11_attribute_bytype(dsa, CKA_PRIME); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c +index af6008d..9a736dd 100644 +--- a/lib/dns/pkcs11rsa_link.c ++++ b/lib/dns/pkcs11rsa_link.c +@@ -333,6 +333,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + key->key_alg == DST_ALG_RSASHA256 || + key->key_alg == DST_ALG_RSASHA512); + #endif ++ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS); + + /* + * Reject incorrect RSA key lengths. +@@ -376,6 +377,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + for (attr = pk11_attribute_first(rsa); + attr != NULL; + attr = pk11_attribute_next(rsa, attr)) ++ { + switch (attr->type) { + case CKA_MODULUS: + INSIST(keyTemplate[5].type == attr->type); +@@ -396,12 +398,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + memmove(keyTemplate[6].pValue, attr->pValue, + attr->ulValueLen); + keyTemplate[6].ulValueLen = attr->ulValueLen; +- if (pk11_numbits(attr->pValue, +- attr->ulValueLen) > maxbits && +- maxbits != 0) ++ unsigned int bits; ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, ++ &bits); ++ if (ret != ISC_R_SUCCESS || ++ (bits > maxbits && maxbits != 0)) { + DST_RET(DST_R_VERIFYFAILURE); ++ } + break; + } ++ } + pk11_ctx->object = CK_INVALID_HANDLE; + pk11_ctx->ontoken = ISC_FALSE; + PK11_RET(pkcs_C_CreateObject, +@@ -1075,6 +1081,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + keyTemplate[5].ulValueLen = attr->ulValueLen; + break; + case CKA_PUBLIC_EXPONENT: ++ unsigned int bits; + INSIST(keyTemplate[6].type == attr->type); + keyTemplate[6].pValue = isc_mem_get(dctx->mctx, + attr->ulValueLen); +@@ -1083,10 +1090,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + memmove(keyTemplate[6].pValue, attr->pValue, + attr->ulValueLen); + keyTemplate[6].ulValueLen = attr->ulValueLen; +- if (pk11_numbits(attr->pValue, +- attr->ulValueLen) +- > RSA_MAX_PUBEXP_BITS) ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, ++ &bits); ++ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS) ++ { + DST_RET(DST_R_VERIFYFAILURE); ++ } + break; + } + pk11_ctx->object = CK_INVALID_HANDLE; +@@ -1463,6 +1472,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + CK_BYTE *exponent = NULL, *modulus = NULL; + CK_ATTRIBUTE *attr; + unsigned int length; ++ unsigned int bits; ++ isc_result_t ret = ISC_R_SUCCESS; + + isc_buffer_remainingregion(data, &r); + if (r.length == 0) +@@ -1480,9 +1491,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + + if (e_bytes == 0) { + if (r.length < 2) { +- isc_safe_memwipe(rsa, sizeof(*rsa)); +- isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (DST_R_INVALIDPUBLICKEY); ++ DST_RET(DST_R_INVALIDPUBLICKEY); + } + e_bytes = (*r.base) << 8; + isc_region_consume(&r, 1); +@@ -1491,16 +1500,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + } + + if (r.length < e_bytes) { +- isc_safe_memwipe(rsa, sizeof(*rsa)); +- isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (DST_R_INVALIDPUBLICKEY); ++ DST_RET(DST_R_INVALIDPUBLICKEY); + } + exponent = r.base; + isc_region_consume(&r, e_bytes); + modulus = r.base; + mod_bytes = r.length; + +- key->key_size = pk11_numbits(modulus, mod_bytes); ++ ret = pk11_numbits(modulus, mod_bytes, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + isc_buffer_forward(data, length); + +@@ -1550,9 +1561,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + rsa->repr, + rsa->attrcnt * sizeof(*attr)); + } ++ ret = ISC_R_NOMEMORY; ++ ++ err: + isc_safe_memwipe(rsa, sizeof(*rsa)); + isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (ISC_R_NOMEMORY); ++ return (ret); + } + + static isc_result_t +@@ -1731,6 +1745,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, + pk11_object_t *pubrsa; + pk11_context_t *pk11_ctx = NULL; + isc_result_t ret; ++ unsigned int bits; + + if (label == NULL) + return (DST_R_NOENGINE); +@@ -1815,7 +1830,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +@@ -1901,6 +1920,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + CK_ATTRIBUTE *attr; + isc_mem_t *mctx = key->mctx; + const char *engine = NULL, *label = NULL; ++ unsigned int bits; + + /* read private key file */ + ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); +@@ -2044,12 +2064,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); + INSIST(attr != NULL); +- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ if (bits > RSA_MAX_PUBEXP_BITS) { + DST_RET(ISC_R_RANGE); ++ } + + dst__privstruct_free(&priv, mctx); + isc_safe_memwipe(&priv, sizeof(priv)); +@@ -2084,6 +2114,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + pk11_context_t *pk11_ctx = NULL; + isc_result_t ret; + unsigned int i; ++ unsigned int bits; + + UNUSED(pin); + +@@ -2178,12 +2209,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + + attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); + INSIST(attr != NULL); +- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ if (bits > RSA_MAX_PUBEXP_BITS) { + DST_RET(ISC_R_RANGE); ++ } + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + pk11_return_session(pk11_ctx); + isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); +diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h +index 603712a..b9680bc 100644 +--- a/lib/isc/include/pk11/internal.h ++++ b/lib/isc/include/pk11/internal.h +@@ -27,7 +27,8 @@ void pk11_mem_put(void *ptr, size_t size); + + CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype); + +-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt); ++isc_result_t ++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits); + + CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj); + +diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c +index 48e1031..792b2e3 100644 +--- a/lib/isc/pk11.c ++++ b/lib/isc/pk11.c +@@ -985,13 +985,15 @@ pk11_get_best_token(pk11_optype_t optype) { + return (token->slotid); + } + +-unsigned int +-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { ++isc_result_t ++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) { + unsigned int bitcnt, i; + CK_BYTE top; + +- if (bytecnt == 0) +- return (0); ++ if (bytecnt == 0) { ++ *bits = 0; ++ return (ISC_R_SUCCESS); ++ } + bitcnt = bytecnt * 8; + for (i = 0; i < bytecnt; i++) { + top = data[i]; +@@ -999,25 +1001,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { + bitcnt -= 8; + continue; + } +- if (top & 0x80) +- return (bitcnt); +- if (top & 0x40) +- return (bitcnt - 1); +- if (top & 0x20) +- return (bitcnt - 2); +- if (top & 0x10) +- return (bitcnt - 3); +- if (top & 0x08) +- return (bitcnt - 4); +- if (top & 0x04) +- return (bitcnt - 5); +- if (top & 0x02) +- return (bitcnt - 6); +- if (top & 0x01) +- return (bitcnt - 7); ++ if (top & 0x80) { ++ *bits = bitcnt; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x40) { ++ *bits = bitcnt - 1; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x20) { ++ *bits = bitcnt - 2; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x10) { ++ *bits = bitcnt - 3; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x08) { ++ *bits = bitcnt - 4; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x04) { ++ *bits = bitcnt - 5; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x02) { ++ *bits = bitcnt - 6; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x01) { ++ *bits = bitcnt - 7; ++ return (ISC_R_SUCCESS); ++ } + break; + } +- INSIST(0); ++ return (ISC_R_RANGE); + } + + CK_ATTRIBUTE * +-- +2.26.2 + diff --git a/bind-9.11-CVE-2020-8624.patch b/bind-9.11-CVE-2020-8624.patch new file mode 100644 index 0000000000000000000000000000000000000000..ff70e8106a7888032a3805a3d4d8e00566a4e1bf --- /dev/null +++ b/bind-9.11-CVE-2020-8624.patch @@ -0,0 +1,32 @@ +From ba28f7a158f7b7f3f16a75270cee0b71059e7e79 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 18 Aug 2020 10:55:50 +0200 +Subject: [PATCH] Fix CVE-2020-8624 + +5481. [security] "update-policy" rules of type "subdomain" were + incorrectly treated as "zonesub" rules, which allowed + keys used in "subdomain" rules to update names outside + of the specified subdomains. The problem was fixed by + making sure "subdomain" rules are again processed as + described in the ARM. (CVE-2020-8624) [GL #2055] +--- + bin/named/zoneconf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c +index 9bf5bfe..3aee3d2 100644 +--- a/bin/named/zoneconf.c ++++ b/bin/named/zoneconf.c +@@ -234,7 +234,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, + + str = cfg_obj_asstring(matchtype); + CHECK(dns_ssu_mtypefromstring(str, &mtype)); +- if (mtype == dns_ssumatchtype_subdomain) { ++ if (mtype == dns_ssumatchtype_subdomain && ++ strcasecmp(str, "zonesub") == 0) { + usezone = ISC_TRUE; + } + +-- +2.26.2 + diff --git a/bind-9.11-CVE-2020-8625.patch b/bind-9.11-CVE-2020-8625.patch new file mode 100644 index 0000000000000000000000000000000000000000..75c150654fe43595a12b9aa86515377601863994 --- /dev/null +++ b/bind-9.11-CVE-2020-8625.patch @@ -0,0 +1,27 @@ +From 9f331a945071365ccc0cfba24241c4af6919af30 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 15 Feb 2021 12:18:14 +0100 +Subject: [PATCH] CVE-2020-8625 + +5562. [security] Fix off-by-one bug in ISC SPNEGO implementation. + (CVE-2020-8625) [GL #2354] +--- + lib/dns/spnego.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c +index dea108b..13cf15d 100644 +--- a/lib/dns/spnego.c ++++ b/lib/dns/spnego.c +@@ -877,7 +877,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) { + return (ASN1_OVERRUN); + } + +- data->components = malloc(len * sizeof(*data->components)); ++ data->components = malloc((len + 1) * sizeof(*data->components)); + if (data->components == NULL) { + return (ENOMEM); + } +-- +2.26.2 + diff --git a/bind-9.11-CVE-2021-25214.patch b/bind-9.11-CVE-2021-25214.patch new file mode 100644 index 0000000000000000000000000000000000000000..83f445bd3a2c13f8fcf48c8af9cc0aeb98492354 --- /dev/null +++ b/bind-9.11-CVE-2021-25214.patch @@ -0,0 +1,44 @@ +From 4eff09c6b1e524b0efc393ee948b5c4cdf16ccb8 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 3 Feb 2021 11:10:20 +1100 +Subject: [PATCH] Check SOA owner names in zone transfers + +An IXFR containing SOA records with owner names different than the +transferred zone's origin can result in named serving a version of that +zone without an SOA record at the apex. This causes a RUNTIME_CHECK +assertion failure the next time such a zone is refreshed. Fix by +immediately rejecting a zone transfer (either an incremental or +non-incremental one) upon detecting an SOA record not placed at the apex +of the transferred zone. +--- + lib/dns/xfrin.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c +index 3a3f407289..0ba82e4974 100644 +--- a/lib/dns/xfrin.c ++++ b/lib/dns/xfrin.c +@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl, + dns_rdatatype_ismeta(rdata->type)) + FAIL(DNS_R_FORMERR); + ++ /* ++ * Immediately reject the entire transfer if the RR that is currently ++ * being processed is an SOA record that is not placed at the zone ++ * apex. ++ */ ++ if (rdata->type == dns_rdatatype_soa && ++ !dns_name_equal(&xfr->name, name)) { ++ char namebuf[DNS_NAME_FORMATSIZE]; ++ dns_name_format(name, namebuf, sizeof(namebuf)); ++ xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'", ++ namebuf); ++ FAIL(DNS_R_NOTZONETOP); ++ } ++ + redo: + switch (xfr->state) { + case XFRST_SOAQUERY: +-- +2.26.3 + diff --git a/bind-9.11-CVE-2021-25215.patch b/bind-9.11-CVE-2021-25215.patch new file mode 100644 index 0000000000000000000000000000000000000000..4f62a10425ce4d61543a6a603115a102288e9ee9 --- /dev/null +++ b/bind-9.11-CVE-2021-25215.patch @@ -0,0 +1,40 @@ +From 6fc38d1c75ce5a6172267e6ca162c4fdc09657ad Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 27 Apr 2021 10:56:12 +0200 +Subject: [PATCH 2/2] CVE-2021-25215 + +5616. [security] named crashed when a DNAME record placed in the ANSWER + section during DNAME chasing turned out to be the final + answer to a client query. (CVE-2021-25215) [GL #2540] +--- + bin/named/query.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/bin/named/query.c b/bin/named/query.c +index a95f5ad..11a888e 100644 +--- a/bin/named/query.c ++++ b/bin/named/query.c +@@ -9301,10 +9301,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + if (noqname != NULL) + query_addnoqnameproof(client, noqname); + /* +- * We shouldn't ever fail to add 'rdataset' +- * because it's already in the answer. ++ * 'rdataset' will only be non-NULL here if the ANSWER section ++ * of the message to be sent to the client already contains an ++ * RRset with the same owner name and the same type as ++ * 'rdataset'. This should never happen, with one exception: ++ * when chasing DNAME records, one of the DNAME records placed ++ * in the ANSWER section may turn out to be the final answer to ++ * the client's query, but we have no way of knowing that until ++ * now. In such a case, 'rdataset' will be freed later, so we ++ * do not need to free it here. + */ +- INSIST(rdataset == NULL); ++ INSIST(rdataset == NULL || qtype == dns_rdatatype_dname); + } + + addauth: +-- +2.26.3 + diff --git a/bind-9.11-rh1889902.patch b/bind-9.11-rh1889902.patch new file mode 100644 index 0000000000000000000000000000000000000000..390e68565588c39054a6c04aa3178ee4c1680519 --- /dev/null +++ b/bind-9.11-rh1889902.patch @@ -0,0 +1,512 @@ +commit 0f835f7eff5bbd45461b9b43276267ff3c953ece +Author: Tomas Korbar +Date: Fri Nov 13 10:23:42 2020 +0100 + + Fix inline resigning + +diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in +index 564c084..5cd0b05 100644 +--- a/bin/tests/system/conf.sh.in ++++ b/bin/tests/system/conf.sh.in +@@ -69,6 +69,8 @@ LWTEST=$TOP/bin/tests/system/lwresd/lwtest + MAKEJOURNAL=$TOP/bin/tests/makejournal + PIPEQUERIES=$TOP/bin/tests/system/pipelined/pipequeries + SAMPLEUPDATE=$TOP/lib/samples/sample-update ++DEFAULT_ALGORITHM=ECDSAP256SHA256 ++DEFAULT_BITS=256 + + # we don't want a KRB5_CONFIG setting breaking the tests + KRB5_CONFIG=/dev/null +@@ -364,3 +366,5 @@ export SAMPLEUPDATE + export SIGNER + export SUBDIRS + export TESTSOCK6 ++export DEFAULT_ALGORITHM ++export DEFAULT_BITS +diff --git a/bin/tests/system/inline/ns8/example.com.db.in b/bin/tests/system/inline/ns8/example.com.db.in +new file mode 100644 +index 0000000..eb39aa7 +--- /dev/null ++++ b/bin/tests/system/inline/ns8/example.com.db.in +@@ -0,0 +1,19 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns8 . ( ++ 2000042407 ; serial ++ 20 ; refresh (20 seconds) ++ 20 ; retry (20 seconds) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns8 ++ns8 A 10.53.0.8 +diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in +new file mode 100644 +index 0000000..ea4876b +--- /dev/null ++++ b/bin/tests/system/inline/ns8/named.conf.in +@@ -0,0 +1,146 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++// NS8 ++ ++include "../../common/rndc.key"; ++ ++controls { ++ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++options { ++ query-source address 10.53.0.8; ++ notify-source 10.53.0.8; ++ transfer-source 10.53.0.8; ++ port @PORT@; ++ pid-file "named.pid"; ++ session-keyfile "session.key"; ++ listen-on { 10.53.0.8; }; ++ listen-on-v6 { none; }; ++ recursion no; ++ notify yes; ++ try-tcp-refresh no; ++ notify-delay 0; ++ allow-new-zones yes; ++}; ++ ++zone "example01.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example01.com.db"; ++}; ++ ++zone "example02.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example02.com.db"; ++}; ++ ++zone "example03.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example03.com.db"; ++}; ++ ++zone "example04.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example04.com.db"; ++}; ++ ++zone "example05.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example05.com.db"; ++}; ++ ++zone "example06.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example06.com.db"; ++}; ++ ++zone "example07.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example07.com.db"; ++}; ++ ++zone "example08.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example08.com.db"; ++}; ++ ++zone "example09.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example09.com.db"; ++}; ++ ++zone "example10.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example10.com.db"; ++}; ++ ++zone "example11.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example11.com.db"; ++}; ++ ++zone "example12.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example12.com.db"; ++}; ++ ++zone "example13.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example13.com.db"; ++}; ++ ++zone "example14.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example14.com.db"; ++}; ++ ++zone "example15.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example15.com.db"; ++}; ++ ++zone "example16.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example16.com.db"; ++}; +diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh +new file mode 100644 +index 0000000..5d36cb9 +--- /dev/null ++++ b/bin/tests/system/inline/ns8/sign.sh +@@ -0,0 +1,26 @@ ++#!/bin/sh -e ++# ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++ ++SYSTEMTESTTOP=../.. ++. $SYSTEMTESTTOP/conf.sh ++ ++for zone in example01.com example02.com example03.com example04.com \ ++ example05.com example06.com example07.com example08.com \ ++ example09.com example10.com example11.com example12.com \ ++ example13.com example14.com example15.com example16.com ++do ++ rm -f K${zone}.+*+*.key ++ rm -f K${zone}.+*+*.private ++ keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` ++ keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone` ++ cp example.com.db.in ${zone}.db ++ $SIGNER -S -T 3600 -O raw -o ${zone} ${zone}.db > /dev/null 2>&1 ++done +diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh +index 4dd4dd0..13dd6c7 100644 +--- a/bin/tests/system/inline/setup.sh ++++ b/bin/tests/system/inline/setup.sh +@@ -49,7 +49,9 @@ copy_setports ns4/named.conf.in ns4/named.conf + copy_setports ns5/named.conf.pre ns5/named.conf + copy_setports ns6/named.conf.in ns6/named.conf + copy_setports ns7/named.conf.in ns7/named.conf ++copy_setports ns8/named.conf.in ns8/named.conf + + (cd ns3; $SHELL -e sign.sh) + (cd ns1; $SHELL -e sign.sh) + (cd ns7; $SHELL -e sign.sh) ++(cd ns8; $SHELL -e sign.sh) +diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh +index b517138..22fc1af 100755 +--- a/bin/tests/system/inline/tests.sh ++++ b/bin/tests/system/inline/tests.sh +@@ -1342,5 +1342,24 @@ grep "type: slave" rndc.out.ns3.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + ++n=`expr $n + 1` ++echo_i "checking reload of touched inline zones ($n)" ++echo_ic "pre-reload 'next key event'" ++nextpart ns8/named.run > nextpart.pre$n.out ++count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l` ++echo_ic "found: $count/16" ++[ $count -eq 16 ] || ret=1 ++echo_ic "touch and reload" ++touch ns8/example??.com.db ++$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 5 ++echo_ic "post-reload 'next key event'" ++nextpart ns8/named.run > nextpart.post$n.out ++count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l` ++echo_ic "found: $count/16" ++[ $count -eq 16 ] || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 96c98d5..42a1811 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -3611,6 +3611,8 @@ set_resigntime(dns_zone_t *zone) { + isc_uint32_t nanosecs; + dns_db_t *db = NULL; + ++ INSIST(LOCKED_ZONE(zone)); ++ + /* We only re-sign zones that can be dynamically updated */ + if (zone->update_disabled) + return; +@@ -4958,6 +4960,14 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, + DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED)) + { + DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING); ++ /* ++ * Re-start zone maintenance if it had been stalled ++ * due to DNS_ZONEFLG_LOADPENDING being set when ++ * zone_maintenance was called. ++ */ ++ if (zone->secure->task != NULL) { ++ zone_settimer(zone->secure, &now); ++ } + } + + return (result); +@@ -6672,14 +6682,15 @@ zone_resigninc(dns_zone_t *zone) { + if (version != NULL) { + dns_db_closeversion(db, &version, ISC_FALSE); + dns_db_detach(&db); +- } else if (db != NULL) ++ } else if (db != NULL) { + dns_db_detach(&db); ++ } ++ ++ LOCK_ZONE(zone); + if (result == ISC_R_SUCCESS) { + set_resigntime(zone); +- LOCK_ZONE(zone); + zone_needdump(zone, DNS_DUMP_DELAY); + DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); +- UNLOCK_ZONE(zone); + } else { + /* + * Something failed. Retry in 5 minutes. +@@ -6688,6 +6699,7 @@ zone_resigninc(dns_zone_t *zone) { + isc_interval_set(&ival, 300, 0); + isc_time_nowplusinterval(&zone->resigntime, &ival); + } ++ UNLOCK_ZONE(zone); + + INSIST(version == NULL); + } +@@ -8177,7 +8189,9 @@ zone_nsec3chain(dns_zone_t *zone) { + nsec3chain = ISC_LIST_HEAD(cleanup); + } + ++ LOCK_ZONE(zone); + set_resigntime(zone); ++ UNLOCK_ZONE(zone); + + failure: + if (result != ISC_R_SUCCESS) +@@ -8841,14 +8855,14 @@ zone_sign(dns_zone_t *zone) { + signing = ISC_LIST_HEAD(cleanup); + } + ++ LOCK_ZONE(zone); + set_resigntime(zone); + + if (commit) { +- LOCK_ZONE(zone); + DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); + zone_needdump(zone, DNS_DUMP_DELAY); +- UNLOCK_ZONE(zone); + } ++ UNLOCK_ZONE(zone); + + failure: + /* +@@ -8885,6 +8899,7 @@ zone_sign(dns_zone_t *zone) { + } else if (db != NULL) + dns_db_detach(&db); + ++ LOCK_ZONE(zone); + if (ISC_LIST_HEAD(zone->signing) != NULL) { + isc_interval_t interval; + if (zone->update_disabled || result != ISC_R_SUCCESS) +@@ -8892,8 +8907,10 @@ zone_sign(dns_zone_t *zone) { + else + isc_interval_set(&interval, 0, 10000000); /* 10 ms */ + isc_time_nowplusinterval(&zone->signingtime, &interval); +- } else ++ } else { + isc_time_settoepoch(&zone->signingtime); ++ } ++ UNLOCK_ZONE(zone); + + INSIST(version == NULL); + } +@@ -9983,7 +10000,7 @@ zone_maintenance(dns_zone_t *zone) { + const char me[] = "zone_maintenance"; + isc_time_t now; + isc_result_t result; +- isc_boolean_t dumping; ++ isc_boolean_t dumping, viewok; + + REQUIRE(DNS_ZONE_VALID(zone)); + ENTER; +@@ -10001,8 +10018,12 @@ zone_maintenance(dns_zone_t *zone) { + * adb or resolver will be NULL, and we had better not try + * to do further maintenance on it. + */ +- if (zone->view == NULL || zone->view->adb == NULL) ++ LOCK_ZONE(zone); ++ viewok = (zone->view != NULL && zone->view->adb != NULL); ++ UNLOCK_ZONE(zone); ++ if (!viewok) { + return; ++ } + + TIME_NOW(&now); + +@@ -10195,8 +10216,14 @@ dns_zone_markdirty(dns_zone_t *zone) { + } + + /* XXXMPA make separate call back */ +- if (result == ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS) { + set_resigntime(zone); ++ if (zone->task != NULL) { ++ isc_time_t now; ++ TIME_NOW(&now); ++ zone_settimer(zone, &now); ++ } ++ } + } + if (secure != NULL) + UNLOCK_ZONE(secure); +@@ -14418,6 +14445,11 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) { + zone->sourceserialset = ISC_TRUE; + zone_needdump(zone, DNS_DUMP_DELAY); + ++ /* ++ * Set resign time to make sure it is set to the earliest ++ * signature expiration. ++ */ ++ set_resigntime(zone); + TIME_NOW(&timenow); + zone_settimer(zone, &timenow); + UNLOCK_ZONE(zone); +@@ -14436,9 +14468,15 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) { + + if (zone->rss_raw != NULL) + dns_zone_detach(&zone->rss_raw); +- if (result != ISC_R_SUCCESS) ++ if (result != ISC_R_SUCCESS) { ++ LOCK_ZONE(zone); ++ set_resigntime(zone); ++ TIME_NOW(&timenow); ++ zone_settimer(zone, &timenow); ++ UNLOCK_ZONE(zone); + dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_serial: %s", + dns_result_totext(result)); ++ } + if (tuple != NULL) + dns_difftuple_free(&tuple); + if (soatuple != NULL) +@@ -18096,10 +18134,11 @@ zone_rekey(dns_zone_t *zone) { + + dns_db_closeversion(db, &ver, ISC_TRUE); + ++ LOCK_ZONE(zone); ++ + if (commit) { + dns_difftuple_t *tuple; + +- LOCK_ZONE(zone); + DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); + + zone_needdump(zone, DNS_DUMP_DELAY); +@@ -18217,7 +18256,6 @@ zone_rekey(dns_zone_t *zone) { + * Schedule the next resigning event + */ + set_resigntime(zone); +- UNLOCK_ZONE(zone); + } + + isc_time_settoepoch(&zone->refreshkeytime); +@@ -18231,11 +18269,9 @@ zone_rekey(dns_zone_t *zone) { + isc_time_t timethen; + isc_stdtime_t then; + +- LOCK_ZONE(zone); + DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval, + &timethen); + zone->refreshkeytime = timethen; +- UNLOCK_ZONE(zone); + + for (key = ISC_LIST_HEAD(dnskeys); + key != NULL; +@@ -18246,12 +18282,10 @@ zone_rekey(dns_zone_t *zone) { + continue; + + DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen); +- LOCK_ZONE(zone); + if (isc_time_compare(&timethen, + &zone->refreshkeytime) < 0) { + zone->refreshkeytime = timethen; + } +- UNLOCK_ZONE(zone); + } + + zone_settimer(zone, &timenow); +@@ -18259,6 +18293,7 @@ zone_rekey(dns_zone_t *zone) { + isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); + dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf); + } ++ UNLOCK_ZONE(zone); + + done: + dns_diff_clear(&diff); +@@ -18293,8 +18328,10 @@ zone_rekey(dns_zone_t *zone) { + * Something went wrong; try again in ten minutes or + * after a key refresh interval, whichever is shorter. + */ ++ LOCK_ZONE(zone); + isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600), 0); + isc_time_nowplusinterval(&zone->refreshkeytime, &ival); ++ UNLOCK_ZONE(zone); + goto done; + } + diff --git a/bind.spec b/bind.spec index 7aad09a8728acfe287910c53d7bb76c600a4c340..9a6521677e91ea0db58d19bf83c9429ec065994f 100644 --- a/bind.spec +++ b/bind.spec @@ -64,7 +64,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.4 -Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.7 Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -172,6 +172,15 @@ Patch185: bind-9.11-CVE-2020-8616-test.patch Patch186: bind-9.11-CVE-2020-8617-test.patch Patch187: bind-9.11-rh1832812.patch Patch188: bind-9.11-edns512-tcp-loops.patch +Patch189: bind-9.11-CVE-2020-8622.patch +Patch190: bind-9.11-CVE-2020-8623.patch +Patch191: bind-9.11-CVE-2020-8624.patch +Patch192: bind98-rh1769876.patch +Patch193: bind-9.11-rh1889902.patch +Patch194: bind-9.11-CVE-2020-8625.patch +Patch195: bind-9.11-CVE-2021-25215.patch +# https://gitlab.isc.org/isc-projects/bind9/commit/dfadbc9d7b485b1af62d77ad6c309792bbaabfdf +Patch196: bind-9.11-CVE-2021-25214.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -537,6 +546,14 @@ are used for building ISC DHCP. %patch186 -p1 -b .CVE-2020-8616-test %patch187 -p1 -b .rh1832812 %patch188 -p1 -b .edns512-loops +%patch189 -p1 -b .CVE-2020-8622 +%patch190 -p1 -b .CVE-2020-8623 +%patch191 -p1 -b .CVE-2020-8624 +%patch192 -p1 -b .rh1769876 +%patch193 -p1 -b .rh1889902 +%patch194 -p1 -b .CVE-2020-8625 +%patch195 -p1 -b .CVE-2021-25215 +%patch196 -p1 -b .CVE-2021-25214 # Override upstream builtin keys cp -fp %{SOURCE29} bind.keys @@ -1518,6 +1535,29 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Tue Jul 13 2021 Petr Menšík - 32:9.11.4-26.P2.7 +- Apply again patch 172, got removed by mistake + +* Mon May 17 2021 Petr Menšík - 32:9.11.4-26.P2.6 +- Insufficient IXFR checks could lead to assertion failure (CVE-2021-25214) + +* Tue Apr 27 2021 Petr Menšík - 32:9.11.4-26.P2.5 +- Possible assertion failure on DNAME processing (CVE-2021-25215) + +* Mon Feb 15 2021 Petr Menšík - 32:9.11.4-26.P2.4 +- Fix off-by-one bug in ISC SPNEGO implementation (CVE-2020-8625) + +* Fri Nov 06 2020 Tomas Korbar - 32:9.11.4-26.P2.3 +- Fix inline re-signing (#rh1889902) + +* Fri Oct 02 2020 Tomas Korbar - 32:9.11.4-26.P2.2 +- Fix unsupported algorithms validation (#rh1769876) + +* Wed Aug 26 2020 Petr Menšík - 32:9.11.4-26.P2.1 +- Fix tsig-request verify (CVE-2020-8622) +- Prevent PKCS11 daemon crash on crafted packet (CVE-2020-8623) +- Correct update-policy type subdomain to match documentation (CVE-2020-8624) + * Fri May 29 2020 Artem Egorenkov - 32:9.11.4-26.P2 - Fix EDNS512 loops on broken servers diff --git a/bind98-rh1769876.patch b/bind98-rh1769876.patch new file mode 100644 index 0000000000000000000000000000000000000000..00c6a577dbcde367b8bc906fe383ff1d93357a3b --- /dev/null +++ b/bind98-rh1769876.patch @@ -0,0 +1,64 @@ +From 02b8356a19b119d895d611c9ce17f24a207faa6d Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 23 Jun 2020 10:26:01 +1000 +Subject: [PATCH] The validator could fail when select_signing_key/get_dst_key + failed + +to select the signing key because the algorithm was not supported +and the loop was prematurely aborted. + +(cherry picked from commit d475f3aeedbb0dff940ff5bd25c71fcfc3a71f95) +--- + lib/dns/validator.c | 33 ++++++++++++++++----------------- + 1 file changed, 16 insertions(+), 17 deletions(-) + +diff --git a/lib/dns/validator.c b/lib/dns/validator.c +index 864301ba1b..092de65172 100644 +--- a/lib/dns/validator.c ++++ b/lib/dns/validator.c +@@ -1651,26 +1651,25 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo, + INSIST(val->key == NULL); + result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b, + val->view->mctx, &val->key); +- if (result != ISC_R_SUCCESS) +- goto failure; +- if (siginfo->algorithm == +- (dns_secalg_t)dst_key_alg(val->key) && +- siginfo->keyid == +- (dns_keytag_t)dst_key_id(val->key) && +- dst_key_iszonekey(val->key)) +- { +- if (foundold) +- /* +- * This is the key we're looking for. +- */ +- return (ISC_R_SUCCESS); +- else if (dst_key_compare(oldkey, val->key) == ISC_TRUE) ++ if (result == ISC_R_SUCCESS) { ++ if (siginfo->algorithm == ++ (dns_secalg_t)dst_key_alg(val->key) && ++ siginfo->keyid == ++ (dns_keytag_t)dst_key_id(val->key) && ++ dst_key_iszonekey(val->key)) + { +- foundold = ISC_TRUE; +- dst_key_free(&oldkey); ++ if (foundold) { ++ /* ++ * This is the key we're looking for. ++ */ ++ return (ISC_R_SUCCESS); ++ } else if (dst_key_compare(oldkey, val->key)) { ++ foundold = ISC_TRUE; ++ dst_key_free(&oldkey); ++ } + } ++ dst_key_free(&val->key); + } +- dst_key_free(&val->key); + dns_rdata_reset(&rdata); + result = dns_rdataset_next(rdataset); + } while (result == ISC_R_SUCCESS); +-- +2.26.2 +