diff --git a/0001-CVE-2023-3341.patch b/0001-CVE-2023-3341.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a5d4f44bb31d143eabd6151a1951330e95bb4e73
--- /dev/null
+++ b/0001-CVE-2023-3341.patch
@@ -0,0 +1,151 @@
+diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
+index 14146986f0..a43772e941 100644
+--- a/lib/isc/include/isc/result.h
++++ b/lib/isc/include/isc/result.h
+@@ -270,8 +270,9 @@
+ ISCCC_R_EXPIRED,
+ ISCCC_R_CLOCKSKEW,
+ ISCCC_R_DUPLICATE,
++ ISCCC_R_MAXDEPTH,
+ 
+- ISC_R_NRESULTS = ISCCC_R_DUPLICATE + 1, /*% The number of results. */
++ ISC_R_NRESULTS = ISCCC_R_MAXDEPTH + 1, /*% The number of results. */
+ ISC_R_MAKE_ENUM_32BIT = INT32_MAX,
+ } isc_result_t;
+ 
+diff --git a/lib/isc/result.c b/lib/isc/result.c
+index b8a0c0da43..edbc8fd518 100644
+--- a/lib/isc/result.c
++++ b/lib/isc/result.c
+@@ -268,6 +268,7 @@ static const char *description[ISC_R_NRESULTS] = {
+ [ISCCC_R_EXPIRED] = "expired",
+ [ISCCC_R_CLOCKSKEW] = "clock skew",
+ [ISCCC_R_DUPLICATE] = "duplicate",
++ [ISCCC_R_MAXDEPTH] = "max depth",
+ };
+ 
+ static const char *identifier[ISC_R_NRESULTS] = {
+@@ -517,6 +518,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
+ [ISCCC_R_EXPIRED] = "ISCCC_R_EXPIRED",
+ [ISCCC_R_CLOCKSKEW] = "ISCCC_R_CLOCKSKEW",
+ [ISCCC_R_DUPLICATE] = "ISCCC_R_DUPLICATE",
++ [ISCCC_R_MAXDEPTH] = "ISCCC_R_MAXDEPTH",
+ };
+ 
+ STATIC_ASSERT((DNS_R_SERVFAIL - DNS_R_NOERROR == 2),
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index 52914ed5ae..cbd9badd3a 100644
+--- a/lib/isccc/cc.c
++++ b/lib/isccc/cc.c
+@@ -52,6 +52,10 @@
+ 
+ #define MAX_TAGS 256
+ #define DUP_LIFETIME 900
++#ifndef ISCCC_MAXDEPTH
++#define ISCCC_MAXDEPTH \
++ 10 /* Big enough for rndc which just sends a string each way. 
*/
++#endif
+ 
+ typedef isccc_sexpr_t *sexpr_ptr;
+ 
+@@ -484,19 +488,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp);
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
++list_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **listp);
+ 
+ static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
++value_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **valuep) {
+ unsigned int msgtype;
+ uint32_t len;
+ isccc_sexpr_t *value;
+ isccc_region_t active;
+ isc_result_t result;
+ 
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++ 
+ if (REGION_SIZE(*source) < 1 + 4) {
+ return (ISC_R_UNEXPECTEDEND);
+ }
+@@ -517,9 +527,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+ result = ISC_R_NOMEMORY;
+ }
+ } else if (msgtype == ISCCC_CCMSGTYPE_TABLE) {
+- result = table_fromwire(&active, NULL, 0, valuep);
++ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+ } else if (msgtype == ISCCC_CCMSGTYPE_LIST) {
+- result = list_fromwire(&active, valuep);
++ result = list_fromwire(&active, depth + 1, valuep);
+ } else {
+ result = ISCCC_R_SYNTAX;
+ }
+@@ -529,7 +539,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp) {
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) {
+ char key[256];
+ uint32_t len;
+ isc_result_t result;
+@@ -539,6 +549,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ 
+ REQUIRE(alistp != NULL && *alistp == NULL);
+ 
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++ 
+ 
checksum_rstart = NULL;
+ first_tag = true;
+ alist = isccc_alist_create();
+@@ -555,7 +569,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ GET_MEM(key, len, source->rstart);
+ key[len] = '\0'; /* Ensure NUL termination. */
+ value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+ if (result != ISC_R_SUCCESS) {
+ goto bad;
+ }
+@@ -593,14 +607,19 @@ bad:
+ }
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
++list_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **listp) {
+ isccc_sexpr_t *list, *value;
+ isc_result_t result;
+ 
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++ 
+ list = NULL;
+ while (!REGION_EMPTY(*source)) {
+ value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+ if (result != ISC_R_SUCCESS) {
+ isccc_sexpr_free(&list);
+ return (result);
+@@ -632,7 +651,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+ return (ISCCC_R_UNKNOWNVERSION);
+ }
+ 
+- return (table_fromwire(source, secret, algorithm, alistp));
++ return (table_fromwire(source, secret, algorithm, 0, alistp));
+ }
+ 
+ static isc_result_t
diff --git a/0002-CVE-2023-4236.patch b/0002-CVE-2023-4236.patch
new file mode 100644
index 0000000000000000000000000000000000000000..55e7dd85e63b51c49757c005faae141356d317b1
--- /dev/null
+++ b/0002-CVE-2023-4236.patch
@@ -0,0 +1,17 @@
+diff --git a/lib/isc/netmgr/tlsdns.c b/lib/isc/netmgr/tlsdns.c
+index 52c72e0fca..4af4289be3 100644
+--- a/lib/isc/netmgr/tlsdns.c
++++ b/lib/isc/netmgr/tlsdns.c
+@@ -1866,9 +1866,11 @@ tlsdns_send_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
+ }
+ 
+ result = tls_cycle(sock);
++ if (result != ISC_R_SUCCESS) {
++ return (result);
++ }
+ 
+ requeue:
+-
+ tlsdns_send_enqueue(sock, req);
+ 
+ return (result);
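Review bot: The nesting budget that `ISCCC_MAXDEPTH` actually grants is not stated next to the macro in `cc.c`: `value_fromwire` calls `table_fromwire`/`list_fromwire` with `depth + 1`, and both of those call `value_fromwire` with `depth + 1` again, so every nested table or list costs two units and the default of 10 allows roughly five levels of nesting. A comment beside the definition such as `/* Incremented twice per nesting level (value -> table/list -> value), so 10 permits about five nested tables or lists. */` would let a packager who overrides it through the `#ifndef` guard pick a value knowingly. The three `depth > ISCCC_MAXDEPTH` checks sit before any allocation (`isccc_alist_create()` in `table_fromwire`, the accumulation loop in `list_fromwire`), so the early returns do not leak; whether anything logs the new `ISCCC_R_MAXDEPTH` result when a peer trips it is outside this patch.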
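Review bot: The new early return in `tlsdns_send_direct` hands back the `tls_cycle()` failure without doing anything with `req`, whereas the success path passes `req` on to `tlsdns_send_enqueue()`; whether the callers release the request on a non-success return, or whether it now leaks on every failed TLS send, cannot be seen from this hunk because the function begins above it and its callers are not in the patch, so confirm that before merging. With the guard in place the trailing `return (result);` can only yield `ISC_R_SUCCESS` when reached from this path, so a short comment on the `requeue:` label naming the other jump sites that presumably set `result` (none are visible here) would help the next reader.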
diff --git a/bind.spec b/bind.spec index 4ca5e8aa39b68400fa51071f70e96d2ee1332e82..9593edcd79d2775598b4aad4a51dad3082f68bfe 100644 --- a/bind.spec +++ b/bind.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 # bcond_without is built by default, unless --without X is passed # bcond_with is built only when --with X is passed to build %bcond_with SYSTEMTEST @@ -62,6 +62,9 @@ Source46: named-setup-rndc.service Source48: setup-named-softhsm.sh Source49: named-chroot.files +Patch0: 0001-CVE-2023-3341.patch +Patch1: 0002-CVE-2023-4236.patch + %{?systemd_ordering} Requires: coreutils Requires(pre): shadow-utils @@ -843,6 +846,9 @@ fi; %doc %{_pkgdocdir}/Bv9ARM.pdf %changelog +* Wed Dec 27 2023 Caspar Zhang - 32:9.18.16-2 +- Fix CVE-2023-3341 and CVE-2023-4236 + * Thu Jun 22 2023 Funda Wang - 32:9.18.16-1 - New version 9.18.16
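Review bot: `Patch0`/`Patch1` are declared in the second hunk, but nothing in this diff applies them; if `%prep` uses `%autosetup` or `%autopatch` they are picked up automatically, while a plain `%setup` needs explicit `%patch0 -p1` / `%patch1 -p1` lines, and the `%prep` section is not part of the change. Confirm that, otherwise the changelog entry claims fixes the built package does not contain. Both patch files use `a/lib/...` and `b/lib/...` prefixes, so `-p1` is the matching strip level if explicit lines are needed.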