diff --git a/0001-fix-cve-CVE-2024-11187.patch b/0001-fix-cve-CVE-2024-11187.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2e5f450e373d8daad57dc5cc2baa636cad0a8113
--- /dev/null
+++ b/0001-fix-cve-CVE-2024-11187.patch
@@ -0,0 +1,139 @@ +From 4ff1d68a34523e986aabe177d0f660bc3ae4eb7c Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Fri, 14 Mar 2025 15:29:43 +0800 +Subject: [PATCH] fix cve CVE-2024-11187 + +--- + bin/named/query.c | 11 ++++++----- + bin/tests/system/additional/tests.sh | 2 +- + lib/dns/include/dns/rdataset.h | 12 ++++++++++++ + lib/dns/rdataset.c | 12 ++++++++++++ + 4 files changed, 31 insertions(+), 6 deletions(-) + +diff --git a/bin/named/query.c b/bin/named/query.c +index 5fb06f6..9b1f143 100644 +--- a/bin/named/query.c ++++ b/bin/named/query.c +@@ -1781,9 +1781,10 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { + * section, it's helpful if we add the SRV additional data + * as well. + */ +- eresult = dns_rdataset_additionaldata(trdataset, ++ eresult = dns_rdataset_additionaldata2(trdataset, + query_addadditional, +- client); ++ client, ++ DNS_RDATASET_MAXADDITIONAL); + } + + cleanup: +@@ -2378,7 +2379,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, + rdataset->rdclass); + rdataset->attributes |= DNS_RDATASETATTR_LOADORDER; + +- if (NOADDITIONAL(client)) ++ if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any) + return; + + /* +@@ -2388,8 +2389,8 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, + */ + additionalctx.client = client; + additionalctx.rdataset = rdataset; +- (void)dns_rdataset_additionaldata(rdataset, query_addadditional2, +- &additionalctx); ++ (void)dns_rdataset_additionaldata2(rdataset, query_addadditional2, ++ &additionalctx, DNS_RDATASET_MAXADDITIONAL); + CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done"); + } + +diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh +index 692af54..e9ccd55 100644 +--- a/bin/tests/system/additional/tests.sh ++++ b/bin/tests/system/additional/tests.sh +@@ -229,7 +229,7 @@ n=`expr $n + 1` + echo_i "testing with 'minimal-any no;' ($n)" + ret=0 + $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || 
ret=1 +-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1 ++grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i " failed"; status=1 + fi +diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h +index 9f8d7aa..14c699d 100644 +--- a/lib/dns/include/dns/rdataset.h ++++ b/lib/dns/include/dns/rdataset.h +@@ -50,6 +50,8 @@ + #include + #include + ++#define DNS_RDATASET_MAXADDITIONAL 13 ++ + ISC_LANG_BEGINDECLS + + typedef enum { +@@ -487,13 +489,23 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset, + *\li If a call to dns_rdata_additionaldata() is not successful, the + * result returned will be the result of dns_rdataset_additionaldata(). + * ++ *\li If 'limit' is non-zero and the number of the rdatasets is larger ++ * than 'limit', no additional data will be processed. ++ * + * Returns: + * + *\li #ISC_R_SUCCESS + * ++ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit' ++ * + *\li Any error that dns_rdata_additionaldata() can return. 
+ */ + ++isc_result_t ++dns_rdataset_additionaldata2(dns_rdataset_t *rdataset, ++ dns_additionaldatafunc_t add, void *arg, ++ size_t limit); ++ + isc_result_t + dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, + dns_rdataset_t *neg, dns_rdataset_t *negsig); +diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c +index 30d1d35..91b5c97 100644 +--- a/lib/dns/rdataset.c ++++ b/lib/dns/rdataset.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + static const char *trustnames[] = { + "none", +@@ -607,6 +608,13 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, + isc_result_t + dns_rdataset_additionaldata(dns_rdataset_t *rdataset, + dns_additionaldatafunc_t add, void *arg) ++{ ++ return dns_rdataset_additionaldata2(rdataset, add, arg, 0); ++} ++ ++isc_result_t ++dns_rdataset_additionaldata2(dns_rdataset_t *rdataset, ++ dns_additionaldatafunc_t add, void *arg, size_t limit) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_result_t result; +@@ -619,6 +627,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset, + REQUIRE(DNS_RDATASET_VALID(rdataset)); + REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0); + ++ if (limit != 0 && dns_rdataset_count(rdataset) > limit) { ++ return DNS_R_TOOMANYRECORDS; ++ } ++ + result = dns_rdataset_first(rdataset); + if (result != ISC_R_SUCCESS) + return (result); +-- +2.39.3 + diff --git a/bind.spec b/bind.spec index f657edea63554d1955bc5cb24893e0615a014b03..f0bf8bbcbeb28a63e630ba3c21fbd9479ec71410 100644 --- a/bind.spec +++ b/bind.spec @@ -64,7 +64,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.4 -Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.17 +Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.18 Epoch: 32 Url: http://www.isc.org/products/BIND/ # 
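Review bot: The new `dns_rdataset_additionaldata2` prototype in lib/dns/include/dns/rdataset.h lands without a doc comment of its own, while the `limit` and #DNS_R_TOOMANYRECORDS wording was spliced into the block that documents the three-argument `dns_rdataset_additionaldata`, which has no `limit` parameter; add after the new prototype `/*%< Like dns_rdataset_additionaldata(), but returns #DNS_R_TOOMANYRECORDS without processing anything when 'limit' is non-zero and the rdataset holds more than 'limit' records. */` and say on the old one that it behaves as if limit were 0. In lib/dns/rdataset.c the three-argument wrapper passes 0, so any caller that was not converted keeps unlimited additional-data processing; the two bin/named/query.c call sites are the only ones visible in this patch, so it is worth confirming no other caller feeds it rdatasets from untrusted sources. The identifier after the `#include` added to rdataset.c is not visible on this page (presumably the header that declares DNS_R_TOOMANYRECORDS), and that result code must already exist in this 9.11.4 tree for the build to succeed. In query_addadditional the new DNS_R_TOOMANYRECORDS result is stored in `eresult` rather than discarded as in query_addrdataset, so one oversized target rdataset presumably ends the caller's remaining additional-data iteration; the rest of that function lies outside the hunk.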
@@ -206,6 +206,9 @@ Patch12: bind-9.10-sdb.patch Patch17: bind-9.3.2b1-fix_sdb_ldap.patch Patch18: bind-9.11-zone2ldap.patch +# add by uos +Patch19: 0001-fix-cve-CVE-2024-11187.patch + Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -634,7 +637,7 @@ cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools %patch133 -p1 -b .rh640538 %patch134 -p1 -b .rh669163 - +%patch19 -p1 -b .fix-cve-CVE-2024-11187 # Sparc and s390 arches need to use -fPIE %ifarch sparcv9 sparc64 s390 s390x for i in bin/named{,-sdb}/{,unix}/Makefile.in; do @@ -1567,6 +1570,9 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Mon Mar 10 2025 zhuhongbo - 32:9.11.4-26.P2.18 +- cve: fix cve CVE-2024-11187 + * Mon Sep 09 2024 pangqing - 32:9.11.4-26.P2.17 - CVE-2024-1975 and CVE-2024-1737