diff --git a/5-bugfix-for-CVE-2025-8677.patch b/5-bugfix-for-CVE-2025-8677.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1c21ec33de8757bd0d15eb38cc93d6dd43b16a3f
--- /dev/null
+++ b/5-bugfix-for-CVE-2025-8677.patch
@@ -0,0 +1,85 @@
+From 7c5b8ef055900224f0424c341927562c5a9ebe19 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Tue, 22 Jul 2025 08:07:02 +0200
+Subject: [PATCH] Fail the DNSSEC validation if matching but invalid DNSKEY is
+ found
+
+If a matching but cryptographically invalid key was encountered during
+the DNSSEC validation, the key would be just skipped and not counted
+towards validation failures. Treat such DNSSEC keys as hard failures
+and fail the DNSSEC validation immediatelly instead of continuing the
+DNSSEC validation with the next DNSKEYs in the RRset.
+
+Co-authored-by: Matthijs Mekking
+
+(cherry picked from commit f00117a4226be90d1bc865aff19bddf114242914)
+---
+ lib/dns/validator.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/lib/dns/validator.c b/lib/dns/validator.c
+index 55138d25906..6c21d35e640 100644
+--- a/lib/dns/validator.c
++++ b/lib/dns/validator.c
+@@ -435,6 +435,8 @@ fetch_callback_dnskey(isc_task_t *task, isc_event_t *event) {
+ result = select_signing_key(val, rdataset);
+ if (result == ISC_R_SUCCESS) {
+ val->keyset = &val->frdataset;
++ } else {
++ val->failed = true;
+ }
+ }
+ result = validate_answer(val, true);
+@@ -1174,6 +1176,8 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
+ goto done;
+ }
+ dst_key_free(&val->key);
++ } else {
++ break;
+ }
+ dns_rdata_reset(&rdata);
+ result = dns_rdataset_next(rdataset);
+@@ -1291,13 +1295,15 @@ seek_dnskey(dns_validator_t *val) {
+ "keyset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
+ result = select_signing_key(val, val->keyset);
+- if (result != ISC_R_SUCCESS) {
++ if (result == ISC_R_NOTFOUND) {
+ /*
+- * Either the key we're looking for is not
+- * in the rrset, or something bad happened.
+- * Give up.
++ * The key we're looking for is not
++ * in the rrset
+ */
+ result = DNS_R_CONTINUE;
++ } else if (result != ISC_R_SUCCESS) {
++ /* Something bad happened. Give up. */
++ break;
+ }
+ }
+ break;
+@@ -1417,7 +1423,7 @@ selfsigned_dnskey(dns_validator_t *val) {
+ result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
+ &dstkey);
+ if (result != ISC_R_SUCCESS) {
+- continue;
++ return result;
+ }
+
+ /*
+@@ -1688,10 +1694,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
+ val->event->name, keyrdata, val->view->mctx,
+ &dstkey);
+ if (result != ISC_R_SUCCESS) {
+- /*
+- * This really shouldn't happen, but...
+- */
+- continue;
++ return result;
+ }
+ }
+ result = verify(val, dstkey, &rdata, sig.keyid);
+--
+GitLab
+
diff --git a/bind.spec b/bind.spec
index 327c2d2e868ea22f5e4d4d7a2210b1eac4f4d4b6..1e455c6342f86247b2cc5501223919bb3f586fae 100644
--- a/bind.spec
+++ b/bind.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %bcond_with SYSTEMTEST
 %bcond_without GSSTSIG
@@ -46,6 +46,9 @@ Patch1: 1-bugfix-for-CVE-2025-40780.patch
 Patch2: 2-bugfix-for-CVE-2025-40778.patch
 Patch3: 3-bugfix-for-CVE-2025-40778.patch
 Patch4: 4-bugfix-for-CVE-2025-40778.patch
+
+# https://gitlab.isc.org/isc-projects/bind9/-/commit/7c5b8ef055900224f0424c341927562c5a9ebe19.patch
+Patch5: 5-bugfix-for-CVE-2025-8677.patch
 # Refresh by command: dig @a.root-servers.net. +tcp +norec
 # or from URL
 Source17: https://www.internic.net/domain/named.root
@@ -873,6 +876,9 @@ fi;
 %endif
 %changelog
+* Wed Nov 12 2025 tomcruiseqi - 32:9.18.34-4
+- Fix CVE-2025-8677
+
 * Mon Nov 03 2025 tomcruiseqi - 32:9.18.34-3
 - Fix CVE-2025-40778
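Review bot: The `else { val->failed = true; }` added in the `fetch_callback_dnskey` hunk marks the validation as failed for every non-success return from `select_signing_key()`, whereas the `seek_dnskey` hunk in the same patch keeps `ISC_R_NOTFOUND` as a soft `DNS_R_CONTINUE` and only breaks out on other errors. If a fetched DNSKEY RRset that merely lacks a matching key is meant to be a hard failure on the fetch path that intent is not recorded anywhere; if it is not, the branch would read `} else if (result != ISC_R_NOTFOUND) { val->failed = true; }`. How `validate_answer()` consumes `val->failed` lies outside the hunk, so this is a point to confirm against the upstream commit rather than a defect these lines alone establish. The new `break` in `select_signing_key` presumably leaves the `dns_dnssec_keyfromrdata()` error in `result` for the caller, which the `seek_dnskey` change relies on; that loop's tail is also outside the hunk.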
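Review bot: The new `Patch5:` line only declares the patch; whether it is applied depends on the `%prep` section (`%autosetup -p1` or an explicit `%patch5 -p1`), which is outside this hunk and should be checked, because a declared-but-unapplied patch leaves the CVE open while the changelog claims it fixed. The comment above it already names the upstream commit, which is the right provenance; a note on when it can be dropped would ease the next rebase, e.g. `# Drop once rebased onto the upstream release containing 7c5b8ef0`.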