From e68c9ad7c4b58394bab65916e108e8b377ac3a7f Mon Sep 17 00:00:00 2001
From: zhangxianting <zhangxianting@uniontech.com>
Date: Thu, 25 Jul 2024 17:23:10 +0800
Subject: [PATCH] fix CVE-2024-1975

---
 backport-CVE-2024-1975-1.patch | 153 +++++++++++++++++++++++++++++++++
 backport-CVE-2024-1975-2.patch | 104 ++++++++++++++++++++++
 backport-CVE-2024-1975-3.patch |  69 +++++++++++++++
 backport-CVE-2024-1975-4.patch |  48 +++++++++++
 backport-CVE-2024-1975-5.patch |  24 ++++++
 bind.spec                      |  16 +++-
 6 files changed, 412 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2024-1975-1.patch
 create mode 100644 backport-CVE-2024-1975-2.patch
 create mode 100644 backport-CVE-2024-1975-3.patch
 create mode 100644 backport-CVE-2024-1975-4.patch
 create mode 100644 backport-CVE-2024-1975-5.patch

diff --git a/backport-CVE-2024-1975-1.patch b/backport-CVE-2024-1975-1.patch
new file mode 100644
index 0000000..ebfde05
--- /dev/null
+++ b/backport-CVE-2024-1975-1.patch
@@ -0,0 +1,153 @@
+From bef3d2cca3552100bbe44790c8c1a4f5bef06798 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
+Date: Thu, 16 May 2024 12:10:41 +0200
+Subject: [PATCH] Remove support for SIG(0) message verification
+https://github.com/isc-projects/bind9/commit/bef3d2cca3552100bbe44790c8c1a4f5bef06798
+
+---
+ lib/dns/message.c | 98 +++--------------------------------------------
+ lib/ns/client.c   |  7 ++++
+ 2 files changed, 13 insertions(+), 92 deletions(-)
+
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 500705e..f7a7972 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -3331,110 +3331,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
+ 
+ isc_result_t
+ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
+-	isc_buffer_t b, msgb;
++	isc_buffer_t msgb;
+ 
+ 	REQUIRE(DNS_MESSAGE_VALID(msg));
+ 
+-	if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL) {
++	if (msg->tsigkey == NULL && msg->tsig == NULL) {
+ 		return (ISC_R_SUCCESS);
+ 	}
+ 
+ 	INSIST(msg->saved.base != NULL);
+ 	isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
+ 	isc_buffer_add(&msgb, msg->saved.length);
+-	if (msg->tsigkey != NULL || msg->tsig != NULL) {
+ #ifdef SKAN_MSG_DEBUG
+-		dns_message_dumpsig(msg, "dns_message_checksig#1");
++	dns_message_dumpsig(msg, "dns_message_checksig#1");
+ #endif /* ifdef SKAN_MSG_DEBUG */
+-		if (view != NULL) {
+-			return (dns_view_checksig(view, &msgb, msg));
+-		} else {
+-			return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+-		}
++	if (view != NULL) {
++		return (dns_view_checksig(view, &msgb, msg));
+ 	} else {
+-		dns_rdata_t rdata = DNS_RDATA_INIT;
+-		dns_rdata_sig_t sig;
+-		dns_rdataset_t keyset;
+-		isc_result_t result;
+-
+-		result = dns_rdataset_first(msg->sig0);
+-		INSIST(result == ISC_R_SUCCESS);
+-		dns_rdataset_current(msg->sig0, &rdata);
+-
+-		/*
+-		 * This can occur when the message is a dynamic update, since
+-		 * the rdata length checking is relaxed.  This should not
+-		 * happen in a well-formed message, since the SIG(0) is only
+-		 * looked for in the additional section, and the dynamic update
+-		 * meta-records are in the prerequisite and update sections.
+-		 */
+-		if (rdata.length == 0) {
+-			return (ISC_R_UNEXPECTEDEND);
+-		}
+-
+-		result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
+-		if (result != ISC_R_SUCCESS) {
+-			return (result);
+-		}
+-
+-		dns_rdataset_init(&keyset);
+-		if (view == NULL) {
+-			result = DNS_R_KEYUNAUTHORIZED;
+-			goto freesig;
+-		}
+-		result = dns_view_simplefind(view, &sig.signer,
+-					     dns_rdatatype_key /* SIG(0) */, 0,
+-					     0, false, &keyset, NULL);
+-
+-		if (result != ISC_R_SUCCESS) {
+-			/* XXXBEW Should possibly create a fetch here */
+-			result = DNS_R_KEYUNAUTHORIZED;
+-			goto freesig;
+-		} else if (keyset.trust < dns_trust_secure) {
+-			/* XXXBEW Should call a validator here */
+-			result = DNS_R_KEYUNAUTHORIZED;
+-			goto freesig;
+-		}
+-		result = dns_rdataset_first(&keyset);
+-		INSIST(result == ISC_R_SUCCESS);
+-		for (; result == ISC_R_SUCCESS;
+-		     result = dns_rdataset_next(&keyset)) {
+-			dst_key_t *key = NULL;
+-
+-			dns_rdata_reset(&rdata);
+-			dns_rdataset_current(&keyset, &rdata);
+-			isc_buffer_init(&b, rdata.data, rdata.length);
+-			isc_buffer_add(&b, rdata.length);
+-
+-			result = dst_key_fromdns(&sig.signer, rdata.rdclass, &b,
+-						 view->mctx, &key);
+-			if (result != ISC_R_SUCCESS) {
+-				continue;
+-			}
+-			if (dst_key_alg(key) != sig.algorithm ||
+-			    dst_key_id(key) != sig.keyid ||
+-			    !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
+-			      dst_key_proto(key) == DNS_KEYPROTO_ANY))
+-			{
+-				dst_key_free(&key);
+-				continue;
+-			}
+-			result = dns_dnssec_verifymessage(&msgb, msg, key);
+-			dst_key_free(&key);
+-			if (result == ISC_R_SUCCESS) {
+-				break;
+-			}
+-		}
+-		if (result == ISC_R_NOMORE) {
+-			result = DNS_R_KEYUNAUTHORIZED;
+-		}
+-
+-	freesig:
+-		if (dns_rdataset_isassociated(&keyset)) {
+-			dns_rdataset_disassociate(&keyset);
+-		}
+-		dns_rdata_freestruct(&sig);
+-		return (result);
++		return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+ 	}
+ }
+ 
+diff --git a/lib/ns/client.c b/lib/ns/client.c
+index 264d11d..0f8eb94 100644
+--- a/lib/ns/client.c
++++ b/lib/ns/client.c
+@@ -2063,6 +2063,13 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
+ 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ 			      "request is signed by a nonauthoritative key");
++	} else if (result == DNS_R_NOTVERIFIEDYET &&
++		   client->message->sig0 != NULL)
++	{
++		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
++			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
++			      "request has a SIG(0) signature but its support "
++			      "was removed (CVE-2024-1975)");
+ 	} else {
+ 		char tsigrcode[64];
+ 		isc_buffer_t b;
+-- 
+2.33.0
+
diff --git a/backport-CVE-2024-1975-2.patch b/backport-CVE-2024-1975-2.patch
new file mode 100644
index 0000000..9e4fbf0
--- /dev/null
+++ b/backport-CVE-2024-1975-2.patch
@@ -0,0 +1,104 @@
+From 33007e302d2e5b4550fa8c9d5cd1bffaaffb6819 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
+Date: Thu, 16 May 2024 12:15:23 +0200
+Subject: [PATCH] Document SIG(0) verification removal
+https://github.com/isc-projects/bind9/commit/33007e302d2e5b4550fa8c9d5cd1bffaaffb6819
+
+---
+ doc/arm/advanced.rst  | 16 ++--------------
+ doc/arm/general.rst   |  6 ++----
+ doc/arm/reference.rst |  4 ++--
+ doc/arm/security.rst  |  4 ++--
+ 4 files changed, 8 insertions(+), 22 deletions(-)
+
+diff --git a/doc/arm/advanced.rst b/doc/arm/advanced.rst
+index 134025a..fdb45df 100644
+--- a/doc/arm/advanced.rst
++++ b/doc/arm/advanced.rst
+@@ -554,20 +554,8 @@ deletion" mode.
+ SIG(0)
+ ------
+ 
+-BIND partially supports DNSSEC SIG(0) transaction signatures as
+-specified in :rfc:`2535` and :rfc:`2931`. SIG(0) uses public/private keys to
+-authenticate messages. Access control is performed in the same manner as with
+-TSIG keys; privileges can be granted or denied in ACL directives based
+-on the key name.
+-
+-When a SIG(0) signed message is received, it is only verified if
+-the key is known and trusted by the server. The server does not attempt
+-to recursively fetch or validate the key.
+-
+-SIG(0) signing of multiple-message TCP streams is not supported.
+-
+-The only tool shipped with BIND 9 that generates SIG(0) signed messages
+-is ``nsupdate``.
++Support for DNSSEC SIG(0) transaction signatures has been removed.
++This is a countermeasure for CVE-2024-1975.
+ 
+ .. _DNSSEC:
+ 
+diff --git a/doc/arm/general.rst b/doc/arm/general.rst
+index 225576b..0766dfe 100644
+--- a/doc/arm/general.rst
++++ b/doc/arm/general.rst
+@@ -534,10 +534,8 @@ than a non-authoritative response. This is considered a feature.
+ [2] CLASS ANY queries are not supported. This is considered a
+ feature.
+ 
+-[3] When receiving a query signed with a SIG(0), the server is
+-only able to verify the signature if it has the key in its local
+-authoritative data; it cannot do recursion or validation to
+-retrieve unknown keys.
++[3] Support for SIG(0) message verification was removed
++as part of the mitigation of CVE-2024-1975.
+ 
+ [4] Compliance is with loading and serving of A6 records only. A6 records were moved
+ to the experimental category by :rfc:`3363`.
+diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
+index d4ee9d2..727b09e 100644
+--- a/doc/arm/reference.rst
++++ b/doc/arm/reference.rst
+@@ -5789,7 +5789,7 @@ The ``update-policy`` clause allows more fine-grained control over which
+ updates are allowed. It specifies a set of rules, in which each rule
+ either grants or denies permission for one or more names in the zone to
+ be updated by one or more identities. Identity is determined by the key
+-that signed the update request, using either TSIG or SIG(0). In most
++that signed the update request, using TSIG. In most
+ cases, ``update-policy`` rules only apply to key-based identities. There
+ is no way to specify update permissions based on the client source address.
+ 
+@@ -5846,7 +5846,7 @@ field), and the type of the record to be updated matches the ``types``
+ field. Details for each rule type are described below.
+ 
+ The ``identity`` field must be set to a fully qualified domain name. In
+-most cases, this represents the name of the TSIG or SIG(0) key that
++most cases, this represents the name of the TSIG key that
+ must be used to sign the update request. If the specified name is a
+ wildcard, it is subject to DNS wildcard expansion, and the rule may
+ apply to multiple identities. When a TKEY exchange has been used to
+diff --git a/doc/arm/security.rst b/doc/arm/security.rst
+index f7c8bd3..e3abfd1 100644
+--- a/doc/arm/security.rst
++++ b/doc/arm/security.rst
+@@ -32,7 +32,7 @@ Limiting access to the server by outside parties can help prevent
+ spoofing and denial of service (DoS) attacks against the server.
+ 
+ ACLs match clients on the basis of up to three characteristics: 1) The
+-client's IP address; 2) the TSIG or SIG(0) key that was used to sign the
++client's IP address; 2) the TSIG key that was used to sign the
+ request, if any; and 3) an address prefix encoded in an EDNS
+ Client-Subnet option, if any.
+ 
+@@ -73,7 +73,7 @@ and no queries at all from the networks specified in ``bogusnets``.
+ 
+ In addition to network addresses and prefixes, which are matched against
+ the source address of the DNS request, ACLs may include ``key``
+-elements, which specify the name of a TSIG or SIG(0) key.
++elements, which specify the name of a TSIG key.
+ 
+ When BIND 9 is built with GeoIP support, ACLs can also be used for
+ geographic access restrictions. This is done by specifying an ACL
+-- 
+2.33.0
+
diff --git a/backport-CVE-2024-1975-3.patch b/backport-CVE-2024-1975-3.patch
new file mode 100644
index 0000000..68b622e
--- /dev/null
+++ b/backport-CVE-2024-1975-3.patch
@@ -0,0 +1,69 @@
+From 02dffb63a84662b19da4e0efda26e061676f85a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
+Date: Fri, 17 May 2024 12:23:05 +0200
+Subject: [PATCH] Adapt the tsiggss test to the SIG(0) removal
+https://github.com/isc-projects/bind9/commit/02dffb63a84662b19da4e0efda26e061676f85a8
+
+Test that SIG(0) signer is NOT sent to the external socket for
+authorization. It MUST NOT be considered a valid signature by
+any chance.
+
+Also check that the signer's name does not appear in authsock.pl
+output.
+---
+ bin/tests/system/tsiggss/authsock.pl |  1 +
+ bin/tests/system/tsiggss/tests.sh    | 12 +++++++-----
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
+index ab3833d..4556ae2 100644
+--- a/bin/tests/system/tsiggss/authsock.pl
++++ b/bin/tests/system/tsiggss/authsock.pl
+@@ -53,6 +53,7 @@ if ($timeout != 0) {
+ }
+ 
+ while (my $client = $server->accept()) {
++	printf("accept()\n");
+ 	$client->recv(my $buf, 8, 0);
+ 	my ($version, $req_len) = unpack('N N', $buf);
+ 
+diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
+index 632bb87..7977e49 100644
+--- a/bin/tests/system/tsiggss/tests.sh
++++ b/bin/tests/system/tsiggss/tests.sh
+@@ -116,7 +116,7 @@ status=$((status+ret))
+ 
+ echo_i "testing external update policy (CNAME) with auth sock ($n)"
+ ret=0
+-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
++$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > authsock.log 2>&1 &
+ sleep 1
+ test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
+ n=$((n+1))
+@@ -130,17 +130,19 @@ n=$((n+1))
+ if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ 
+-echo_i "testing external policy with SIG(0) key ($n)"
++echo_i "testing external policy with unsupported SIG(0) key ($n)"
+ ret=0
+-$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
++$NSUPDATE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
++debug
+ server 10.53.0.1 ${PORT}
+ zone example.nil
+ update add fred.example.nil 120 cname foo.bar.
+ send
+ END
+ output=`$DIG $DIGOPTS +short cname fred.example.nil.`
+-[ -n "$output" ] || ret=1
+-[ $ret -eq 0 ] || echo_i "failed"
++# update must have failed - SIG(0) signer is not supported
++[ -n "$output" ] && ret=1
++grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
+ n=$((n+1))
+ if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+-- 
+2.33.0
+
diff --git a/backport-CVE-2024-1975-4.patch b/backport-CVE-2024-1975-4.patch
new file mode 100644
index 0000000..563fa1f
--- /dev/null
+++ b/backport-CVE-2024-1975-4.patch
@@ -0,0 +1,48 @@
+From 227f9aa0646cdf521e0db0d472f8bcc1e2bd6154 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan <aram@isc.org>
+Date: Tue, 21 May 2024 09:29:35 +0000
+Subject: [PATCH] Adapt the upforwd test to the SIG(0) removal
+https://github.com/isc-projects/bind9/commit/227f9aa0646cdf521e0db0d472f8bcc1e2bd6154
+
+Change the check so that update with SIG(0) is expected to fail.
+---
+ bin/tests/system/upforwd/tests.sh | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index 8062d68..9306bec 100644
+--- a/bin/tests/system/upforwd/tests.sh
++++ b/bin/tests/system/upforwd/tests.sh
+@@ -221,18 +221,21 @@ fi
+ 
+ if test -f keyname
+ then
+-	echo_i "checking update forwarding to with sig0 ($n)"
++	echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
+ 	ret=0
+ 	keyname=`cat keyname`
+-	$NSUPDATE -k $keyname.private -- - <<EOF
+-	server 10.53.0.3 ${PORT}
+-	zone example2
+-	update add unsigned.example2. 600 A 10.10.10.1
+-	update add unsigned.example2. 600 TXT Foo
+-	send
++	# SIG(0) is removed, update is expected to fail.
++	{
++		$NSUPDATE -k $keyname.private -- - <<EOF
++		server 10.53.0.3 ${PORT}
++		zone example2
++		update add unsigned.example2. 600 A 10.10.10.1
++		update add unsigned.example2. 600 TXT Foo
++		send
+ EOF
++	} >nsupdate.out.$n 2>&1 && ret=1
+ 	$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
+-	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
++	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null && ret=1
+ 	if [ $ret != 0 ] ; then echo_i "failed"; fi
+ 	status=`expr $status + $ret`
+ 	n=`expr $n + 1`
+-- 
+2.33.0
+
diff --git a/backport-CVE-2024-1975-5.patch b/backport-CVE-2024-1975-5.patch
new file mode 100644
index 0000000..2e127fd
--- /dev/null
+++ b/backport-CVE-2024-1975-5.patch
@@ -0,0 +1,24 @@
+From 8acd71b9cc3d46618319f8c2195d857a8f79744b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
+Date: Thu, 6 Jun 2024 17:43:20 +0200
+Subject: [PATCH] Add CHANGES note for [GL #4480]
+https://github.com/isc-projects/bind9/commit/8acd71b9cc3d46618319f8c2195d857a8f79744b
+
+---
+ CHANGES | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/CHANGES b/CHANGES
+index 2b12128..5c67369 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,4 +1,6 @@
+ 	--- 9.16.23 released ---
++5753.   [security]      Remove SIG(0) support from named as a countermeasure
++                        for CVE-2024-1975. [GL #4480]
+ 
+ 5752.	[bug]		Fix an assertion failure caused by missing member zones
+ 			during a reload of a catalog zone. [GL #2308]
+-- 
+2.33.0
+
diff --git a/bind.spec b/bind.spec
index 48b20c4..0b0f85f 100644
--- a/bind.spec
+++ b/bind.spec
@@ -30,7 +30,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  22
+Release:  23
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -241,6 +241,12 @@ Patch6157:backport-CVE-2023-50387-CVE-2023-50868.patch
 Patch6158:backport-Replace-netievent-lock-free-queue-with-simple-locked.patch
 
 Patch9000:bugfix-limit-numbers-of-test-threads.patch
+# fix CVE-2024-1975
+patch9001:backport-CVE-2024-1975-1.patch
+patch9002:backport-CVE-2024-1975-2.patch
+patch9003:backport-CVE-2024-1975-3.patch
+patch9004:backport-CVE-2024-1975-4.patch
+patch9005:backport-CVE-2024-1975-5.patch
 
 %{?systemd_ordering}
 Requires:       coreutils
@@ -1248,6 +1254,12 @@ fi;
 %endif
 
 %changelog
+* Thu Jul 25 2024 zhangxianting <zhangxianting@uniontech.com> - 32:9.16.23-23
+- Type:CVE
+- CVE:CVE-2024-1975
+- SUG:NA
+- DESC:fix CVE-2024-1975
+
 * Thu Mar 21 2024 chengyechun <chengyechun1@huaweic.om> - 32:9.16.23-22
 - Type:bugfix
 - CVE:
@@ -1314,7 +1326,7 @@ Fix view's zones reverting bug during reconfiguration
 - SUG:NA
 - DESC:fix CVE-2022-3736 CVE-2022-3924 CVE-2022-3094
 
-* Wed Jan 4 2023 zhanghao <zhanghao383@huawei.com> - 32:9.16.23-13
+* Wed Dec 28 2022 huangyu <huangyu106@huawei.com> - 32:9.16.23-13
 - Type:bugfix
 - CVE:NA
 - SUG:NA
-- 
Gitee