From dc7604a506bf430c11714b9f3cf74e3ae459fa51 Mon Sep 17 00:00:00 2001 From: zhangpan Date: Thu, 20 Mar 2025 11:49:36 +0000 Subject: [PATCH] fix CVE-2023-3341 CVE-2024-11187 --- backport-CVE-2023-3341.patch | 175 ++++++++++++++++++++++++ backport-CVE-2024-11187.patch | 244 ++++++++++++++++++++++++++++++++++ dhcp.spec | 10 +- 3 files changed, 428 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-3341.patch create mode 100644 backport-CVE-2024-11187.patch diff --git a/backport-CVE-2023-3341.patch b/backport-CVE-2023-3341.patch new file mode 100644 index 0000000..ed1b02e --- /dev/null +++ b/backport-CVE-2023-3341.patch 
@@ -0,0 +1,175 @@ +From 820b0cceef0b67b041973da4041ea53d5e276363 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 20 Jun 2023 15:21:36 +1000 +Subject: [PATCH] Limit isccc_cc_fromwire recursion depth + +Named and rndc do not need a lot of recursion so the depth is +set to 10. + +Conflict: adapt context +Reference: https://downloads.isc.org/isc/bind9/9.16.44/patches/0001-CVE-2023-3341.patch +--- + lib/isccc/cc.c | 41 +++++++++++++++++++++++--------- + lib/isccc/include/isccc/result.h | 4 +++- + lib/isccc/result.c | 4 +++- + 3 files changed, 36 insertions(+), 13 deletions(-) + +diff --git a/bind/bind-9.11.14/lib/isccc/cc.c b/bind/bind-9.11.14/lib/isccc/cc.c +index c314d76..54ff3c6 100644 +--- a/bind/bind-9.11.14/lib/isccc/cc.c ++++ b/bind/bind-9.11.14/lib/isccc/cc.c +@@ -54,6 +54,11 @@ + #define MAX_TAGS 256 + #define DUP_LIFETIME 900 + ++#ifndef ISCCC_MAXDEPTH ++#define ISCCC_MAXDEPTH \ ++ 10 /* Big enough for rndc which just sends a string each way. */ ++#endif ++ + typedef isccc_sexpr_t *sexpr_ptr; + + #ifndef PK11_MD5_DISABLE +@@ -561,19 +566,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, + + static isc_result_t + table_fromwire(isccc_region_t *source, isccc_region_t *secret, +- uint32_t algorithm, isccc_sexpr_t **alistp); ++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp); + + static isc_result_t +-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp); ++list_fromwire(isccc_region_t *source, unsigned int depth, ++ isccc_sexpr_t **listp); + + static isc_result_t +-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { ++value_fromwire(isccc_region_t *source, unsigned int depth, ++ isccc_sexpr_t **valuep) { + unsigned int msgtype; + uint32_t len; + isccc_sexpr_t *value; + isccc_region_t active; + isc_result_t result; + ++ if (depth > ISCCC_MAXDEPTH) { ++ return (ISCCC_R_MAXDEPTH); ++ } ++ + if (REGION_SIZE(*source) < 1 + 4) + return (ISC_R_UNEXPECTEDEND); + GET8(msgtype, source->rstart); +@@ 
-591,9 +602,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { + } else + result = ISC_R_NOMEMORY; + } else if (msgtype == ISCCC_CCMSGTYPE_TABLE) +- result = table_fromwire(&active, NULL, 0, valuep); ++ result = table_fromwire(&active, NULL, 0, depth + 1, valuep); + else if (msgtype == ISCCC_CCMSGTYPE_LIST) +- result = list_fromwire(&active, valuep); ++ result = list_fromwire(&active, depth + 1, valuep); + else + result = ISCCC_R_SYNTAX; + +@@ -602,8 +613,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { + + static isc_result_t + table_fromwire(isccc_region_t *source, isccc_region_t *secret, +- uint32_t algorithm, isccc_sexpr_t **alistp) +-{ ++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) { + char key[256]; + uint32_t len; + isc_result_t result; +@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, + + REQUIRE(alistp != NULL && *alistp == NULL); + ++ if (depth > ISCCC_MAXDEPTH) { ++ return (ISCCC_R_MAXDEPTH); ++ } ++ + checksum_rstart = NULL; + first_tag = true; + alist = isccc_alist_create(); +@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, + GET_MEM(key, len, source->rstart); + key[len] = '\0'; /* Ensure NUL termination. 
*/ + value = NULL; +- result = value_fromwire(source, &value); ++ result = value_fromwire(source, depth + 1, &value); + if (result != ISC_R_SUCCESS) + goto bad; + if (isccc_alist_define(alist, key, value) == NULL) { +@@ -661,14 +675,19 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, + } + + static isc_result_t +-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) { ++list_fromwire(isccc_region_t *source, unsigned int depth, ++ isccc_sexpr_t **listp) { + isccc_sexpr_t *list, *value; + isc_result_t result; + ++ if (depth > ISCCC_MAXDEPTH) { ++ return (ISCCC_R_MAXDEPTH); ++ } ++ + list = NULL; + while (!REGION_EMPTY(*source)) { + value = NULL; +- result = value_fromwire(source, &value); ++ result = value_fromwire(source, depth + 1, &value); + if (result != ISC_R_SUCCESS) { + isccc_sexpr_free(&list); + return (result); +@@ -699,7 +718,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp, + if (version != 1) + return (ISCCC_R_UNKNOWNVERSION); + +- return (table_fromwire(source, secret, algorithm, alistp)); ++ return (table_fromwire(source, secret, algorithm, 0, alistp)); + } + + static isc_result_t +diff --git a/bind/bind-9.11.14/lib/isccc/include/isccc/result.h b/bind/bind-9.11.14/lib/isccc/include/isccc/result.h +index 6ff81ad..ef2cfe0 100644 +--- a/bind/bind-9.11.14/lib/isccc/include/isccc/result.h ++++ b/bind/bind-9.11.14/lib/isccc/include/isccc/result.h +@@ -47,8 +47,10 @@ + #define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4) + /*% Duplicate */ + #define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5) ++/*% Maximum recursion depth */ ++#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6) + +-#define ISCCC_R_NRESULTS 6 /*%< Number of results */ ++#define ISCCC_R_NRESULTS 7 /*%< Number of results */ + + ISC_LANG_BEGINDECLS + +diff --git a/bind/bind-9.11.14/lib/isccc/result.c b/bind/bind-9.11.14/lib/isccc/result.c +index 75f5ade..7d88fbc 100644 +--- a/bind/bind-9.11.14/lib/isccc/result.c ++++ 
b/bind/bind-9.11.14/lib/isccc/result.c +@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = { + "bad auth", /* 3 */ + "expired", /* 4 */ + "clock skew", /* 5 */ +- "duplicate" /* 6 */ ++ "duplicate", /* 6 */ ++ "max depth" /* 7 */ + }; + + static const char *ids[ISCCC_R_NRESULTS] = { +@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = { + "ISCCC_R_EXPIRED", + "ISCCC_R_CLOCKSKEW", + "ISCCC_R_DUPLICATE", ++ "ISCCC_R_MAXDEPTH" + }; + + #define ISCCC_RESULT_RESULTSET 2 +-- +2.27.0 + diff --git a/backport-CVE-2024-11187.patch b/backport-CVE-2024-11187.patch new file mode 100644 index 0000000..9a539e3 --- /dev/null +++ b/backport-CVE-2024-11187.patch 
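Review bot: The new depth limit counts every value_fromwire, table_fromwire and list_fromwire frame rather than nesting levels: value_fromwire calls table_fromwire/list_fromwire with `depth + 1` and they call value_fromwire with `depth + 1` again, so one level of table or list nesting consumes two units and `ISCCC_MAXDEPTH 10` admits roughly five nested containers. The comment on the macro only says it is big enough for rndc, which is true, but anyone raising the limit later has to rediscover this, so I would extend it to `/* Counted per fromwire frame: each nested table or list costs 2. */`. The checks are placed before isccc_alist_create() in table_fromwire and before the loop in list_fromwire, so the early return leaks nothing; that ordering is worth a short comment if the checks are ever moved.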
@@ -0,0 +1,244 @@ +From fa7b7973e36056440dd688c7f312c89600d4f8cf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Thu, 14 Nov 2024 10:37:29 +0100 +Subject: [PATCH] Limit the additional processing for large RDATA sets + +When answering queries, don't add data to the additional section if +the answer has more than 13 names in the RDATA. This limits the +number of lookups into the database(s) during a single client query, +reducing query processing load. + +Also, don't append any additional data to type=ANY queries. The +answer to ANY is already big enough. + +(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408) + +Conflict:Context adaptation +Reference:https://downloads.isc.org/isc/bind9/9.18.33/patches/0001-CVE-2024-11187.patch + +--- + bind/bind-9.11.14/bin/named/query.c | 7 ++++--- + .../bin/tests/system/additional/tests.sh | 2 +- + .../bin/tests/system/resolver/ns4/named.noaa | 5 ----- + bind/bind-9.11.14/bin/tests/system/resolver/tests.sh | 8 ++++++++ + bind/bind-9.11.14/lib/dns/include/dns/rdataset.h | 10 +++++++++- + bind/bind-9.11.14/lib/dns/rdataset.c | 8 +++++++- + bind/bind-9.11.14/lib/dns/resolver.c | 12 ++++++------ + 7 files changed, 35 insertions(+), 17 deletions(-) + delete mode 100644 bind/bind-9.11.14/bin/tests/system/resolver/ns4/named.noaa + +diff --git a/bind/bind-9.11.14/bin/named/query.c b/bind/bind-9.11.14/bin/named/query.c +index 06e8fdf..70869e0 100644 +--- a/bind/bind-9.11.14/bin/named/query.c ++++ b/bind/bind-9.11.14/bin/named/query.c +@@ -1803,7 +1803,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { + */ + eresult = dns_rdataset_additionaldata(trdataset, + query_addadditional, +- client); ++ client, DNS_RDATASET_MAXADDITIONAL); + } + + cleanup: +@@ -2409,7 +2409,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, + additionalctx.client = client; + additionalctx.rdataset = rdataset; + (void)dns_rdataset_additionaldata(rdataset, query_addadditional2, +- 
&additionalctx); ++ &additionalctx, DNS_RDATASET_MAXADDITIONAL); + CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done"); + } + +@@ -2746,7 +2746,8 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, + * To the current response for 'client', add the answer RRset + * '*rdatasetp' and an optional signature set '*sigrdatasetp', with + * owner name '*namep', to section 'section', unless they are +- * already there. Also add any pertinent additional data. ++ * already there. Also add any pertinent additional data, unless ++ * the query was for type ANY. + * + * If 'dbuf' is not NULL, then '*namep' is the name whose data is + * stored in 'dbuf'. In this case, query_addrrset() guarantees that +diff --git a/bind/bind-9.11.14/bin/tests/system/additional/tests.sh b/bind/bind-9.11.14/bin/tests/system/additional/tests.sh +index dc537cc..a860137 100644 +--- a/bind/bind-9.11.14/bin/tests/system/additional/tests.sh ++++ b/bind/bind-9.11.14/bin/tests/system/additional/tests.sh +@@ -261,7 +261,7 @@ n=`expr $n + 1` + echo_i "testing with 'minimal-any no;' ($n)" + ret=0 + $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1 +-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1 ++grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i " failed"; status=1 + fi +diff --git a/bind/bind-9.11.14/bin/tests/system/resolver/ns4/named.noaa b/bind/bind-9.11.14/bin/tests/system/resolver/ns4/named.noaa +deleted file mode 100644 +index 0f215fc..0000000 +--- a/bind/bind-9.11.14/bin/tests/system/resolver/ns4/named.noaa ++++ /dev/null +@@ -1,5 +0,0 @@ +-Copyright (C) Internet Systems Consortium, Inc. ("ISC") +- +-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. +- +-Add -T noaa. 
+diff --git a/bind/bind-9.11.14/bin/tests/system/resolver/tests.sh b/bind/bind-9.11.14/bin/tests/system/resolver/tests.sh +index 45ac58c..089a1ff 100755 +--- a/bind/bind-9.11.14/bin/tests/system/resolver/tests.sh ++++ b/bind/bind-9.11.14/bin/tests/system/resolver/tests.sh +@@ -247,6 +247,10 @@ if [ -x ${RESOLVE} ] ; then + status=`expr $status + $ret` + fi + ++stop_server ns4 ++touch ns4/named.noaa ++start_server --noclean --restart --port ${PORT} ns4 || ret=1 ++ + n=`expr $n + 1` + echo_i "RT21594 regression test check setup ($n)" + ret=0 +@@ -283,6 +287,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + ++stop_server ns4 ++rm ns4/named.noaa ++start_server --noclean --restart --port ${PORT} ns4 || ret=1 ++ + n=`expr $n + 1` + echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)" + ret=0 +diff --git a/bind/bind-9.11.14/lib/dns/include/dns/rdataset.h b/bind/bind-9.11.14/lib/dns/include/dns/rdataset.h +index 5295d8e..50995da 100644 +--- a/bind/bind-9.11.14/lib/dns/include/dns/rdataset.h ++++ b/bind/bind-9.11.14/lib/dns/include/dns/rdataset.h +@@ -53,6 +53,8 @@ + #include + #include + ++#define DNS_RDATASET_MAXADDITIONAL 13 ++ + ISC_LANG_BEGINDECLS + + typedef enum { +@@ -471,7 +473,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset, + + isc_result_t + dns_rdataset_additionaldata(dns_rdataset_t *rdataset, +- dns_additionaldatafunc_t add, void *arg); ++ dns_additionaldatafunc_t add, void *arg, ++ size_t limit); + /*%< + * For each rdata in rdataset, call 'add' for each name and type in the + * rdata which is subject to additional section processing. +@@ -490,10 +493,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset, + *\li If a call to dns_rdata_additionaldata() is not successful, the + * result returned will be the result of dns_rdataset_additionaldata(). 
+ * ++ *\li If 'limit' is non-zero and the number of the rdatasets is larger ++ * than 'limit', no additional data will be processed. ++ * + * Returns: + * + *\li #ISC_R_SUCCESS + * ++ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit' ++ * + *\li Any error that dns_rdata_additionaldata() can return. + */ + +diff --git a/bind/bind-9.11.14/lib/dns/rdataset.c b/bind/bind-9.11.14/lib/dns/rdataset.c +index a2ac36f..0acb45a 100644 +--- a/bind/bind-9.11.14/lib/dns/rdataset.c ++++ b/bind/bind-9.11.14/lib/dns/rdataset.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + static const char *trustnames[] = { + "none", +@@ -607,7 +608,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, + + isc_result_t + dns_rdataset_additionaldata(dns_rdataset_t *rdataset, +- dns_additionaldatafunc_t add, void *arg) ++ dns_additionaldatafunc_t add, void *arg, ++ size_t limit) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_result_t result; +@@ -620,6 +622,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset, + REQUIRE(DNS_RDATASET_VALID(rdataset)); + REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0); + ++ if (limit != 0 && dns_rdataset_count(rdataset) > limit) { ++ return DNS_R_TOOMANYRECORDS; ++ } ++ + result = dns_rdataset_first(rdataset); + if (result != ISC_R_SUCCESS) + return (result); +diff --git a/bind/bind-9.11.14/lib/dns/resolver.c b/bind/bind-9.11.14/lib/dns/resolver.c +index 8334005..c594630 100644 +--- a/bind/bind-9.11.14/lib/dns/resolver.c ++++ b/bind/bind-9.11.14/lib/dns/resolver.c +@@ -6406,7 +6406,7 @@ chase_additional(fetchctx_t *fctx) { + rdataset->attributes &= ~DNS_RDATASETATTR_CHASE; + (void)dns_rdataset_additionaldata(rdataset, + check_related, +- fctx); ++ fctx, 0); + rescan = true; + } + } +@@ -7034,7 +7034,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname, + INSIST(ns_rdataset != NULL); + FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING); + (void)dns_rdataset_additionaldata(ns_rdataset, check_related, +- fctx); 
++ fctx, 0); + #if CHECK_FOR_GLUE_IN_ANSWER + /* + * Look in the answer section for "glue" that is incorrectly +@@ -7047,7 +7047,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname, + (fctx->type == dns_rdatatype_aaaa || + fctx->type == dns_rdatatype_a)) + (void)dns_rdataset_additionaldata(ns_rdataset, +- check_answer, fctx); ++ check_answer, fctx, 0); + #endif + FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING); + /* +@@ -7286,7 +7286,7 @@ answer_response(fetchctx_t *fctx) { + rdataset->trust = trust; + (void)dns_rdataset_additionaldata(rdataset, + check_related, +- fctx); ++ fctx, 0); + } + } else if (aname != NULL) { + if (!validinanswer(ardataset, fctx)) +@@ -7311,7 +7311,7 @@ answer_response(fetchctx_t *fctx) { + ardataset->attributes |= DNS_RDATASETATTR_CACHE; + ardataset->trust = trust; + (void)dns_rdataset_additionaldata(ardataset, check_related, +- fctx); ++ fctx, 0); + for (sigrdataset = ISC_LIST_HEAD(aname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { +@@ -7471,7 +7471,7 @@ answer_response(fetchctx_t *fctx) { + (void)dns_rdataset_additionaldata( + rdataset, + check_related, +- fctx); ++ fctx, 0); + done = true; + } + } +-- +2.27.0 + diff --git a/dhcp.spec b/dhcp.spec index c39b51f..27be458 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -3,7 +3,7 @@ Name: dhcp Version: 4.4.2 -Release: 13 +Release: 14 Summary: Dynamic host configuration protocol software #Please don't change the epoch on this package Epoch: 12 @@ -71,6 +71,8 @@ Patch50: backport-0001-CVE-2024-1737.patch Patch51: backport-0002-CVE-2024-1737.patch Patch52: backport-0003-CVE-2024-1737.patch Patch53: backport-0004-CVE-2024-1737.patch +Patch54: backport-CVE-2023-3341.patch +Patch55: backport-CVE-2024-11187.patch BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel bind-export-devel 
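Review bot: The query.c part of this backport changes only the two dns_rdataset_additionaldata() call sites and the query_addrrset() comment, yet the comment now says additional data is added `unless the query was for type ANY`, and both the commit message and the new additional/tests.sh expectation (`ADDITIONAL: 1`) assume ANY answers carry no additional data. No visible hunk makes query_addrrset() skip query_addrdataset() for dns_rdatatype_any, and the 7-line diffstat for query.c leaves no room for one, so unless the 9.11.14 tree already has such a check the backport is incomplete and the comment describes behaviour that is not implemented; confirm against query_addrrset() in the bundled tree and, if missing, port the ANY guard from the referenced upstream commit. Separately, `return DNS_R_TOOMANYRECORDS;` in dns_rdataset_additionaldata() relies on that result code existing in this tree (presumably introduced by the CVE-2024-1737 backports applied as Patch50–53) and drops the `return (...)` parenthesised form used on the surrounding lines. The resolver.c callers pass a limit of 0, so the cap applies only to answer building in query.c, which matches the upstream intent.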
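Review bot: Patch54 and Patch55 both modify files under the bundled `bind/bind-9.11.14/` tree, while the same spec lists `bind-export-devel` in BuildRequires, which suggests the package may link against the system BIND export libraries rather than the embedded copy. If that is the case, the two backports never reach the shipped binaries and the changelog's CVE claim is nominal; confirm whether the dhcp build actually compiles the bundled tree (in particular lib/isccc, which as far as I can tell serves rndc/named rather than dhcpd) before relying on these patches for CVE-2023-3341 and CVE-2024-11187. If the bundled tree is built, a one-line comment next to the Patch lines noting that they apply to the embedded bind copy would save the next maintainer the same check.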
@@ -313,6 +315,12 @@ exit 0 %{_mandir}/man3/omapi.3.gz %changelog +* Thu Mar 20 2025 zhangpan - 12:4.4.2-14 +- Type:CVE +- ID:NA +- SUG:restart +- DESC:fix CVE-2023-3341 CVE-2024-11187 + * Mon Nov 11 2024 huyizhen - 12:4.4.2-13 - Type:CVE - ID:NA -- Gitee