diff --git a/backport-Fix-CVE-2021-25214.patch b/backport-Fix-CVE-2021-25214.patch new file mode 100644 index 0000000000000000000000000000000000000000..65267f466244539749f343716eda184065d5982e --- /dev/null +++ b/backport-Fix-CVE-2021-25214.patch @@ -0,0 +1,36 @@ +From 813a1d0f943f7b4ecf43c449a08762a8d8557a45 Mon Sep 17 00:00:00 2001 +From: UNKNOWN <> +Date: Tue, 27 Apr 2021 12:02:53 +0800 +Subject: [PATCH v2 1/2] Fix CVE-2021-25214 + +Conflict:NA +Reference:https://downloads.isc.org/isc/bind9/private/40732ca6e4fcc9d0/patches/CVE-2021-25214.patch + + +diff --git a/bind/bind-9.11.14/lib/dns/xfrin.c b/bind/bind-9.11.14/lib/dns/xfrin.c +index 558f40c..bae6d41 100644 +--- a/bind/bind-9.11.14/lib/dns/xfrin.c ++++ b/bind/bind-9.11.14/lib/dns/xfrin.c +@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl, + dns_rdatatype_ismeta(rdata->type)) + FAIL(DNS_R_FORMERR); + ++ /* ++ * Immediately reject the entire transfer if the RR that is currently ++ * being processed is an SOA record that is not placed at the zone ++ * apex. ++ */ ++ if (rdata->type == dns_rdatatype_soa && ++ !dns_name_equal(&xfr->name, name)) { ++ char namebuf[DNS_NAME_FORMATSIZE]; ++ dns_name_format(name, namebuf, sizeof(namebuf)); ++ xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'", ++ namebuf); ++ FAIL(DNS_R_NOTZONETOP); ++ } ++ + redo: + switch (xfr->state) { + case XFRST_SOAQUERY: +-- +1.8.3.1 diff --git a/backport-Fix-CVE-2021-25215.patch b/backport-Fix-CVE-2021-25215.patch new file mode 100644 index 0000000000000000000000000000000000000000..a78c7921232afe5da5e5cad0403c9d83749db52a --- /dev/null +++ b/backport-Fix-CVE-2021-25215.patch @@ -0,0 +1,36 @@ +From c42cc79ef9a23d8273b273bb86a1c8c9995b28a0 Mon Sep 17 00:00:00 2001 +From: UNKNOWN <> +Date: Tue, 27 Apr 2021 12:12:24 +0800 +Subject: [PATCH v2 2/2] Fix CVE-2021-25215 + +Conflict:NA +Reference:https://downloads.isc.org/isc/bind9/private/40732ca6e4fcc9d0/patches/CVE-2021-25215.patch + + +diff --git a/bind/bind-9.11.14/bin/named/query.c b/bind/bind-9.11.14/bin/named/query.c +index 6e988f5..2e7700a 100644 +--- a/bind/bind-9.11.14/bin/named/query.c ++++ b/bind/bind-9.11.14/bin/named/query.c +@@ -9139,10 +9139,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + if (noqname != NULL) + query_addnoqnameproof(client, noqname); + /* +- * We shouldn't ever fail to add 'rdataset' +- * because it's already in the answer. ++ * 'rdataset' will only be non-NULL here if the ANSWER section ++ * of the message to be sent to the client already contains an ++ * RRset with the same owner name and the same type as ++ * 'rdataset'. This should never happen, with one exception: ++ * when chasing DNAME records, one of the DNAME records placed ++ * in the ANSWER section may turn out to be the final answer to ++ * the client's query, but we have no way of knowing that until ++ * now. In such a case, 'rdataset' will be freed later, so we ++ * do not need to free it here. + */ +- INSIST(rdataset == NULL); ++ INSIST(rdataset == NULL || qtype == dns_rdatatype_dname); + } + + addauth: +-- +1.8.3.1 diff --git a/backport-Fix-CVE-2021-25219.patch b/backport-Fix-CVE-2021-25219.patch new file mode 100644 index 0000000000000000000000000000000000000000..c22efae7f33af86cd6d7339b8846c39e57a56a5c --- /dev/null +++ b/backport-Fix-CVE-2021-25219.patch @@ -0,0 +1,69 @@ +Conflict: NA +Reference : https://downloads.isc.org/bind9/cur/9.11/patches/CVE-2021-25219.patch +diff --git a/bind/bind-9.11.14/bin/named/config.c b/bind/bind-9.11.14/bin/named/config.c +index fbd2f2126c..d24e4f8a26 100644 +--- a/bind/bind-9.11.14/bin/named/config.c ++++ b/bind/bind-9.11.14/bin/named/config.c +@@ -175,7 +175,7 @@ options {\n\ + #if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2) + " geoip-use-ecs yes;\n" + #endif +-" lame-ttl 600;\n" ++" lame-ttl 0;\n" + #ifdef HAVE_LMDB + " lmdb-mapsize 32M;\n" + #endif +diff --git a/bind/bind-9.11.14/bin/named/server.c b/bind/bind-9.11.14/bin/named/server.c +index 6ff95e3bcc..9826588e6d 100644 +--- a/bind/bind-9.11.14/bin/named/server.c ++++ b/bind/bind-9.11.14/bin/named/server.c +@@ -3986,8 +3986,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + result = ns_config_get(maps, "lame-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + lame_ttl = cfg_obj_asuint32(obj); +- if (lame_ttl > 1800) +- lame_ttl = 1800; ++ if (lame_ttl > 0) { ++ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, ++ "disabling lame cache despite lame-ttl > 0 as it " ++ "may cause performance issues"); ++ lame_ttl = 0; ++ } + dns_resolver_setlamettl(view->resolver, lame_ttl); + + /* +diff --git a/bind/bind-9.11.14/lib/dns/resolver.c b/bind/bind-9.11.14/lib/dns/resolver.c +index 8175f7918b..b34cb12b73 100644 +--- a/bind/bind-9.11.14/lib/dns/resolver.c ++++ b/bind/bind-9.11.14/lib/dns/resolver.c +@@ -8396,18 +8396,20 @@ resquery_response(isc_task_t *task, isc_event_t *event) { + /* + * Is the server lame? + */ +- if (res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) && +- is_lame(fctx)) { ++ if (!ISFORWARDER(query->addrinfo) && is_lame(fctx)) { + inc_stats(res, dns_resstatscounter_lame); + log_lame(fctx, query->addrinfo); +- result = dns_adb_marklame(fctx->adb, query->addrinfo, +- &fctx->name, fctx->type, +- now + res->lame_ttl); +- if (result != ISC_R_SUCCESS) +- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, +- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR, +- "could not mark server as lame: %s", +- isc_result_totext(result)); ++ if (res->lame_ttl != 0) { ++ result = dns_adb_marklame(fctx->adb, query->addrinfo, ++ &fctx->name, fctx->type, ++ now + res->lame_ttl); ++ if (result != ISC_R_SUCCESS) { ++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, ++ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR, ++ "could not mark server as lame: %s", ++ isc_result_totext(result)); ++ } ++ } + broken_server = DNS_R_LAME; + keep_trying = true; + FCTXTRACE("lame server"); diff --git a/backport-Fix-CVE-2021-25220.patch b/backport-Fix-CVE-2021-25220.patch new file mode 100644 index 0000000000000000000000000000000000000000..2c8de1993ca399a6865c4a25827132496406e5b8 --- /dev/null +++ b/backport-Fix-CVE-2021-25220.patch @@ -0,0 +1,210 @@ +Conflict: rmessage to fctx->rmessage +Reference: +https://gitlab.isc.org/isc-projects/bind9/-/commit/fc9cb6cf91c1a36b797ffef0a277dbb3989d43dc +--- + bind/bind-9.11.14/lib/dns/resolver.c | 130 +++++++++++++++++++++++++-- + 1 file changed, 125 insertions(+), 5 deletions(-) + +diff --git a/bind/bind-9.11.14/lib/dns/resolver.c b/bind/bind-9.11.14/lib/dns/resolver.c +index cff130c..45faf19 100644 +--- a/bind/bind-9.11.14/lib/dns/resolver.c ++++ b/bind/bind-9.11.14/lib/dns/resolver.c +@@ -63,6 +63,7 @@ + #include + #include + #include ++#include + + #ifdef WANT_QUERYTRACE + #define RTRACE(m) isc_log_write(dns_lctx, \ +@@ -303,6 +304,8 @@ struct fetchctx { + bool ns_ttl_ok; + uint32_t ns_ttl; + isc_counter_t * qc; ++ dns_fixedname_t fwdfname; ++ dns_name_t *fwdname; + + /*% + * The number of events we're waiting for. +@@ -3344,6 +3347,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + if (result == ISC_R_SUCCESS) { + fwd = ISC_LIST_HEAD(forwarders->fwdrs); + fctx->fwdpolicy = forwarders->fwdpolicy; ++ dns_name_copy(domain, fctx->fwdname, NULL); + if (fctx->fwdpolicy == dns_fwdpolicy_only && + isstrictsubdomain(domain, &fctx->domain)) { + fcount_decr(fctx); +@@ -4368,6 +4372,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, + fctx->restarts = 0; + fctx->querysent = 0; + fctx->referrals = 0; ++ ++ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname); ++ + TIME_NOW(&fctx->start); + fctx->timeouts = 0; + fctx->lamecount = 0; +@@ -4421,8 +4428,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, + domain = dns_fixedname_initname(&fixed); + result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname, + domain, &forwarders); +- if (result == ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS) { + fctx->fwdpolicy = forwarders->fwdpolicy; ++ dns_name_copy(domain, fctx->fwdname, NULL); ++ } + + if (fctx->fwdpolicy != dns_fwdpolicy_only) { + /* +@@ -6175,6 +6184,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, + rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL; + } + ++/* ++ * Returns true if 'name' is external to the namespace for which ++ * the server being queried can answer, either because it's not a ++ * subdomain or because it's below a forward declaration or a ++ * locally served zone. ++ */ ++static inline bool ++name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) { ++ isc_result_t result; ++ dns_forwarders_t *forwarders = NULL; ++ dns_fixedname_t fixed, zfixed; ++ dns_name_t *fname = dns_fixedname_initname(&fixed); ++ dns_name_t *zfname = dns_fixedname_initname(&zfixed); ++ dns_name_t *apex = NULL; ++ dns_name_t suffix; ++ dns_zone_t *zone = NULL; ++ unsigned int labels; ++ dns_namereln_t rel; ++ /* ++ * The following two variables do not influence code flow; they are ++ * only necessary for calling dns_name_fullcompare(). ++ */ ++ int _orderp = 0; ++ unsigned int _nlabelsp = 0; ++ ++ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain; ++ ++ /* ++ * The name is outside the queried namespace. ++ */ ++ rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp); ++ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) { ++ return (true); ++ } ++ ++ /* ++ * If the record lives in the parent zone, adjust the name so we ++ * look for the correct zone or forward clause. ++ */ ++ labels = dns_name_countlabels(name); ++ if (dns_rdatatype_atparent(type) && labels > 1U) { ++ dns_name_init(&suffix, NULL); ++ dns_name_getlabelsequence(name, 1, labels - 1, &suffix); ++ name = &suffix; ++ } else if (rel == dns_namereln_equal) { ++ /* If 'name' is 'apex', no further checking is needed. */ ++ return (false); ++ } ++ ++ /* ++ * If there is a locally served zone between 'apex' and 'name' ++ * then don't cache. ++ */ ++ LOCK(&fctx->res->view->lock); ++ if (fctx->res->view->zonetable != NULL) { ++ unsigned int options = DNS_ZTFIND_NOEXACT; ++ result = dns_zt_find(fctx->res->view->zonetable, name, options, ++ zfname, &zone); ++ if (zone != NULL) { ++ dns_zone_detach(&zone); ++ } ++ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { ++ if (dns_name_fullcompare(zfname, apex, &_orderp, ++ &_nlabelsp) == ++ dns_namereln_subdomain) ++ { ++ UNLOCK(&fctx->res->view->lock); ++ return (true); ++ } ++ } ++ } ++ UNLOCK(&fctx->res->view->lock); ++ ++ /* ++ * Look for a forward declaration below 'name'. ++ */ ++ result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname, ++ &forwarders); ++ ++ if (ISFORWARDER(fctx->addrinfo)) { ++ /* ++ * See if the forwarder declaration is better. ++ */ ++ if (result == ISC_R_SUCCESS) { ++ return (!dns_name_equal(fname, fctx->fwdname)); ++ } ++ ++ /* ++ * If the lookup failed, the configuration must have ++ * changed: play it safe and don't cache. ++ */ ++ return (true); ++ } else if (result == ISC_R_SUCCESS && ++ forwarders->fwdpolicy == dns_fwdpolicy_only && ++ !ISC_LIST_EMPTY(forwarders->fwdrs)) ++ { ++ /* ++ * If 'name' is covered by a 'forward only' clause then we ++ * can't cache this repsonse. ++ */ ++ return (true); ++ } ++ ++ return (false); ++} ++ + static isc_result_t + check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type, + dns_section_t section) +@@ -6201,7 +6316,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type, + result = dns_message_findname(fctx->rmessage, section, addname, + dns_rdatatype_any, 0, &name, NULL); + if (result == ISC_R_SUCCESS) { +- external = !dns_name_issubdomain(name, &fctx->domain); ++ external = name_external(name, type, fctx); + if (type == dns_rdatatype_a) { + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; +@@ -7071,6 +7186,13 @@ answer_response(fetchctx_t *fctx) { + break; + + case dns_namereln_subdomain: ++ /* ++ * Don't accept DNAME from parent namespace. ++ */ ++ if (name_external(name, dns_rdatatype_dname, fctx)) { ++ continue; ++ } ++ + /* + * In-scope DNAME records must have at least + * as many labels as the domain being queried. +@@ -7299,11 +7421,9 @@ answer_response(fetchctx_t *fctx) { + */ + result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); + while (!done && result == ISC_R_SUCCESS) { +- bool external; + name = NULL; + dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); +- external = !dns_name_issubdomain(name, &fctx->domain); +- if (!external) { ++ if (!name_external(name, dns_rdatatype_ns, fctx)) { + /* + * We expect to find NS or SIG NS rdatasets, and + * nothing else. +-- +2.23.0 + diff --git a/dhcp.spec b/dhcp.spec index d2f5e60bf1842793fcdabe0cc1cf5be69c689eb3..b3fa5ce9c9abfd6d80e37d743066996a65fb5724 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -3,10 +3,10 @@ Name: dhcp Version: 4.4.2 -Release: 13 +Release: 14 Summary: Dynamic host configuration protocol software #Please don't change the epoch on this package -Epoch: 12 +Epoch: 13 License: ISC URL: https://www.isc.org/dhcp/ Source0: http://ftp.isc.org/isc/dhcp/%{version}/dhcp-%{version}.tar.gz @@ -60,6 +60,10 @@ Patch38: fix-coredump-when-client-active-is-NULL.patch Patch39: bugfix-error-message-display.patch Patch40: feature-lease-time-config-ipv6.patch Patch41: add-a-test-case-to-parse-code93-in-option_unittest.patch +Patch42: backport-Fix-CVE-2021-25214.patch +Patch43: backport-Fix-CVE-2021-25215.patch +Patch44: backport-Fix-CVE-2021-25219.patch +Patch45: backport-Fix-CVE-2021-25220.patch BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel BuildRequires: systemd systemd-devel @@ -302,6 +306,12 @@ exit 0 %{_mandir}/man3/omapi.3.gz %changelog +* Tue Sep 27 2022 renmingshuai - 4.4.2-14 +- Type:CVE +- ID:NA +- SUG:restart +- DESC:Fix CVE-2021-25214 CVE-2021-25215 CVE-2021-25219 CVE-2021-25220 + * Wed Mar 09 2022 kircher - 4.4.2-13 - Type:bugfix - ID:NA