From e2d326e7f9271a66dcc8e211de43bfd15800ae60 Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Thu, 4 Jan 2024 13:12:46 +0000
Subject: [PATCH] fix CVE-2022-2795,CVE-2022-38177 and CVE-2022-38178

(cherry picked from commit ccf55ac8efd82ac96528229f60c5a434ca018168)
---
 backport-CVE-2022-2795.patch  | 39 +++++++++++++++++++++++++++++++++++
 backport-CVE-2022-38177.patch | 21 +++++++++++++++++++
 backport-CVE-2022-38178.patch | 21 +++++++++++++++++++
 dhcp.spec                     | 11 +++++++++-
 4 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2795.patch
 create mode 100644 backport-CVE-2022-38177.patch
 create mode 100644 backport-CVE-2022-38178.patch

diff --git a/backport-CVE-2022-2795.patch b/backport-CVE-2022-2795.patch
new file mode 100644
index 0000000..17f9e45
--- /dev/null
+++ b/backport-CVE-2022-2795.patch
@@ -0,0 +1,39 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0001-CVE-2022-2795.patch
+
+diff --git a/bind/bind-9.11.36/lib/dns/resolver.c b/bind/bind-9.11.36/lib/dns/resolver.c
+index d2cf14bbc8b..73a0ee9f779 100644
+--- a/bind/bind-9.11.36/lib/dns/resolver.c
++++ b/bind/bind-9.11.36/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 	bool need_alternate = false;
+ 	bool all_spilled = true;
+ 	unsigned int no_addresses = 0;
++	unsigned int ns_processed = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3902,6 +3909,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdata_freestruct(&ns);
++
++		if (++ns_processed >= NS_PROCESSING_LIMIT) {
++			result = ISC_R_NOMORE;
++			break;
++		}
+ 	}
+ 	if (result != ISC_R_NOMORE) {
+ 		return (result);
diff --git a/backport-CVE-2022-38177.patch b/backport-CVE-2022-38177.patch
new file mode 100644
index 0000000..2ef2815
--- /dev/null
+++ b/backport-CVE-2022-38177.patch
@@ -0,0 +1,21 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0003-CVE-2022-38177.patch
+---
+ bind/bind-9.11.36/lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c b/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
+index 83b5b51..7576e04 100644
+--- a/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
++++ b/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ECDSA384SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ 		DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+2.33.0
+
diff --git a/backport-CVE-2022-38178.patch b/backport-CVE-2022-38178.patch
new file mode 100644
index 0000000..9b7846d
--- /dev/null
+++ b/backport-CVE-2022-38178.patch
@@ -0,0 +1,21 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0004-CVE-2022-38178.patch
+---
+ bind/bind-9.11.36/lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bind/bind-9.11.36/lib/dns/openssleddsa_link.c b/bind/bind-9.11.36/lib/dns/openssleddsa_link.c
+index 8b115ec..4f3c2a8 100644
+--- a/bind/bind-9.11.36/lib/dns/openssleddsa_link.c
++++ b/bind/bind-9.11.36/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ED448SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	isc_buffer_usedregion(buf, &tbsreg);
+ 
+-- 
+2.33.0
+
diff --git a/dhcp.spec b/dhcp.spec
index 1cbae0c..096a27b 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -3,7 +3,7 @@
 
 Name:      dhcp
 Version:   4.4.3
-Release:   4
+Release:   5
 Summary:   Dynamic host configuration protocol software
 #Please don't change the epoch on this package
 Epoch:     12
@@ -57,6 +57,9 @@ Patch38: backport-Fix-CVE-2021-25220.patch
 Patch39: backport-Fix-CVE-2022-2928.patch
 Patch40: backport-Fix-CVE-2022-2929.patch
 Patch41: Revert-correcting-the-logic-in-dhclient.patch
+Patch42: backport-CVE-2022-2795.patch
+Patch43: backport-CVE-2022-38177.patch
+Patch44: backport-CVE-2022-38178.patch
 
 BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel
 BuildRequires: systemd systemd-devel
@@ -305,6 +308,12 @@ exit 0
 %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Thu Jan 4 2024 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-5
+- Type:CVE
+- ID:CVE-2022-2795,CVE-2022-38177,CVE-2022-38178
+- SUG:restart
+- DESC:fix CVE-2022-2795,CVE-2022-38177 and CVE-2022-38178
+
 * Fri Nov 24 2023 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-4
 - Type:bugfix
 - ID:
-- 
Gitee