diff options
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-connectivity/bind')
5 files changed, 221 insertions, 3 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch index a31ea81f8..5f5cb0d34 100644 --- a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch @@ -5,6 +5,9 @@ Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion failure due to improper DNAME handling when parsing fetch reply messages. (CVE-2016-1286) [RT #41753] +CVE: CVE-2016-1286 +Upstream-Status: Backport + (cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> --- diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch new file mode 100644 index 000000000..5393063c5 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch @@ -0,0 +1,90 @@ +From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Wed, 12 Oct 2016 19:52:59 +0900 +Subject: [PATCH] +4406. [security] getrrsetbyname with a non absolute name could + trigger an infinite recursion bug in lwresd + and named with lwres configured if when combined + with a search list entry the resulting name is + too long. (CVE-2016-2775) [RT #42694] + +Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the +v9.11.0_patch branch. + +CVE: CVE-2016-2775 +Upstream-Status: Backport + +Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> + +--- + CHANGES | 6 ++++++ + bin/named/lwdgrbn.c | 16 ++++++++++------ + bin/tests/system/lwresd/lwtest.c | 9 ++++++++- + 3 files changed, 24 insertions(+), 7 deletions(-) + +diff --git a/CHANGES b/CHANGES +index d2e3360..d0a9d12 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -1,3 +1,9 @@ ++4406. [security] getrrsetbyname with a non absolute name could ++ trigger an infinite recursion bug in lwresd ++ and named with lwres configured if when combined ++ with a search list entry the resulting name is ++ too long. (CVE-2016-2775) [RT #42694] ++ + 4322. [security] Duplicate EDNS COOKIE options in a response could + trigger an assertion failure. (CVE-2016-2088) + [RT #41809] +diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c +index 3e7b15b..e1e9adc 100644 +--- a/bin/named/lwdgrbn.c ++++ b/bin/named/lwdgrbn.c +@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) { + INSIST(client->lookup == NULL); + + dns_fixedname_init(&absname); +- result = ns_lwsearchctx_current(&client->searchctx, +- dns_fixedname_name(&absname)); ++ + /* +- * This will return failure if relative name + suffix is too long. +- * In this case, just go on to the next entry in the search path. ++ * Perform search across all search domains until success ++ * is returned. Return in case of failure. + */ +- if (result != ISC_R_SUCCESS) +- start_lookup(client); ++ while (ns_lwsearchctx_current(&client->searchctx, ++ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) { ++ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) { ++ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); ++ return; ++ } ++ } + + result = dns_lookup_create(cm->mctx, + dns_fixedname_name(&absname), +diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c +index ad9b551..3eb4a66 100644 +--- a/bin/tests/system/lwresd/lwtest.c ++++ b/bin/tests/system/lwresd/lwtest.c +@@ -768,7 +768,14 @@ main(void) { + test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1); + test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); + test_getrrsetbyname("", 1, 1, 0, 0, 0); +- ++ test_getrrsetbyname("123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789", 1, 1, 0, 0, 0); ++ + if (fails == 0) + printf("I:ok\n"); + return (fails); +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch new file mode 100644 index 000000000..738bf6005 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch @@ -0,0 +1,123 @@ +From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Wed, 12 Oct 2016 20:36:52 +0900 +Subject: [PATCH] +4467. [security] It was possible to trigger an assertion when + rendering a message. (CVE-2016-2776) [RT #43139] + +Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the +v9.11.0_patch branch. + +CVE: CVE-2016-2776 +Upstream-Status: Backport + +Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> + +--- + CHANGES | 3 +++ + lib/dns/message.c | 42 +++++++++++++++++++++++++++++++----------- + 2 files changed, 34 insertions(+), 11 deletions(-) + +diff --git a/CHANGES b/CHANGES +index d0a9d12..5c8c61a 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -1,3 +1,6 @@ ++4467. [security] It was possible to trigger an assertion when ++ rendering a message. (CVE-2016-2776) [RT #43139] ++ + 4406. [security] getrrsetbyname with a non absolute name could + trigger an infinite recursion bug in lwresd + and named with lwres configured if when combined +diff --git a/lib/dns/message.c b/lib/dns/message.c +index 6b5b4bb..b74dc81 100644 +--- a/lib/dns/message.c ++++ b/lib/dns/message.c +@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx, + if (r.length < DNS_MESSAGE_HEADERLEN) + return (ISC_R_NOSPACE); + +- if (r.length < msg->reserved) ++ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved) + return (ISC_R_NOSPACE); + + /* +@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options, + + return (ISC_TRUE); + } +- + #endif ++ ++static isc_result_t ++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name, ++ dns_compress_t *cctx, isc_buffer_t *target, ++ unsigned int reserved, unsigned int options, unsigned int *countp) ++{ ++ isc_result_t result; ++ ++ /* ++ * Shrink the space in the buffer by the reserved amount. ++ */ ++ if (target->length - target->used < reserved) ++ return (ISC_R_NOSPACE); ++ ++ target->length -= reserved; ++ result = dns_rdataset_towire(rdataset, owner_name, ++ cctx, target, options, countp); ++ target->length += reserved; ++ ++ return (result); ++} ++ + isc_result_t + dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, + unsigned int options) +@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, + /* + * Shrink the space in the buffer by the reserved amount. + */ ++ if (msg->buffer->length - msg->buffer->used < msg->reserved) ++ return (ISC_R_NOSPACE); + msg->buffer->length -= msg->reserved; + + total = 0; +@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) { + * Render. + */ + count = 0; +- result = dns_rdataset_towire(msg->opt, dns_rootname, +- msg->cctx, msg->buffer, 0, +- &count); ++ result = renderset(msg->opt, dns_rootname, msg->cctx, ++ msg->buffer, msg->reserved, 0, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) + return (result); +@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) { + if (result != ISC_R_SUCCESS) + return (result); + count = 0; +- result = dns_rdataset_towire(msg->tsig, msg->tsigname, +- msg->cctx, msg->buffer, 0, +- &count); ++ result = renderset(msg->tsig, msg->tsigname, msg->cctx, ++ msg->buffer, msg->reserved, 0, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) + return (result); +@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) { + * the owner name of a SIG(0) is irrelevant, and will not + * be set in a message being rendered. + */ +- result = dns_rdataset_towire(msg->sig0, dns_rootname, +- msg->cctx, msg->buffer, 0, +- &count); ++ result = renderset(msg->sig0, dns_rootname, msg->cctx, ++ msg->buffer, msg->reserved, 0, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) + return (result); +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch index 6989d6d4b..b02ecb106 100644 --- a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch @@ -1,6 +1,6 @@ Upstream-Status: Pending -Signed-off-by Saul Wold <sgw@linux.intel.com> +Signed-off-by: Saul Wold <sgw@linux.intel.com> Index: bind-9.9.5/bin/Makefile.in =================================================================== diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb index 1e3a20f9a..4e2e856b7 100644 --- a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb +++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb @@ -25,6 +25,8 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2016-1286_1.patch \ file://CVE-2016-1286_2.patch \ file://CVE-2016-2088.patch \ + file://CVE-2016-2775.patch \ + file://CVE-2016-2776.patch \ " SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a" @@ -56,7 +58,7 @@ SYSTEMD_SERVICE_${PN} = "named.service" PARALLEL_MAKE = "" -RDEPENDS_${PN} = "python-core" +RDEPENDS_${PN} = "python3-core" RDEPENDS_${PN}-dev = "" PACKAGE_BEFORE_PN += "${PN}-utils" @@ -81,7 +83,7 @@ do_install_append() { install -d "${D}${sysconfdir}/init.d" install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/" install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind" - sed -i -e '1s,#!.*python,#! /usr/bin/env python,' ${D}${sbindir}/dnssec-coverage ${D}${sbindir}/dnssec-checkds + sed -i -e '1s,#!.*python,#! /usr/bin/python3,' ${D}${sbindir}/dnssec-coverage ${D}${sbindir}/dnssec-checkds # Install systemd related files install -d ${D}${sbindir} |