[gnome-continuous-yocto/gnomeostree-3.22-krogoth: 112/246] bind: fix two CVEs



commit 7343438092667d32878d18a33ab9a69c07a016df
Author: Zheng Ruoqin <zhengrq fnst cn fujitsu com>
Date:   Fri Oct 14 10:11:04 2016 -0400

    bind: fix two CVEs
    
    Add two CVE patches from upstream
    git: https://www.isc.org/git/
    
    1.CVE-2016-2775.patch
    2.CVE-2016-2776.patch
    
    (From OE-Core rev: 5f4588d675e400f13bb6001df04790c867a95230)
    
    (From OE-Core rev: ecc0a8ba077305c51804fd7bc287758b43420a76)
    
    Signed-off-by: zhengruoqin <zhengrq fnst cn fujitsu com>
    Signed-off-by: Ross Burton <ross burton intel com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>
    Signed-off-by: Armin Kuster <akuster808 gmail com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 .../bind/bind/CVE-2016-2775.patch                  |   90 ++++++++++++++
 .../bind/bind/CVE-2016-2776.patch                  |  123 ++++++++++++++++++++
 meta/recipes-connectivity/bind/bind_9.10.3-P3.bb   |    2 +
 3 files changed, 215 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
new file mode 100644
index 0000000..5393063
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,90 @@
+From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka isc org>
+Date: Wed, 12 Oct 2016 19:52:59 +0900
+Subject: [PATCH]
+4406.   [security]      getrrsetbyname with a non absolute name could
+                        trigger an infinite recursion bug in lwresd
+                        and named with lwres configured if when combined
+                        with a search list entry the resulting name is
+                        too long. (CVE-2016-2775) [RT #42694]
+
+Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
+v9.11.0_patch branch.
+
+CVE: CVE-2016-2775
+Upstream-Status: Backport
+
+Signed-off-by: zhengruoqin <zhengrq fnst cn fujitsu com>
+
+---
+ CHANGES                          |  6 ++++++
+ bin/named/lwdgrbn.c              | 16 ++++++++++------
+ bin/tests/system/lwresd/lwtest.c |  9 ++++++++-
+ 3 files changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index d2e3360..d0a9d12 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,9 @@
++4406.   [security]      getrrsetbyname with a non absolute name could
++                        trigger an infinite recursion bug in lwresd
++                        and named with lwres configured if when combined
++                        with a search list entry the resulting name is
++                        too long. (CVE-2016-2775) [RT #42694]
++
+ 4322.  [security]      Duplicate EDNS COOKIE options in a response could
+                        trigger an assertion failure. (CVE-2016-2088)
+                        [RT #41809]
+diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
+index 3e7b15b..e1e9adc 100644
+--- a/bin/named/lwdgrbn.c
++++ b/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+       INSIST(client->lookup == NULL);
+ 
+       dns_fixedname_init(&absname);
+-      result = ns_lwsearchctx_current(&client->searchctx,
+-                                      dns_fixedname_name(&absname));
++
+       /*
+-       * This will return failure if relative name + suffix is too long.
+-       * In this case, just go on to the next entry in the search path.
++         * Perform search across all search domains until success
++         * is returned. Return in case of failure.
+        */
+-      if (result != ISC_R_SUCCESS)
+-              start_lookup(client);
++        while (ns_lwsearchctx_current(&client->searchctx,
++                        dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
++                if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
++                        ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
++                        return;
++                }
++        }
+ 
+       result = dns_lookup_create(cm->mctx,
+                                  dns_fixedname_name(&absname),
+diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
+index ad9b551..3eb4a66 100644
+--- a/bin/tests/system/lwresd/lwtest.c
++++ b/bin/tests/system/lwresd/lwtest.c
+@@ -768,7 +768,14 @@ main(void) {
+       test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
+       test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+       test_getrrsetbyname("", 1, 1, 0, 0, 0);
+-
++        test_getrrsetbyname("123456789.123456789.123456789.123456789."
++                            "123456789.123456789.123456789.123456789."
++                            "123456789.123456789.123456789.123456789."
++                            "123456789.123456789.123456789.123456789."
++                            "123456789.123456789.123456789.123456789."
++                            "123456789.123456789.123456789.123456789."
++                            "123456789", 1, 1, 0, 0, 0);
++ 
+       if (fails == 0)
+               printf("I:ok\n");
+       return (fails);
+-- 
+2.7.4
+
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
new file mode 100644
index 0000000..738bf60
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0 +1,123 @@
+From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka isc org>
+Date: Wed, 12 Oct 2016 20:36:52 +0900
+Subject: [PATCH] 
+4467.   [security]      It was possible to trigger an assertion when 
+                        rendering a message. (CVE-2016-2776) [RT #43139]
+
+Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the
+v9.11.0_patch branch.
+
+CVE: CVE-2016-2776
+Upstream-Status: Backport
+
+Signed-off-by: zhengruoqin <zhengrq fnst cn fujitsu com>
+
+---
+ CHANGES           |  3 +++
+ lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
+ 2 files changed, 34 insertions(+), 11 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index d0a9d12..5c8c61a 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,6 @@
++4467.   [security]      It was possible to trigger an assertion when
++                        rendering a message. (CVE-2016-2776) [RT #43139]
++
+ 4406.   [security]      getrrsetbyname with a non absolute name could
+                         trigger an infinite recursion bug in lwresd
+                         and named with lwres configured if when combined
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 6b5b4bb..b74dc81 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
+       if (r.length < DNS_MESSAGE_HEADERLEN)
+               return (ISC_R_NOSPACE);
+ 
+-      if (r.length < msg->reserved)
++        if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+               return (ISC_R_NOSPACE);
+ 
+       /*
+@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
+ 
+       return (ISC_TRUE);
+ }
+-
+ #endif
++
++static isc_result_t
++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
++         dns_compress_t *cctx, isc_buffer_t *target,
++         unsigned int reserved, unsigned int options, unsigned int *countp)
++{
++       isc_result_t result;
++
++       /*
++        * Shrink the space in the buffer by the reserved amount.
++        */
++       if (target->length - target->used < reserved)
++               return (ISC_R_NOSPACE);
++
++       target->length -= reserved;
++       result = dns_rdataset_towire(rdataset, owner_name,
++                                    cctx, target, options, countp);
++       target->length += reserved;
++
++       return (result);
++}
++
+ isc_result_t
+ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+                         unsigned int options)
+@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+       /*
+        * Shrink the space in the buffer by the reserved amount.
+        */
++        if (msg->buffer->length - msg->buffer->used < msg->reserved)
++                return (ISC_R_NOSPACE);
+       msg->buffer->length -= msg->reserved;
+ 
+       total = 0;
+@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) {
+                * Render.
+                */
+               count = 0;
+-              result = dns_rdataset_towire(msg->opt, dns_rootname,
+-                                           msg->cctx, msg->buffer, 0,
+-                                           &count);
++                result = renderset(msg->opt, dns_rootname, msg->cctx,
++                                   msg->buffer, msg->reserved, 0, &count);
+               msg->counts[DNS_SECTION_ADDITIONAL] += count;
+               if (result != ISC_R_SUCCESS)
+                       return (result);
+@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) {
+               if (result != ISC_R_SUCCESS)
+                       return (result);
+               count = 0;
+-              result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+-                                           msg->cctx, msg->buffer, 0,
+-                                           &count);
++                result = renderset(msg->tsig, msg->tsigname, msg->cctx,
++                                   msg->buffer, msg->reserved, 0, &count);
+               msg->counts[DNS_SECTION_ADDITIONAL] += count;
+               if (result != ISC_R_SUCCESS)
+                       return (result);
+@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) {
+                * the owner name of a SIG(0) is irrelevant, and will not
+                * be set in a message being rendered.
+                */
+-              result = dns_rdataset_towire(msg->sig0, dns_rootname,
+-                                           msg->cctx, msg->buffer, 0,
+-                                           &count);
++                result = renderset(msg->sig0, dns_rootname, msg->cctx,
++                                   msg->buffer, msg->reserved, 0, &count);
+               msg->counts[DNS_SECTION_ADDITIONAL] += count;
+               if (result != ISC_R_SUCCESS)
+                       return (result);
+-- 
+2.7.4
+
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb 
b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index 1e3a20f..d88fe90 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -25,6 +25,8 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://CVE-2016-1286_1.patch \
            file://CVE-2016-1286_2.patch \
            file://CVE-2016-2088.patch \
+           file://CVE-2016-2775.patch \
+           file://CVE-2016-2776.patch \
            "
 
 SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]