From 54bf7379036eec6d6c4399aa374f898ba3464996 Mon Sep 17 00:00:00 2001
From: Armin Kuster <akuster808@gmail.com>
Date: Sun, 2 Oct 2016 17:49:24 -0700
Subject: bind: Security fix CVE-2016-2775

affect bind < 9.10.4-p2

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../bind/bind/CVE-2016-2775.patch                  | 84 ++++++++++++++++++++++
 meta/recipes-connectivity/bind/bind_9.10.2-P4.bb   |  1 +
 2 files changed, 85 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
new file mode 100644
index 0000000000..5d4d9126bf
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,84 @@
+From 390c5183af79861fcf07a44014912788744e85de Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 7 Jul 2016 12:52:47 +1000
+Subject: [PATCH] 4406.   [bug]           getrrsetbyname with a non absolute
+ name could                         trigger a infinite recursion bug in lwresd
+                         and named with lwres configured if when combined     
+                    with a search list entry the resulting name is            
+             too long. [RT #42694]
+
+(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232)
+
+Upstream-Status: Backport
+CVE: CVE-2016-2775
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGES                          |  6 ++++++
+ bin/named/lwdgrbn.c              | 16 ++++++++++------
+ bin/tests/system/lwresd/lwtest.c |  8 ++++++++
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+
+Index: bind-9.10.2-P4/bin/named/lwdgrbn.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/named/lwdgrbn.c
++++ bind-9.10.2-P4/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+ 	INSIST(client->lookup == NULL);
+ 
+ 	dns_fixedname_init(&absname);
+-	result = ns_lwsearchctx_current(&client->searchctx,
+-					dns_fixedname_name(&absname));
++
+ 	/*
+-	 * This will return failure if relative name + suffix is too long.
+-	 * In this case, just go on to the next entry in the search path.
++	 * Perform search across all search domains until success
++	 * is returned. Return in case of failure.
+ 	 */
+-	if (result != ISC_R_SUCCESS)
+-		start_lookup(client);
++	while (ns_lwsearchctx_current(&client->searchctx,
++			dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
++		if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
++			ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
++			return;
++		}
++	}
+ 
+ 	result = dns_lookup_create(cm->mctx,
+ 				   dns_fixedname_name(&absname),
+Index: bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/tests/system/lwresd/lwtest.c
++++ bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
+@@ -768,6 +768,14 @@ main(void) {
+ 	test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+ 	test_getrrsetbyname("", 1, 1, 0, 0, 0);
+ 
++	test_getrrsetbyname("123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789", 1, 1, 0, 0, 0);
++
+ 	if (fails == 0)
+ 		printf("I:ok\n");
+ 	return (fails);
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,9 @@
++4406.  [bug]           getrrsetbyname with a non absolute name could
++                       trigger a infinite recursion bug in lwresd
++                       and named with lwres configured if when combined
++                       with a search list entry the resulting name is
++                       too long. [RT #42694]
++
+ 4322.  [security]      Duplicate EDNS COOKIE options in a response could
+                        trigger an assertion failure. (CVE-2016-2088)
+                        [RT #41809]
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index 0dfa314f7a..80c7b44127 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -29,6 +29,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://CVE-2016-1286_1.patch \
            file://CVE-2016-1286_2.patch \
            file://CVE-2016-2088.patch \
+           file://CVE-2016-2775.patch \
            "
 
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"
-- 
cgit 1.2.3-korg