From 91e05c25eb221ff1dc2bde5cfaa0bea88345b1e4 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Sat, 17 Sep 2016 14:22:15 -0700 Subject: bind: Security fix CVE-2016-2088 Signed-off-by: Armin Kuster --- .../bind/bind/CVE-2016-2088.patch | 216 +++++++++++++++++++++ meta/recipes-connectivity/bind/bind_9.10.2-P4.bb | 1 + 2 files changed, 217 insertions(+) create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch new file mode 100644 index 0000000000..f3f2cc82d2 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch @@ -0,0 +1,216 @@ +From d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Sat, 27 Feb 2016 11:23:50 +1100 +Subject: [PATCH] 4322. [security] Duplicate EDNS COOKIE options in a + response could trigger an assertion failure. + (CVE-2016-2088) [RT #41809] + +(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029) +(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3) + +Upstream-Status: Backport +CVE: CVE-2016-2088 +minor fixup to get to apply. + +Signed-off-by: Armin Kuster + +--- + CHANGES | 5 +++++ + bin/dig/dighost.c | 9 +++++++++ + bin/named/client.c | 33 +++++++++++++++++++++++---------- + doc/arm/notes.xml | 7 +++++++ + lib/dns/resolver.c | 14 +++++++++++++- + 5 files changed, 57 insertions(+), 11 deletions(-) + +Index: bind-9.10.2-P4/CHANGES +=================================================================== +--- bind-9.10.2-P4.orig/CHANGES ++++ bind-9.10.2-P4/CHANGES +@@ -1,3 +1,7 @@ ++4322. [security] Duplicate EDNS COOKIE options in a response could ++ trigger an assertion failure. (CVE-2016-2088) ++ [RT #41809] ++ + 4319. [security] Fix resolver assertion failure due to improper + DNAME handling when parsing fetch reply messages. + (CVE-2016-1286) [RT #41753] +Index: bind-9.10.2-P4/bin/dig/dighost.c +=================================================================== +--- bind-9.10.2-P4.orig/bin/dig/dighost.c ++++ bind-9.10.2-P4/bin/dig/dighost.c +@@ -3349,6 +3349,7 @@ process_opt(dig_lookup_t *l, dns_message + isc_buffer_t optbuf; + isc_uint16_t optcode, optlen; + dns_rdataset_t *opt = msg->opt; ++ isc_boolean_t seen_cookie = ISC_FALSE; + + result = dns_rdataset_first(opt); + if (result == ISC_R_SUCCESS) { +@@ -3360,8 +3361,16 @@ process_opt(dig_lookup_t *l, dns_message + optcode = isc_buffer_getuint16(&optbuf); + optlen = isc_buffer_getuint16(&optbuf); + switch (optcode) { +- case DNS_OPT_SIT: ++ case DNS_OPT_SIT: ++ /* ++ * Only process the first cookie option. ++ */ ++ if (seen_cookie) { ++ isc_buffer_forward(&optbuf, optlen); ++ break; ++ } + process_sit(l, msg, &optbuf, optlen); ++ seen_cookie = ISC_TRUE; + break; + default: + isc_buffer_forward(&optbuf, optlen); +Index: bind-9.10.2-P4/bin/named/client.c +=================================================================== +--- bind-9.10.2-P4.orig/bin/named/client.c ++++ bind-9.10.2-P4/bin/named/client.c +@@ -121,7 +121,10 @@ + */ + #endif + +-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */ ++#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */ ++ ++#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0) ++#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0) + + /*% nameserver client manager structure */ + struct ns_clientmgr { +@@ -1391,7 +1394,7 @@ ns_client_addopt(ns_client_t *client, dn + { + char nsid[BUFSIZ], *nsidp; + #ifdef ISC_PLATFORM_USESIT +- unsigned char sit[SIT_SIZE]; ++ unsigned char sit[COOKIE_SIZE]; + #endif + isc_result_t result; + dns_view_t *view; +@@ -1416,7 +1419,7 @@ ns_client_addopt(ns_client_t *client, dn + flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE; + + /* Set EDNS options if applicable */ +- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 && ++ if (WANTNSID(client) && + (ns_g_server->server_id != NULL || + ns_g_server->server_usehostname)) { + if (ns_g_server->server_usehostname) { +@@ -1449,7 +1452,7 @@ ns_client_addopt(ns_client_t *client, dn + + INSIST(count < DNS_EDNSOPTIONS); + ednsopts[count].code = DNS_OPT_SIT; +- ednsopts[count].length = SIT_SIZE; ++ ednsopts[count].length = COOKIE_SIZE; + ednsopts[count].value = sit; + count++; + } +@@ -1657,19 +1660,26 @@ compute_sit(ns_client_t *client, isc_uin + + static void + process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { +- unsigned char dbuf[SIT_SIZE]; ++ unsigned char dbuf[COOKIE_SIZE]; + unsigned char *old; + isc_stdtime_t now; + isc_uint32_t when; + isc_uint32_t nonce; + isc_buffer_t db; + ++ /* ++ * If we have already seen a ECS option skip this ECS option. ++ */ ++ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) { ++ isc_buffer_forward(buf, optlen); ++ return; ++ } + client->attributes |= NS_CLIENTATTR_WANTSIT; + + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_sitopt); + +- if (optlen != SIT_SIZE) { ++ if (optlen != COOKIE_SIZE) { + /* + * Not our token. + */ +@@ -1713,7 +1723,7 @@ process_sit(ns_client_t *client, isc_buf + isc_buffer_init(&db, dbuf, sizeof(dbuf)); + compute_sit(client, when, nonce, &db); + +- if (memcmp(old, dbuf, SIT_SIZE) != 0) { ++ if (memcmp(old, dbuf, COOKIE_SIZE) != 0) { + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_sitnomatch); + return; +@@ -1779,7 +1789,9 @@ process_opt(ns_client_t *client, dns_rda + optlen = isc_buffer_getuint16(&optbuf); + switch (optcode) { + case DNS_OPT_NSID: +- isc_stats_increment(ns_g_server->nsstats, ++ if (!WANTNSID(client)) ++ isc_stats_increment( ++ ns_g_server->nsstats, + dns_nsstatscounter_nsidopt); + client->attributes |= NS_CLIENTATTR_WANTNSID; + isc_buffer_forward(&optbuf, optlen); +@@ -1790,7 +1802,9 @@ process_opt(ns_client_t *client, dns_rda + break; + #endif + case DNS_OPT_EXPIRE: +- isc_stats_increment(ns_g_server->nsstats, ++ if (!WANTEXPIRE(client)) ++ isc_stats_increment( ++ ns_g_server->nsstats, + dns_nsstatscounter_expireopt); + client->attributes |= NS_CLIENTATTR_WANTEXPIRE; + isc_buffer_forward(&optbuf, optlen); +Index: bind-9.10.2-P4/lib/dns/resolver.c +=================================================================== +--- bind-9.10.2-P4.orig/lib/dns/resolver.c ++++ bind-9.10.2-P4/lib/dns/resolver.c +@@ -7144,7 +7144,9 @@ process_opt(resquery_t *query, dns_rdata + unsigned char *sit; + dns_adbaddrinfo_t *addrinfo; + unsigned char cookie[8]; ++ isc_boolean_t seen_cookie = ISC_FALSE; + #endif ++ isc_boolean_t seen_nsid = ISC_FALSE; + + result = dns_rdataset_first(opt); + if (result == ISC_R_SUCCESS) { +@@ -7158,14 +7160,23 @@ process_opt(resquery_t *query, dns_rdata + INSIST(optlen <= isc_buffer_remaininglength(&optbuf)); + switch (optcode) { + case DNS_OPT_NSID: +- if (query->options & DNS_FETCHOPT_WANTNSID) ++ if (!seen_nsid && ++ query->options & DNS_FETCHOPT_WANTNSID) + log_nsid(&optbuf, optlen, query, + ISC_LOG_DEBUG(3), + query->fctx->res->mctx); + isc_buffer_forward(&optbuf, optlen); ++ seen_nsid = ISC_TRUE; + break; + #ifdef ISC_PLATFORM_USESIT + case DNS_OPT_SIT: ++ /* ++ * Only process the first cookie option. ++ */ ++ if (seen_cookie) { ++ isc_buffer_forward(&optbuf, optlen); ++ break; ++ } + sit = isc_buffer_current(&optbuf); + compute_cc(query, cookie, sizeof(cookie)); + INSIST(query->fctx->rmessage->sitbad == 0 && +@@ -7183,6 +7194,7 @@ process_opt(resquery_t *query, dns_rdata + isc_buffer_forward(&optbuf, optlen); + inc_stats(query->fctx->res, + dns_resstatscounter_sitin); ++ seen_cookie = ISC_TRUE; + break; + #endif + default: diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb index f1951a0a57..0dfa314f7a 100644 --- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb +++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb @@ -28,6 +28,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2016-1285.patch \ file://CVE-2016-1286_1.patch \ file://CVE-2016-1286_2.patch \ + file://CVE-2016-2088.patch \ " SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7" -- cgit 1.2.3-korg