From bf81b4e5327134e131e3198adad68c74afb5e259 Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Mon, 10 Sep 2018 17:18:46 +0800 Subject: bind: patch for CVE-2018-5740 Signed-off-by: Changqing Li Signed-off-by: Ross Burton --- .../bind/bind/CVE-2018-5740.patch | 72 ++++++++++++++++++++++ meta/recipes-connectivity/bind/bind_9.11.4.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch (limited to 'meta/recipes-connectivity') diff --git a/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch new file mode 100644 index 0000000000..7a2ba7eab6 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch @@ -0,0 +1,72 @@ +Upstream-Status: Backport [https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740] + +CVE: CVE-2018-5740 + +Signed-off-by: Changqing Li + +diff --git a/CHANGES b/CHANGES +index 750b600..3d8d655 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -1,3 +1,9 @@ ++ --- 9.11.4-P1 released --- ++ ++4997. [security] named could crash during recursive processing ++ of DNAME records when "deny-answer-aliases" was ++ in use. (CVE-2018-5740) [GL #387] ++ + --- 9.11.4 released --- + + --- 9.11.4rc2 released --- +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 8f674a2..41d1385 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, + unsigned int nlabels; + dns_fixedname_t fixed; + dns_name_t prefix; ++ int order; + + REQUIRE(rdataset != NULL); + REQUIRE(rdataset->type == dns_rdatatype_cname || +@@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, + tname = &cname.cname; + break; + case dns_rdatatype_dname: ++ if (dns_name_fullcompare(qname, rname, &order, &nlabels) != ++ dns_namereln_subdomain) ++ { ++ return (ISC_TRUE); ++ } + result = dns_rdata_tostruct(&rdata, &dname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_name_init(&prefix, NULL); + tname = dns_fixedname_initname(&fixed); +- nlabels = dns_name_countlabels(qname) - +- dns_name_countlabels(rname); ++ nlabels = dns_name_countlabels(rname); + dns_name_split(qname, nlabels, &prefix, NULL); + result = dns_name_concatenate(&prefix, &dname.dname, tname, + NULL); +- if (result == DNS_R_NAMETOOLONG) ++ if (result == DNS_R_NAMETOOLONG) { ++ if (chainingp != NULL) { ++ *chainingp = ISC_TRUE; ++ } + return (ISC_TRUE); ++ } + RUNTIME_CHECK(result == ISC_R_SUCCESS); + break; + default: +@@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) { + } + if ((ardataset->type == dns_rdatatype_cname || + ardataset->type == dns_rdatatype_dname) && +- !is_answertarget_allowed(fctx, qname, aname, ardataset, ++ type != ardataset->type && ++ type != dns_rdatatype_any && ++ !is_answertarget_allowed(fctx, qname, aname, ardataset, + NULL)) + { + return (DNS_R_SERVFAIL); diff --git a/meta/recipes-connectivity/bind/bind_9.11.4.bb b/meta/recipes-connectivity/bind/bind_9.11.4.bb index d27068c64f..23c3aadf9c 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.4.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.4.bb @@ -19,6 +19,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://0001-lib-dns-gen.c-fix-too-long-error.patch \ file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ + file://CVE-2018-5740.patch \ " SRC_URI[md5sum] = "9b4834d78f30cdb796ce437262272a36" -- cgit 1.2.3-korg