All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH V2] bind: patch for CVE-2018-5740
@ 2018-09-11  1:23 changqing.li
  2018-09-11  1:29 ` Changqing Li
  0 siblings, 1 reply; 2+ messages in thread
From: changqing.li @ 2018-09-11  1:23 UTC (permalink / raw)
  To: openembedded-core

From: Changqing Li <changqing.li@windriver.com>

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 .../bind/bind/CVE-2018-5740.patch                  | 72 ++++++++++++++++++++++
 meta/recipes-connectivity/bind/bind_9.11.4.bb      |  1 +
 2 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
new file mode 100644
index 0000000..4236b3b
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
@@ -0,0 +1,72 @@
+Upstream-Status: Backport[https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740]
+
+CVE: CVE-2018-5740
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+diff --git a/CHANGES b/CHANGES
+index 750b600..3d8d655 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,9 @@
++	--- 9.11.4-P1 released ---
++
++4997.	[security]	named could crash during recursive processing
++			of DNAME records when "deny-answer-aliases" was
++			in use. (CVE-2018-5740) [GL #387]
++
+ 	--- 9.11.4 released ---
+ 
+ 	--- 9.11.4rc2 released ---
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8f674a2..41d1385 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+ 	unsigned int nlabels;
+ 	dns_fixedname_t fixed;
+ 	dns_name_t prefix;
++	int order;
+ 
+ 	REQUIRE(rdataset != NULL);
+ 	REQUIRE(rdataset->type == dns_rdatatype_cname ||
+@@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+ 		tname = &cname.cname;
+ 		break;
+ 	case dns_rdatatype_dname:
++		if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
++		    dns_namereln_subdomain)
++		{
++			return (ISC_TRUE);
++		}
+ 		result = dns_rdata_tostruct(&rdata, &dname, NULL);
+ 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ 		dns_name_init(&prefix, NULL);
+ 		tname = dns_fixedname_initname(&fixed);
+-		nlabels = dns_name_countlabels(qname) -
+-			  dns_name_countlabels(rname);
++		nlabels = dns_name_countlabels(rname);
+ 		dns_name_split(qname, nlabels, &prefix, NULL);
+ 		result = dns_name_concatenate(&prefix, &dname.dname, tname,
+ 					      NULL);
+-		if (result == DNS_R_NAMETOOLONG)
++		if (result == DNS_R_NAMETOOLONG) {
++			if (chainingp != NULL) {
++				*chainingp = ISC_TRUE;
++			}
+ 			return (ISC_TRUE);
++		}
+ 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ 		break;
+ 	default:
+@@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) {
+ 		}
+ 		if ((ardataset->type == dns_rdatatype_cname ||
+ 		     ardataset->type == dns_rdatatype_dname) &&
+-		     !is_answertarget_allowed(fctx, qname, aname, ardataset,
++		    type != ardataset->type &&
++		    type != dns_rdatatype_any &&
++		    !is_answertarget_allowed(fctx, qname, aname, ardataset,
+ 					      NULL))
+ 		{
+ 			return (DNS_R_SERVFAIL);
diff --git a/meta/recipes-connectivity/bind/bind_9.11.4.bb b/meta/recipes-connectivity/bind/bind_9.11.4.bb
index d27068c..23c3aad 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.4.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-lib-dns-gen.c-fix-too-long-error.patch \
            file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
            file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
+           file://CVE-2018-5740.patch \
 "
 
 SRC_URI[md5sum] = "9b4834d78f30cdb796ce437262272a36"
-- 
2.7.4



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH V2] bind: patch for CVE-2018-5740
  2018-09-11  1:23 [PATCH V2] bind: patch for CVE-2018-5740 changqing.li
@ 2018-09-11  1:29 ` Changqing Li
  0 siblings, 0 replies; 2+ messages in thread
From: Changqing Li @ 2018-09-11  1:29 UTC (permalink / raw)
  To: openembedded-core

Please ignore this patch,  I just noticed that Ross have fix 
Upstream-Status, and merge to master-next.  Thanks.


On 09/11/2018 09:23 AM, changqing.li@windriver.com wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
>   .../bind/bind/CVE-2018-5740.patch                  | 72 ++++++++++++++++++++++
>   meta/recipes-connectivity/bind/bind_9.11.4.bb      |  1 +
>   2 files changed, 73 insertions(+)
>   create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
>
> diff --git a/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
> new file mode 100644
> index 0000000..4236b3b
> --- /dev/null
> +++ b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
> @@ -0,0 +1,72 @@
> +Upstream-Status: Backport[https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740]
> +
> +CVE: CVE-2018-5740
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +
> +diff --git a/CHANGES b/CHANGES
> +index 750b600..3d8d655 100644
> +--- a/CHANGES
> ++++ b/CHANGES
> +@@ -1,3 +1,9 @@
> ++	--- 9.11.4-P1 released ---
> ++
> ++4997.	[security]	named could crash during recursive processing
> ++			of DNAME records when "deny-answer-aliases" was
> ++			in use. (CVE-2018-5740) [GL #387]
> ++
> + 	--- 9.11.4 released ---
> +
> + 	--- 9.11.4rc2 released ---
> +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
> +index 8f674a2..41d1385 100644
> +--- a/lib/dns/resolver.c
> ++++ b/lib/dns/resolver.c
> +@@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
> + 	unsigned int nlabels;
> + 	dns_fixedname_t fixed;
> + 	dns_name_t prefix;
> ++	int order;
> +
> + 	REQUIRE(rdataset != NULL);
> + 	REQUIRE(rdataset->type == dns_rdatatype_cname ||
> +@@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
> + 		tname = &cname.cname;
> + 		break;
> + 	case dns_rdatatype_dname:
> ++		if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
> ++		    dns_namereln_subdomain)
> ++		{
> ++			return (ISC_TRUE);
> ++		}
> + 		result = dns_rdata_tostruct(&rdata, &dname, NULL);
> + 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
> + 		dns_name_init(&prefix, NULL);
> + 		tname = dns_fixedname_initname(&fixed);
> +-		nlabels = dns_name_countlabels(qname) -
> +-			  dns_name_countlabels(rname);
> ++		nlabels = dns_name_countlabels(rname);
> + 		dns_name_split(qname, nlabels, &prefix, NULL);
> + 		result = dns_name_concatenate(&prefix, &dname.dname, tname,
> + 					      NULL);
> +-		if (result == DNS_R_NAMETOOLONG)
> ++		if (result == DNS_R_NAMETOOLONG) {
> ++			if (chainingp != NULL) {
> ++				*chainingp = ISC_TRUE;
> ++			}
> + 			return (ISC_TRUE);
> ++		}
> + 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
> + 		break;
> + 	default:
> +@@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) {
> + 		}
> + 		if ((ardataset->type == dns_rdatatype_cname ||
> + 		     ardataset->type == dns_rdatatype_dname) &&
> +-		     !is_answertarget_allowed(fctx, qname, aname, ardataset,
> ++		    type != ardataset->type &&
> ++		    type != dns_rdatatype_any &&
> ++		    !is_answertarget_allowed(fctx, qname, aname, ardataset,
> + 					      NULL))
> + 		{
> + 			return (DNS_R_SERVFAIL);
> diff --git a/meta/recipes-connectivity/bind/bind_9.11.4.bb b/meta/recipes-connectivity/bind/bind_9.11.4.bb
> index d27068c..23c3aad 100644
> --- a/meta/recipes-connectivity/bind/bind_9.11.4.bb
> +++ b/meta/recipes-connectivity/bind/bind_9.11.4.bb
> @@ -19,6 +19,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
>              file://0001-lib-dns-gen.c-fix-too-long-error.patch \
>              file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
>              file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
> +           file://CVE-2018-5740.patch \
>   "
>   
>   SRC_URI[md5sum] = "9b4834d78f30cdb796ce437262272a36"

-- 
BRs

Sandy(Li Changqing)
Wind River Linux



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2018-09-11  1:29 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-09-11  1:23 [PATCH V2] bind: patch for CVE-2018-5740 changqing.li
2018-09-11  1:29 ` Changqing Li

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.