diff options
author | Armin Kuster <akuster808@gmail.com> | 2016-10-02 17:49:24 -0700 |
---|---|---|
committer | Robert Yang <liezhi.yang@windriver.com> | 2016-12-06 05:19:39 -0800 |
commit | 54bf7379036eec6d6c4399aa374f898ba3464996 (patch) | |
tree | 187e704c90900888a12981a9c9e0818b63fd641b | |
parent | c0a682cfeedfc8976324a3bba863f1d9b0127d76 (diff) | |
download | openembedded-core-54bf7379036eec6d6c4399aa374f898ba3464996.tar.gz openembedded-core-54bf7379036eec6d6c4399aa374f898ba3464996.tar.bz2 openembedded-core-54bf7379036eec6d6c4399aa374f898ba3464996.zip |
bind: Security fix CVE-2016-2775
affect bind < 9.10.4-p2
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch | 84 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind_9.10.2-P4.bb | 1 |
2 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch new file mode 100644 index 0000000000..5d4d9126bf --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch @@ -0,0 +1,84 @@ +From 390c5183af79861fcf07a44014912788744e85de Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Thu, 7 Jul 2016 12:52:47 +1000 +Subject: [PATCH] 4406. [bug] getrrsetbyname with a non absolute + name could trigger a infinite recursion bug in lwresd + and named with lwres configured if when combined + with a search list entry the resulting name is + too long. [RT #42694] + +(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232) + +Upstream-Status: Backport +CVE: CVE-2016-2775 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + CHANGES | 6 ++++++ + bin/named/lwdgrbn.c | 16 ++++++++++------ + bin/tests/system/lwresd/lwtest.c | 8 ++++++++ + 3 files changed, 24 insertions(+), 6 deletions(-) + +Index: bind-9.10.2-P4/bin/named/lwdgrbn.c +=================================================================== +--- bind-9.10.2-P4.orig/bin/named/lwdgrbn.c ++++ bind-9.10.2-P4/bin/named/lwdgrbn.c +@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) { + INSIST(client->lookup == NULL); + + dns_fixedname_init(&absname); +- result = ns_lwsearchctx_current(&client->searchctx, +- dns_fixedname_name(&absname)); ++ + /* +- * This will return failure if relative name + suffix is too long. +- * In this case, just go on to the next entry in the search path. ++ * Perform search across all search domains until success ++ * is returned. Return in case of failure. + */ +- if (result != ISC_R_SUCCESS) +- start_lookup(client); ++ while (ns_lwsearchctx_current(&client->searchctx, ++ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) { ++ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) { ++ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); ++ return; ++ } ++ } + + result = dns_lookup_create(cm->mctx, + dns_fixedname_name(&absname), +Index: bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c +=================================================================== +--- bind-9.10.2-P4.orig/bin/tests/system/lwresd/lwtest.c ++++ bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c +@@ -768,6 +768,14 @@ main(void) { + test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); + test_getrrsetbyname("", 1, 1, 0, 0, 0); + ++ test_getrrsetbyname("123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789", 1, 1, 0, 0, 0); ++ + if (fails == 0) + printf("I:ok\n"); + return (fails); +Index: bind-9.10.2-P4/CHANGES +=================================================================== +--- bind-9.10.2-P4.orig/CHANGES ++++ bind-9.10.2-P4/CHANGES +@@ -1,3 +1,9 @@ ++4406. [bug] getrrsetbyname with a non absolute name could ++ trigger a infinite recursion bug in lwresd ++ and named with lwres configured if when combined ++ with a search list entry the resulting name is ++ too long. [RT #42694] ++ + 4322. [security] Duplicate EDNS COOKIE options in a response could + trigger an assertion failure. (CVE-2016-2088) + [RT #41809] diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb index 0dfa314f7a..80c7b44127 100644 --- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb +++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb @@ -29,6 +29,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2016-1286_1.patch \ file://CVE-2016-1286_2.patch \ file://CVE-2016-2088.patch \ + file://CVE-2016-2775.patch \ " SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7" |