diff options
author | Yi Zhao <yi.zhao@windriver.com> | 2017-04-13 13:48:12 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-04-28 11:26:07 +0100 |
commit | c06f3a5993c7d63d91840c2a4d5b621e946ef78f (patch) | |
tree | 80e55372aeb8214675047c1fcae518cb98b218bf | |
parent | 83d55bcc63510d3704078f19c255c524d8fffc39 (diff) | |
download | openembedded-core-c06f3a5993c7d63d91840c2a4d5b621e946ef78f.tar.gz openembedded-core-c06f3a5993c7d63d91840c2a4d5b621e946ef78f.tar.bz2 openembedded-core-c06f3a5993c7d63d91840c2a4d5b621e946ef78f.zip |
bind: Security fix CVE-2016-8864
CVE-2016-8864: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before
9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause
a denial of service (assertion failure and daemon exit) via a DNAME
record in the answer section of a response to a recursive query,
related to db.c and resolver.c.
External References:
https://nvd.nist.gov/vuln/detail/CVE-2016-8864
Patch from:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch | 219 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 |
2 files changed, 220 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch new file mode 100644 index 0000000000..b52d6800ff --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch @@ -0,0 +1,219 @@ +From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Fri, 21 Oct 2016 14:55:10 +1100 +Subject: [PATCH] 4489. [security] It was possible to trigger assertions when + processing a response. (CVE-2016-8864) [RT #43465] + +(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca) + +Upstream-Status: Backport +[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8] + +CVE: CVE-2016-8864 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + CHANGES | 3 +++ + lib/dns/resolver.c | 69 +++++++++++++++++++++++++++++++++++++----------------- + 2 files changed, 50 insertions(+), 22 deletions(-) + +diff --git a/CHANGES b/CHANGES +index 5c8c61a..41cfce5 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -1,3 +1,6 @@ ++4489. [security] It was possible to trigger assertions when processing ++ a response. (CVE-2016-8864) [RT #43465] ++ + 4467. [security] It was possible to trigger an assertion when + rendering a message. (CVE-2016-2776) [RT #43139] + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index ba1ae23..13c8b44 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, + valarg->addrinfo = addrinfo; + + if (!ISC_LIST_EMPTY(fctx->validators)) +- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0); ++ valoptions |= DNS_VALIDATOR_DEFER; ++ else ++ valoptions &= ~DNS_VALIDATOR_DEFER; + + result = dns_validator_create(fctx->res->view, name, type, rdataset, + sigrdataset, fctx->rmessage, +@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, + rdataset, + sigrdataset, + valoptions, task); +- /* +- * Defer any further validations. +- * This prevents multiple validators +- * from manipulating fctx->rmessage +- * simultaneously. +- */ +- valoptions |= DNS_VALIDATOR_DEFER; + } + } else if (CHAINING(rdataset)) { + if (rdataset->type == dns_rdatatype_cname) +@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, + eresult == DNS_R_NCACHENXRRSET); + } + event->result = eresult; ++ if (adbp != NULL && *adbp != NULL) { ++ if (anodep != NULL && *anodep != NULL) ++ dns_db_detachnode(*adbp, anodep); ++ dns_db_detach(adbp); ++ } + dns_db_attach(fctx->cache, adbp); + dns_db_transfernode(fctx->cache, &node, anodep); + clone_results(fctx); +@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, + fctx->attributes |= FCTX_ATTR_HAVEANSWER; + if (event != NULL) { + event->result = eresult; ++ if (adbp != NULL && *adbp != NULL) { ++ if (anodep != NULL && *anodep != NULL) ++ dns_db_detachnode(*adbp, anodep); ++ dns_db_detach(adbp); ++ } + dns_db_attach(fctx->cache, adbp); + dns_db_transfernode(fctx->cache, &node, anodep); + clone_results(fctx); +@@ -6718,13 +6723,15 @@ static isc_result_t + answer_response(fetchctx_t *fctx) { + isc_result_t result; + dns_message_t *message; +- dns_name_t *name, *dname, *qname, tname, *ns_name; ++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name; ++ dns_name_t *cname = NULL; + dns_rdataset_t *rdataset, *ns_rdataset; + isc_boolean_t done, external, chaining, aa, found, want_chaining; +- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; ++ isc_boolean_t have_answer, found_cname, found_dname, found_type; ++ isc_boolean_t wanted_chaining; + unsigned int aflag; + dns_rdatatype_t type; +- dns_fixedname_t fdname, fqname; ++ dns_fixedname_t fdname, fqname, fqdname; + dns_view_t *view; + + FCTXTRACE("answer_response"); +@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) { + + done = ISC_FALSE; + found_cname = ISC_FALSE; ++ found_dname = ISC_FALSE; + found_type = ISC_FALSE; + chaining = ISC_FALSE; + have_answer = ISC_FALSE; +@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) { + aa = ISC_TRUE; + else + aa = ISC_FALSE; +- qname = &fctx->name; ++ dqname = qname = &fctx->name; + type = fctx->type; + view = fctx->res->view; ++ dns_fixedname_init(&fqdname); + result = dns_message_firstname(message, DNS_SECTION_ANSWER); + while (!done && result == ISC_R_SUCCESS) { +- dns_namereln_t namereln; ++ dns_namereln_t namereln, dnamereln; + int order; + unsigned int nlabels; + +@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) { + dns_message_currentname(message, DNS_SECTION_ANSWER, &name); + external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); + namereln = dns_name_fullcompare(qname, name, &order, &nlabels); ++ dnamereln = dns_name_fullcompare(dqname, name, &order, ++ &nlabels); + if (namereln == dns_namereln_equal) { + wanted_chaining = ISC_FALSE; + for (rdataset = ISC_LIST_HEAD(name->list); +@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) { + } + } else if (rdataset->type == dns_rdatatype_rrsig + && rdataset->covers == +- dns_rdatatype_cname ++ dns_rdatatype_cname + && !found_type) { + /* + * We're looking for something else, +@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) { + * a CNAME or DNAME). + */ + INSIST(!external); +- if (aflag == +- DNS_RDATASETATTR_ANSWER) { ++ if ((rdataset->type != ++ dns_rdatatype_cname) || ++ !found_dname || ++ (aflag == ++ DNS_RDATASETATTR_ANSWER)) ++ { + have_answer = ISC_TRUE; ++ if (rdataset->type == ++ dns_rdatatype_cname) ++ cname = name; + name->attributes |= +- DNS_NAMEATTR_ANSWER; ++ DNS_NAMEATTR_ANSWER; + } + rdataset->attributes |= aflag; + if (aa) +@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) { + return (DNS_R_FORMERR); + } + +- if (namereln != dns_namereln_subdomain) { ++ if (dnamereln != dns_namereln_subdomain) { + char qbuf[DNS_NAME_FORMATSIZE]; + char obuf[DNS_NAME_FORMATSIZE]; + +- dns_name_format(qname, qbuf, ++ dns_name_format(dqname, qbuf, + sizeof(qbuf)); + dns_name_format(name, obuf, + sizeof(obuf)); +@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) { + want_chaining = ISC_TRUE; + POST(want_chaining); + aflag = DNS_RDATASETATTR_ANSWER; +- result = dname_target(rdataset, qname, ++ result = dname_target(rdataset, dqname, + nlabels, &fdname); + if (result == ISC_R_NOSPACE) { + /* +@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) { + + dname = dns_fixedname_name(&fdname); + if (!is_answertarget_allowed(view, +- qname, rdataset->type, +- dname, &fctx->domain)) { ++ dqname, rdataset->type, ++ dname, &fctx->domain)) ++ { + return (DNS_R_SERVFAIL); + } ++ dqname = dns_fixedname_name(&fqdname); ++ dns_name_copy(dname, dqname, NULL); + } else { + /* + * We've found a signature that +@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) { + INSIST(!external); + if (aflag == DNS_RDATASETATTR_ANSWER) { + have_answer = ISC_TRUE; ++ found_dname = ISC_TRUE; ++ if (cname != NULL) ++ cname->attributes &= ++ ~DNS_NAMEATTR_ANSWER; + name->attributes |= + DNS_NAMEATTR_ANSWER; + } +-- +2.7.4 + diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb index 4e2e856b72..fa45809980 100644 --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb @@ -27,6 +27,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2016-2088.patch \ file://CVE-2016-2775.patch \ file://CVE-2016-2776.patch \ + file://CVE-2016-8864.patch \ " SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a" |