diff options
13 files changed, 61 insertions, 2443 deletions
diff --git a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch index 805cbb3315..1e23c0f56b 100644 --- a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch +++ b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch @@ -7,15 +7,19 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> Update context for version 9.10.3-P2. Signed-off-by: Kai Kang <kai.kang@windriver.com> + +Update context for version 9.10.5-P3. + +Signed-off-by: Kai Kang <kai.kang@windriver.com> --- configure.in | 23 +++-------------------- 1 file changed, 3 insertions(+), 20 deletions(-) diff --git a/configure.in b/configure.in -index 0db826d..75819eb 100644 +index 4da73a4..6f2a754 100644 --- a/configure.in +++ b/configure.in -@@ -2107,26 +2107,9 @@ case "$use_libxml2" in +@@ -2282,26 +2282,9 @@ case "$use_libxml2" in DST_LIBXML2_INC="" ;; auto|yes) @@ -25,7 +29,7 @@ index 0db826d..75819eb 100644 - libxml2_cflags=`xml2-config --cflags` - ;; - *) -- if test "$use_libxml2" = "yes" ; then +- if test "yes" = "$use_libxml2" ; then - AC_MSG_RESULT(no) - AC_MSG_ERROR(required libxml2 version not available) - else diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch deleted file mode 100644 index 2149bd180d..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch +++ /dev/null @@ -1,154 +0,0 @@ -From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Thu, 18 Feb 2016 12:11:27 +1100 -Subject: [PATCH] 4318. [security] Malformed control messages can - trigger assertions in named and rndc. (CVE-2016-1285) - [RT #41666] - -(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e) - -CVE: CVE-2016-1285 -Upstream-Status: Backport -[Removed doc/arm/notes.xml changes from upstream patch] - -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - CHANGES | 3 +++ - bin/named/control.c | 2 +- - bin/named/controlconf.c | 2 +- - bin/rndc/rndc.c | 8 ++++---- - doc/arm/notes.xml | 11 +++++++++++ - lib/isccc/cc.c | 14 +++++++------- - 6 files changed, 27 insertions(+), 13 deletions(-) - -diff --git a/CHANGES b/CHANGES -index b9bd9ef..2c727d5 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,6 @@ -+4318. [security] Malformed control messages can trigger assertions -+ in named and rndc. (CVE-2016-1285) [RT #41666] -+ - --- 9.10.3-P3 released --- - - 4288. [bug] Fixed a regression in resolver.c:possibly_mark() -diff --git a/bin/named/control.c b/bin/named/control.c -index 8554335..81340ca 100644 ---- a/bin/named/control.c -+++ b/bin/named/control.c -@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { - #endif - - data = isccc_alist_lookup(message, "_data"); -- if (data == NULL) { -+ if (!isccc_alist_alistp(data)) { - /* - * No data section. - */ -diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c -index 765afdd..a39ab8b 100644 ---- a/bin/named/controlconf.c -+++ b/bin/named/controlconf.c -@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { - * Limit exposure to replay attacks. - */ - _ctrl = isccc_alist_lookup(request, "_ctrl"); -- if (_ctrl == NULL) { -+ if (!isccc_alist_alistp(_ctrl)) { - log_invalid(&conn->ccmsg, ISC_R_FAILURE); - goto cleanup_request; - } -diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c -index cb17050..b6e05c8 100644 ---- a/bin/rndc/rndc.c -+++ b/bin/rndc/rndc.c -@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { - isccc_cc_fromwire(&source, &response, algorithm, &secret)); - - data = isccc_alist_lookup(response, "_data"); -- if (data == NULL) -- fatal("no data section in response"); -+ if (!isccc_alist_alistp(data)) -+ fatal("bad or missing data section in response"); - result = isccc_cc_lookupstring(data, "err", &errormsg); - if (result == ISC_R_SUCCESS) { - failed = ISC_TRUE; -@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { - isccc_cc_fromwire(&source, &response, algorithm, &secret)); - - _ctrl = isccc_alist_lookup(response, "_ctrl"); -- if (_ctrl == NULL) -- fatal("_ctrl section missing"); -+ if (!isccc_alist_alistp(_ctrl)) -+ fatal("bad or missing ctrl section in response"); - nonce = 0; - if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) - nonce = 0; -diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c -index 47a3b74..2bb961e 100644 ---- a/lib/isccc/cc.c -+++ b/lib/isccc/cc.c -@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, - * Extract digest. - */ - _auth = isccc_alist_lookup(alist, "_auth"); -- if (_auth == NULL) -+ if (!isccc_alist_alistp(_auth)) - return (ISC_R_FAILURE); - if (algorithm == ISCCC_ALG_HMACMD5) - hmac = isccc_alist_lookup(_auth, "hmd5"); - else - hmac = isccc_alist_lookup(_auth, "hsha"); -- if (hmac == NULL) -+ if (!isccc_sexpr_binaryp(hmac)) - return (ISC_R_FAILURE); - /* - * Compute digest. -@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, - REQUIRE(ackp != NULL && *ackp == NULL); - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL || -+ if (!isccc_alist_alistp(_ctrl) || - isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || - isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message) - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL) -+ if (!isccc_alist_alistp(_ctrl)) - return (ISC_FALSE); - if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) - return (ISC_TRUE); -@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL) -+ if (!isccc_alist_alistp(_ctrl)) - return (ISC_FALSE); - if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) - return (ISC_TRUE); -@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, - - _ctrl = isccc_alist_lookup(message, "_ctrl"); - _data = isccc_alist_lookup(message, "_data"); -- if (_ctrl == NULL || _data == NULL || -+ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || - isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || - isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL || -+ if (!isccc_alist_alistp(_ctrl) || - isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || - isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); --- -1.9.1 - diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch deleted file mode 100644 index ae5cc48d9c..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch +++ /dev/null @@ -1,79 +0,0 @@ -From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001 -From: Mukund Sivaraman <muks@isc.org> -Date: Mon, 22 Feb 2016 12:22:43 +0530 -Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling - (CVE-2016-1286) (#41753) - -(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673) - -CVE: CVE-2016-1286 -Upstream-Status: Backport - -[Removed doc/arm/notes.xml changes from upstream patch.] - -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- -diff -ruN a/CHANGES b/CHANGES ---- a/CHANGES 2016-04-13 07:28:44.940873629 +0200 -+++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200 -@@ -1,3 +1,7 @@ -+4319. [security] Fix resolver assertion failure due to improper -+ DNAME handling when parsing fetch reply messages. -+ (CVE-2016-1286) [RT #41753] -+ - 4318. [security] Malformed control messages can trigger assertions - in named and rndc. (CVE-2016-1285) [RT #41666] - -diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c ---- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200 -+++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200 -@@ -6967,21 +6967,26 @@ - isc_boolean_t found_dname = ISC_FALSE; - dns_name_t *dname_name; - -+ /* -+ * Only pass DNAME or RRSIG(DNAME). -+ */ -+ if (rdataset->type != dns_rdatatype_dname && -+ (rdataset->type != dns_rdatatype_rrsig || -+ rdataset->covers != dns_rdatatype_dname)) -+ continue; -+ -+ /* -+ * If we're not chaining, then the DNAME and -+ * its signature should not be external. -+ */ -+ if (!chaining && external) { -+ log_formerr(fctx, "external DNAME"); -+ return (DNS_R_FORMERR); -+ } -+ - found = ISC_FALSE; - aflag = 0; - if (rdataset->type == dns_rdatatype_dname) { -- /* -- * We're looking for something else, -- * but we found a DNAME. -- * -- * If we're not chaining, then the -- * DNAME should not be external. -- */ -- if (!chaining && external) { -- log_formerr(fctx, -- "external DNAME"); -- return (DNS_R_FORMERR); -- } - found = ISC_TRUE; - want_chaining = ISC_TRUE; - POST(want_chaining); -@@ -7010,9 +7015,7 @@ - &fctx->domain)) { - return (DNS_R_SERVFAIL); - } -- } else if (rdataset->type == dns_rdatatype_rrsig -- && rdataset->covers == -- dns_rdatatype_dname) { -+ } else { - /* - * We've found a signature that - * covers the DNAME. diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch deleted file mode 100644 index 5f5cb0d340..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch +++ /dev/null @@ -1,317 +0,0 @@ -From 7602be276a73a6eb5431c5acd9718e68a55e8b61 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Mon, 29 Feb 2016 07:16:48 +1100 -Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion - failure due to improper DNAME handling when parsing - fetch reply messages. (CVE-2016-1286) [RT #41753] - -CVE: CVE-2016-1286 -Upstream-Status: Backport - -(cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374) -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - lib/dns/resolver.c | 192 ++++++++++++++++++++++++++--------------------------- - 1 file changed, 93 insertions(+), 99 deletions(-) - -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index 70aba87..41e9df4 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -6074,14 +6074,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { - } - - static inline isc_result_t --dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, -- dns_name_t *oname, dns_fixedname_t *fixeddname) -+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, -+ unsigned int nlabels, dns_fixedname_t *fixeddname) - { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; -- unsigned int nlabels; -- int order; -- dns_namereln_t namereln; - dns_rdata_dname_t dname; - dns_fixedname_t prefix; - -@@ -6096,21 +6093,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, - if (result != ISC_R_SUCCESS) - return (result); - -- /* -- * Get the prefix of qname. -- */ -- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); -- if (namereln != dns_namereln_subdomain) { -- char qbuf[DNS_NAME_FORMATSIZE]; -- char obuf[DNS_NAME_FORMATSIZE]; -- -- dns_rdata_freestruct(&dname); -- dns_name_format(qname, qbuf, sizeof(qbuf)); -- dns_name_format(oname, obuf, sizeof(obuf)); -- log_formerr(fctx, "unrelated DNAME in answer: " -- "%s is not in %s", qbuf, obuf); -- return (DNS_R_FORMERR); -- } - dns_fixedname_init(&prefix); - dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); - dns_fixedname_init(fixeddname); -@@ -6736,13 +6718,13 @@ static isc_result_t - answer_response(fetchctx_t *fctx) { - isc_result_t result; - dns_message_t *message; -- dns_name_t *name, *qname, tname, *ns_name; -+ dns_name_t *name, *dname, *qname, tname, *ns_name; - dns_rdataset_t *rdataset, *ns_rdataset; - isc_boolean_t done, external, chaining, aa, found, want_chaining; - isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; - unsigned int aflag; - dns_rdatatype_t type; -- dns_fixedname_t dname, fqname; -+ dns_fixedname_t fdname, fqname; - dns_view_t *view; - - FCTXTRACE("answer_response"); -@@ -6770,10 +6752,15 @@ answer_response(fetchctx_t *fctx) { - view = fctx->res->view; - result = dns_message_firstname(message, DNS_SECTION_ANSWER); - while (!done && result == ISC_R_SUCCESS) { -+ dns_namereln_t namereln; -+ int order; -+ unsigned int nlabels; -+ - name = NULL; - dns_message_currentname(message, DNS_SECTION_ANSWER, &name); - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); -- if (dns_name_equal(name, qname)) { -+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels); -+ if (namereln == dns_namereln_equal) { - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; -@@ -6898,10 +6885,11 @@ answer_response(fetchctx_t *fctx) { - */ - INSIST(!external); - if (aflag == -- DNS_RDATASETATTR_ANSWER) -+ DNS_RDATASETATTR_ANSWER) { - have_answer = ISC_TRUE; -- name->attributes |= -- DNS_NAMEATTR_ANSWER; -+ name->attributes |= -+ DNS_NAMEATTR_ANSWER; -+ } - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = -@@ -6956,6 +6944,8 @@ answer_response(fetchctx_t *fctx) { - if (wanted_chaining) - chaining = ISC_TRUE; - } else { -+ dns_rdataset_t *dnameset = NULL; -+ - /* - * Look for a DNAME (or its SIG). Anything else is - * ignored. -@@ -6963,10 +6953,8 @@ answer_response(fetchctx_t *fctx) { - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; -- rdataset = ISC_LIST_NEXT(rdataset, link)) { -- isc_boolean_t found_dname = ISC_FALSE; -- dns_name_t *dname_name; -- -+ rdataset = ISC_LIST_NEXT(rdataset, link)) -+ { - /* - * Only pass DNAME or RRSIG(DNAME). - */ -@@ -6980,20 +6968,41 @@ answer_response(fetchctx_t *fctx) { - * its signature should not be external. - */ - if (!chaining && external) { -- log_formerr(fctx, "external DNAME"); -+ char qbuf[DNS_NAME_FORMATSIZE]; -+ char obuf[DNS_NAME_FORMATSIZE]; -+ -+ dns_name_format(name, qbuf, -+ sizeof(qbuf)); -+ dns_name_format(&fctx->domain, obuf, -+ sizeof(obuf)); -+ log_formerr(fctx, "external DNAME or " -+ "RRSIG covering DNAME " -+ "in answer: %s is " -+ "not in %s", qbuf, obuf); -+ return (DNS_R_FORMERR); -+ } -+ -+ if (namereln != dns_namereln_subdomain) { -+ char qbuf[DNS_NAME_FORMATSIZE]; -+ char obuf[DNS_NAME_FORMATSIZE]; -+ -+ dns_name_format(qname, qbuf, -+ sizeof(qbuf)); -+ dns_name_format(name, obuf, -+ sizeof(obuf)); -+ log_formerr(fctx, "unrelated DNAME " -+ "in answer: %s is " -+ "not in %s", qbuf, obuf); - return (DNS_R_FORMERR); - } - -- found = ISC_FALSE; - aflag = 0; - if (rdataset->type == dns_rdatatype_dname) { -- found = ISC_TRUE; - want_chaining = ISC_TRUE; - POST(want_chaining); - aflag = DNS_RDATASETATTR_ANSWER; -- result = dname_target(fctx, rdataset, -- qname, name, -- &dname); -+ result = dname_target(rdataset, qname, -+ nlabels, &fdname); - if (result == ISC_R_NOSPACE) { - /* - * We can't construct the -@@ -7005,14 +7014,12 @@ answer_response(fetchctx_t *fctx) { - } else if (result != ISC_R_SUCCESS) - return (result); - else -- found_dname = ISC_TRUE; -+ dnameset = rdataset; - -- dname_name = dns_fixedname_name(&dname); -+ dname = dns_fixedname_name(&fdname); - if (!is_answertarget_allowed(view, -- qname, -- rdataset->type, -- dname_name, -- &fctx->domain)) { -+ qname, rdataset->type, -+ dname, &fctx->domain)) { - return (DNS_R_SERVFAIL); - } - } else { -@@ -7020,73 +7027,60 @@ answer_response(fetchctx_t *fctx) { - * We've found a signature that - * covers the DNAME. - */ -- found = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWERSIG; - } - -- if (found) { -+ /* -+ * We've found an answer to our -+ * question. -+ */ -+ name->attributes |= DNS_NAMEATTR_CACHE; -+ rdataset->attributes |= DNS_RDATASETATTR_CACHE; -+ rdataset->trust = dns_trust_answer; -+ if (!chaining) { - /* -- * We've found an answer to our -- * question. -+ * This data is "the" answer to -+ * our question only if we're -+ * not chaining. - */ -- name->attributes |= -- DNS_NAMEATTR_CACHE; -- rdataset->attributes |= -- DNS_RDATASETATTR_CACHE; -- rdataset->trust = dns_trust_answer; -- if (!chaining) { -- /* -- * This data is "the" answer -- * to our question only if -- * we're not chaining. -- */ -- INSIST(!external); -- if (aflag == -- DNS_RDATASETATTR_ANSWER) -- have_answer = ISC_TRUE; -+ INSIST(!external); -+ if (aflag == DNS_RDATASETATTR_ANSWER) { -+ have_answer = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_ANSWER; -- rdataset->attributes |= aflag; -- if (aa) -- rdataset->trust = -- dns_trust_authanswer; -- } else if (external) { -- rdataset->attributes |= -- DNS_RDATASETATTR_EXTERNAL; -- } -- -- /* -- * DNAME chaining. -- */ -- if (found_dname) { -- /* -- * Copy the dname into the -- * qname fixed name. -- * -- * Although we check for -- * failure of the copy -- * operation, in practice it -- * should never fail since -- * we already know that the -- * result fits in a fixedname. -- */ -- dns_fixedname_init(&fqname); -- result = dns_name_copy( -- dns_fixedname_name(&dname), -- dns_fixedname_name(&fqname), -- NULL); -- if (result != ISC_R_SUCCESS) -- return (result); -- wanted_chaining = ISC_TRUE; -- name->attributes |= -- DNS_NAMEATTR_CHAINING; -- rdataset->attributes |= -- DNS_RDATASETATTR_CHAINING; -- qname = dns_fixedname_name( -- &fqname); - } -+ rdataset->attributes |= aflag; -+ if (aa) -+ rdataset->trust = -+ dns_trust_authanswer; -+ } else if (external) { -+ rdataset->attributes |= -+ DNS_RDATASETATTR_EXTERNAL; - } - } -+ -+ /* -+ * DNAME chaining. -+ */ -+ if (dnameset != NULL) { -+ /* -+ * Copy the dname into the qname fixed name. -+ * -+ * Although we check for failure of the copy -+ * operation, in practice it should never fail -+ * since we already know that the result fits -+ * in a fixedname. -+ */ -+ dns_fixedname_init(&fqname); -+ qname = dns_fixedname_name(&fqname); -+ result = dns_name_copy(dname, qname, NULL); -+ if (result != ISC_R_SUCCESS) -+ return (result); -+ wanted_chaining = ISC_TRUE; -+ name->attributes |= DNS_NAMEATTR_CHAINING; -+ dnameset->attributes |= -+ DNS_RDATASETATTR_CHAINING; -+ } - if (wanted_chaining) - chaining = ISC_TRUE; - } --- -1.9.1 - diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch deleted file mode 100644 index 1b84d46b78..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch +++ /dev/null @@ -1,247 +0,0 @@ -CVE-2016-2088 - -Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the -v9_10_3_patch branch. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088 -https://kb.isc.org/article/AA-01351 - -CVE: CVE-2016-2088 -Upstream-Status: Backport -Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> - - -Original commit message from Mark Andrews <marka@isc.org> below: - -4322. [security] Duplicate EDNS COOKIE options in a response could - trigger an assertion failure. (CVE-2016-2088) - [RT #41809] - -(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029) -(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3) ---- - CHANGES | 4 ++++ - bin/dig/dighost.c | 9 +++++++++ - bin/named/client.c | 33 +++++++++++++++++++++++---------- - doc/arm/notes.xml | 7 +++++++ - lib/dns/resolver.c | 14 +++++++++++++- - 5 files changed, 56 insertions(+), 11 deletions(-) - -diff --git a/CHANGES b/CHANGES -index c5b5d2b..d2e3360 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,7 @@ -+4322. [security] Duplicate EDNS COOKIE options in a response could -+ trigger an assertion failure. (CVE-2016-2088) -+ [RT #41809] -+ - 4319. [security] Fix resolver assertion failure due to improper - DNAME handling when parsing fetch reply messages. - (CVE-2016-1286) [RT #41753] -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index ca82f8e..340904f 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c -@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) { - isc_buffer_t optbuf; - isc_uint16_t optcode, optlen; - dns_rdataset_t *opt = msg->opt; -+ isc_boolean_t seen_cookie = ISC_FALSE; - - result = dns_rdataset_first(opt); - if (result == ISC_R_SUCCESS) { -@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) { - optlen = isc_buffer_getuint16(&optbuf); - switch (optcode) { - case DNS_OPT_COOKIE: -+ /* -+ * Only process the first cookie option. -+ */ -+ if (seen_cookie) { -+ isc_buffer_forward(&optbuf, optlen); -+ break; -+ } - process_sit(l, msg, &optbuf, optlen); -+ seen_cookie = ISC_TRUE; - break; - default: - isc_buffer_forward(&optbuf, optlen); -diff --git a/bin/named/client.c b/bin/named/client.c -index 683305c..0d7331a 100644 ---- a/bin/named/client.c -+++ b/bin/named/client.c -@@ -120,7 +120,10 @@ - */ - #endif - --#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */ -+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */ -+ -+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0) -+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0) - - /*% nameserver client manager structure */ - struct ns_clientmgr { -@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, - { - char nsid[BUFSIZ], *nsidp; - #ifdef ISC_PLATFORM_USESIT -- unsigned char sit[SIT_SIZE]; -+ unsigned char sit[COOKIE_SIZE]; - #endif - isc_result_t result; - dns_view_t *view; -@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, - flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE; - - /* Set EDNS options if applicable */ -- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 && -+ if (WANTNSID(client) && - (ns_g_server->server_id != NULL || - ns_g_server->server_usehostname)) { - if (ns_g_server->server_usehostname) { -@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, - - INSIST(count < DNS_EDNSOPTIONS); - ednsopts[count].code = DNS_OPT_COOKIE; -- ednsopts[count].length = SIT_SIZE; -+ ednsopts[count].length = COOKIE_SIZE; - ednsopts[count].value = sit; - count++; - } -@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce, - - static void - process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { -- unsigned char dbuf[SIT_SIZE]; -+ unsigned char dbuf[COOKIE_SIZE]; - unsigned char *old; - isc_stdtime_t now; - isc_uint32_t when; - isc_uint32_t nonce; - isc_buffer_t db; - -+ /* -+ * If we have already seen a ECS option skip this ECS option. -+ */ -+ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) { -+ isc_buffer_forward(buf, optlen); -+ return; -+ } - client->attributes |= NS_CLIENTATTR_WANTSIT; - - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_sitopt); - -- if (optlen != SIT_SIZE) { -+ if (optlen != COOKIE_SIZE) { - /* - * Not our token. - */ -@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { - isc_buffer_init(&db, dbuf, sizeof(dbuf)); - compute_sit(client, when, nonce, &db); - -- if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) { -+ if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) { - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_sitnomatch); - return; - } - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_sitmatch); -- - client->attributes |= NS_CLIENTATTR_HAVESIT; - } - #endif -@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { - optlen = isc_buffer_getuint16(&optbuf); - switch (optcode) { - case DNS_OPT_NSID: -- isc_stats_increment(ns_g_server->nsstats, -+ if (!WANTNSID(client)) -+ isc_stats_increment( -+ ns_g_server->nsstats, - dns_nsstatscounter_nsidopt); - client->attributes |= NS_CLIENTATTR_WANTNSID; - isc_buffer_forward(&optbuf, optlen); -@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { - break; - #endif - case DNS_OPT_EXPIRE: -- isc_stats_increment(ns_g_server->nsstats, -+ if (!WANTEXPIRE(client)) -+ isc_stats_increment( -+ ns_g_server->nsstats, - dns_nsstatscounter_expireopt); - client->attributes |= NS_CLIENTATTR_WANTEXPIRE; - isc_buffer_forward(&optbuf, optlen); -diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index ebf4f55..095eb5b 100644 ---- a/doc/arm/notes.xml -+++ b/doc/arm/notes.xml -@@ -51,6 +51,13 @@ - <title>Security Fixes</title> - <itemizedlist> - <listitem> -+ <para> -+ Duplicate EDNS COOKIE options in a response could trigger -+ an assertion failure. This flaw is disclosed in CVE-2016-2088. -+ [RT #41809] -+ </para> -+ </listitem> -+ <listitem> - <para> - Specific APL data could trigger an INSIST. This flaw - was discovered by Brian Mitchell and is disclosed in -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index a797e3f..ba1ae23 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { - unsigned char *sit; - dns_adbaddrinfo_t *addrinfo; - unsigned char cookie[8]; -+ isc_boolean_t seen_cookie = ISC_FALSE; - #endif -+ isc_boolean_t seen_nsid = ISC_FALSE; - - result = dns_rdataset_first(opt); - if (result == ISC_R_SUCCESS) { -@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { - INSIST(optlen <= isc_buffer_remaininglength(&optbuf)); - switch (optcode) { - case DNS_OPT_NSID: -- if (query->options & DNS_FETCHOPT_WANTNSID) -+ if (!seen_nsid && -+ query->options & DNS_FETCHOPT_WANTNSID) - log_nsid(&optbuf, optlen, query, - ISC_LOG_DEBUG(3), - query->fctx->res->mctx); - isc_buffer_forward(&optbuf, optlen); -+ seen_nsid = ISC_TRUE; - break; - #ifdef ISC_PLATFORM_USESIT - case DNS_OPT_COOKIE: -+ /* -+ * Only process the first cookie option. -+ */ -+ if (seen_cookie) { -+ isc_buffer_forward(&optbuf, optlen); -+ break; -+ } - sit = isc_buffer_current(&optbuf); - compute_cc(query, cookie, sizeof(cookie)); - INSIST(query->fctx->rmessage->sitbad == 0 && -@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { - isc_buffer_forward(&optbuf, optlen); - inc_stats(query->fctx->res, - dns_resstatscounter_sitin); -+ seen_cookie = ISC_TRUE; - break; - #endif - default: --- -2.1.4 - diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch deleted file mode 100644 index 5393063c56..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch +++ /dev/null @@ -1,90 +0,0 @@ -From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Wed, 12 Oct 2016 19:52:59 +0900 -Subject: [PATCH] -4406. [security] getrrsetbyname with a non absolute name could - trigger an infinite recursion bug in lwresd - and named with lwres configured if when combined - with a search list entry the resulting name is - too long. (CVE-2016-2775) [RT #42694] - -Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the -v9.11.0_patch branch. - -CVE: CVE-2016-2775 -Upstream-Status: Backport - -Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> - ---- - CHANGES | 6 ++++++ - bin/named/lwdgrbn.c | 16 ++++++++++------ - bin/tests/system/lwresd/lwtest.c | 9 ++++++++- - 3 files changed, 24 insertions(+), 7 deletions(-) - -diff --git a/CHANGES b/CHANGES -index d2e3360..d0a9d12 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,9 @@ -+4406. [security] getrrsetbyname with a non absolute name could -+ trigger an infinite recursion bug in lwresd -+ and named with lwres configured if when combined -+ with a search list entry the resulting name is -+ too long. (CVE-2016-2775) [RT #42694] -+ - 4322. [security] Duplicate EDNS COOKIE options in a response could - trigger an assertion failure. (CVE-2016-2088) - [RT #41809] -diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c -index 3e7b15b..e1e9adc 100644 ---- a/bin/named/lwdgrbn.c -+++ b/bin/named/lwdgrbn.c -@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) { - INSIST(client->lookup == NULL); - - dns_fixedname_init(&absname); -- result = ns_lwsearchctx_current(&client->searchctx, -- dns_fixedname_name(&absname)); -+ - /* -- * This will return failure if relative name + suffix is too long. -- * In this case, just go on to the next entry in the search path. -+ * Perform search across all search domains until success -+ * is returned. Return in case of failure. - */ -- if (result != ISC_R_SUCCESS) -- start_lookup(client); -+ while (ns_lwsearchctx_current(&client->searchctx, -+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) { -+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) { -+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); -+ return; -+ } -+ } - - result = dns_lookup_create(cm->mctx, - dns_fixedname_name(&absname), -diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c -index ad9b551..3eb4a66 100644 ---- a/bin/tests/system/lwresd/lwtest.c -+++ b/bin/tests/system/lwresd/lwtest.c -@@ -768,7 +768,14 @@ main(void) { - test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1); - test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); - test_getrrsetbyname("", 1, 1, 0, 0, 0); -- -+ test_getrrsetbyname("123456789.123456789.123456789.123456789." - |