From de1238a589ade1220d51cb4b9277cc17479f6f17 Mon Sep 17 00:00:00 2001 From: "Roy.Li" Date: Thu, 13 Jun 2013 13:51:51 +0800 Subject: bind: backport six CVE patches Signed-off-by: Roy.Li Signed-off-by: Saul Wold --- .../bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch | 119 +++++++++++++++++ .../bind/bind-9.8.1/bind-CVE-2011-4313.patch | 89 +++++++++++++ .../bind/bind-9.8.1/bind-CVE-2012-1667.patch | 92 ++++++++++++++ .../bind/bind-9.8.1/bind-CVE-2012-3817.patch | 40 ++++++ .../bind/bind-9.8.1/bind-CVE-2013-2266.patch | 41 ++++++ .../bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch | 141 +++++++++++++++++++++ meta/recipes-connectivity/bind/bind_9.8.1.bb | 6 + 7 files changed, 528 insertions(+) create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2011-4313.patch create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-1667.patch create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-3817.patch create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2013-2266.patch create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch (limited to 'meta') diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch new file mode 100644 index 0000000000..0abb475adc --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch @@ -0,0 +1,119 @@ +bind_Fix_for_CVE-2012-5166 + +Upstream-Status: Backport + +Reference:http://launchpadlibrarian.net/119212498/bind9_1%3A9.7.3.dfsOBg +-1ubuntu2.6_1%3A9.7.3.dfsg-1ubuntu2.7.diff.gz + +ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before +9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows +remote attackers to cause a denial of service (named daemon hang) +via unspecified combinations of resource records. + +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5166 + +Signed-off-by: yanjun.zhu +diff -urpN a/bin/named/query.c b/bin/named/query.c +--- a/bin/named/query.c 2012-10-22 13:24:27.000000000 +0800 ++++ b/bin/named/query.c 2012-10-22 13:17:04.000000000 +0800 +@@ -1137,13 +1137,6 @@ query_isduplicate(ns_client_t *client, d + mname = NULL; + } + +- /* +- * If the dns_name_t we're looking up is already in the message, +- * we don't want to trigger the caller's name replacement logic. +- */ +- if (name == mname) +- mname = NULL; +- + *mnamep = mname; + + CTRACE("query_isduplicate: false: done"); +@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_ + if (dns_rdataset_isassociated(rdataset) && + !query_isduplicate(client, fname, type, &mname)) { + if (mname != NULL) { ++ INSIST(mname != fname); + query_releasename(client, &fname); + fname = mname; + } else +@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_ + mname = NULL; + if (!query_isduplicate(client, fname, + dns_rdatatype_a, &mname)) { +- if (mname != NULL) { +- query_releasename(client, &fname); +- fname = mname; +- } else +- need_addname = ISC_TRUE; ++ if (mname != fname) { ++ if (mname != NULL) { ++ query_releasename(client, &fname); ++ fname = mname; ++ } else ++ need_addname = ISC_TRUE; ++ } + ISC_LIST_APPEND(fname->list, rdataset, link); + added_something = ISC_TRUE; + if (sigrdataset != NULL && +@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_ + mname = NULL; + if (!query_isduplicate(client, fname, + dns_rdatatype_aaaa, &mname)) { +- if (mname != NULL) { +- query_releasename(client, &fname); +- fname = mname; +- } else +- need_addname = ISC_TRUE; ++ if (mname != fname) { ++ if (mname != NULL) { ++ query_releasename(client, &fname); ++ fname = mname; ++ } else ++ need_addname = ISC_TRUE; ++ } + ISC_LIST_APPEND(fname->list, rdataset, link); + added_something = ISC_TRUE; + if (sigrdataset != NULL && +@@ -1960,22 +1958,24 @@ query_addadditional2(void *arg, dns_name + crdataset->type == dns_rdatatype_aaaa) { + if (!query_isduplicate(client, fname, crdataset->type, + &mname)) { +- if (mname != NULL) { +- /* +- * A different type of this name is +- * already stored in the additional +- * section. We'll reuse the name. +- * Note that this should happen at most +- * once. Otherwise, fname->link could +- * leak below. +- */ +- INSIST(mname0 == NULL); +- +- query_releasename(client, &fname); +- fname = mname; +- mname0 = mname; +- } else +- need_addname = ISC_TRUE; ++ if (mname != fname) { ++ if (mname != NULL) { ++ /* ++ * A different type of this name is ++ * already stored in the additional ++ * section. We'll reuse the name. ++ * Note that this should happen at most ++ * once. Otherwise, fname->link could ++ * leak below. ++ */ ++ INSIST(mname0 == NULL); ++ ++ query_releasename(client, &fname); ++ fname = mname; ++ mname0 = mname; ++ } else ++ need_addname = ISC_TRUE; ++ } + ISC_LIST_UNLINK(cfname.list, crdataset, link); + ISC_LIST_APPEND(fname->list, crdataset, link); + added_something = ISC_TRUE; diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2011-4313.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2011-4313.patch new file mode 100644 index 0000000000..19d8df1c2d --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2011-4313.patch @@ -0,0 +1,89 @@ +The patch to fix CVE-2011-4313 + +Upstream-Status: Backport + +Reference: https://www.redhat.com/security/data/cve/CVE-2011-4313.html + +query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV +through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0 through 9.8.1, and 9.9.0a1 +through 9.9.0b1 allows remote attackers to cause a denial of service +(assertion failure and named exit) via unknown vectors related to recursive DNS +queries, error logging, and the caching of an invalid record by the resolver. + +Signed-off-by Ming Liu +--- + bin/named/query.c | 19 ++++++++----------- + lib/dns/rbtdb.c | 4 ++-- + 2 files changed, 10 insertions(+), 13 deletions(-) + +--- a/bin/named/query.c ++++ b/bin/named/query.c +@@ -1393,11 +1393,9 @@ query_addadditional(void *arg, dns_name_ + goto addname; + if (result == DNS_R_NCACHENXRRSET) { + dns_rdataset_disassociate(rdataset); +- /* +- * Negative cache entries don't have sigrdatasets. +- */ +- INSIST(sigrdataset == NULL || +- ! dns_rdataset_isassociated(sigrdataset)); ++ if (sigrdataset != NULL && ++ dns_rdataset_isassociated(sigrdataset)) ++ dns_rdataset_disassociate(sigrdataset); + } + if (result == ISC_R_SUCCESS) { + mname = NULL; +@@ -1438,8 +1436,9 @@ query_addadditional(void *arg, dns_name_ + goto addname; + if (result == DNS_R_NCACHENXRRSET) { + dns_rdataset_disassociate(rdataset); +- INSIST(sigrdataset == NULL || +- ! dns_rdataset_isassociated(sigrdataset)); ++ if (sigrdataset != NULL && ++ dns_rdataset_isassociated(sigrdataset)) ++ dns_rdataset_disassociate(sigrdataset); + } + if (result == ISC_R_SUCCESS) { + mname = NULL; +@@ -1889,10 +1888,8 @@ query_addadditional2(void *arg, dns_name + goto setcache; + if (result == DNS_R_NCACHENXRRSET) { + dns_rdataset_disassociate(rdataset); +- /* +- * Negative cache entries don't have sigrdatasets. +- */ +- INSIST(! dns_rdataset_isassociated(sigrdataset)); ++ if (dns_rdataset_isassociated(sigrdataset)) ++ dns_rdataset_disassociate(sigrdataset); + } + if (result == ISC_R_SUCCESS) { + /* Remember the result as a cache */ +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -5053,7 +5053,7 @@ cache_find(dns_db_t *db, dns_name_t *nam + rdataset); + if (need_headerupdate(found, search.now)) + update = found; +- if (foundsig != NULL) { ++ if (!NEGATIVE(found) && foundsig != NULL) { + bind_rdataset(search.rbtdb, node, foundsig, search.now, + sigrdataset); + if (need_headerupdate(foundsig, search.now)) +@@ -5596,7 +5596,7 @@ zone_findrdataset(dns_db_t *db, dns_dbno + } + if (found != NULL) { + bind_rdataset(rbtdb, rbtnode, found, now, rdataset); +- if (foundsig != NULL) ++ if (!NEGATIVE(found) && foundsig != NULL) + bind_rdataset(rbtdb, rbtnode, foundsig, now, + sigrdataset); + } +@@ -5685,7 +5685,7 @@ cache_findrdataset(dns_db_t *db, dns_dbn + } + if (found != NULL) { + bind_rdataset(rbtdb, rbtnode, found, now, rdataset); +- if (foundsig != NULL) ++ if (!NEGATIVE(found) && foundsig != NULL) + bind_rdataset(rbtdb, rbtnode, foundsig, now, + sigrdataset); + } diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-1667.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-1667.patch new file mode 100644 index 0000000000..c441eab65d --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-1667.patch @@ -0,0 +1,92 @@ +bind CVE-2012-1667 + +Upstream-Status: Backport + +ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, +and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource +records with a zero-length RDATA section, which allows remote DNS servers to +cause a denial of service (daemon crash or data corruption) or obtain +sensitive information from process memory via a crafted record. + +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1667 + +The cve patch comes from bind97-9.7.0-10.P2.el5_8.1.src.rpm package. + +Signed-off-by: Li Wang +--- + lib/dns/rdata.c | 8 ++++---- + lib/dns/rdataslab.c | 11 ++++++++--- + 2 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c +index 063b1f6..9337a80 100644 +--- a/lib/dns/rdata.c ++++ b/lib/dns/rdata.c +@@ -325,8 +325,8 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) { + + REQUIRE(rdata1 != NULL); + REQUIRE(rdata2 != NULL); +- REQUIRE(rdata1->data != NULL); +- REQUIRE(rdata2->data != NULL); ++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL); ++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL); + REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1)); + REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2)); + +@@ -356,8 +356,8 @@ dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) { + + REQUIRE(rdata1 != NULL); + REQUIRE(rdata2 != NULL); +- REQUIRE(rdata1->data != NULL); +- REQUIRE(rdata2->data != NULL); ++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL); ++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL); + REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1)); + REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2)); + +diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c +index a41f16f..ed13b30 100644 +--- a/lib/dns/rdataslab.c ++++ b/lib/dns/rdataslab.c +@@ -125,6 +125,11 @@ isc_result_t + dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, + isc_region_t *region, unsigned int reservelen) + { ++ /* ++ * Use &removed as a sentinal pointer for duplicate ++ * rdata as rdata.data == NULL is valid. ++ */ ++ static unsigned char removed; + struct xrdata *x; + unsigned char *rawbuf; + #if DNS_RDATASET_FIXED +@@ -168,6 +173,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, + INSIST(result == ISC_R_SUCCESS); + dns_rdata_init(&x[i].rdata); + dns_rdataset_current(rdataset, &x[i].rdata); ++ INSIST(x[i].rdata.data != &removed); + #if DNS_RDATASET_FIXED + x[i].order = i; + #endif +@@ -200,8 +206,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, + */ + for (i = 1; i < nalloc; i++) { + if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) { +- x[i-1].rdata.data = NULL; +- x[i-1].rdata.length = 0; ++ x[i-1].rdata.data = &removed; + #if DNS_RDATASET_FIXED + /* + * Preserve the least order so A, B, A -> A, B +@@ -291,7 +296,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, + #endif + + for (i = 0; i < nalloc; i++) { +- if (x[i].rdata.data == NULL) ++ if (x[i].rdata.data == &removed) + continue; + #if DNS_RDATASET_FIXED + offsettable[x[i].order] = rawbuf - offsetbase; +-- +1.7.0.5 + diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-3817.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-3817.patch new file mode 100644 index 0000000000..1e159bd2f8 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-3817.patch @@ -0,0 +1,40 @@ +bind: fix for CVE-2012-3817 + +Upstream-Status: Backport + +ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2; +9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation +is enabled, does not properly initialize the failing-query cache, which allows +remote attackers to cause a denial of service (assertion failure and daemon exit) +by sending many queries. + +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3817 + +This patch is back-ported from bind-9.3.6-20.P1.el5_8.2.src.rpm package. + +Signed-off-by: Ming Liu +--- + resolver.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -8318,6 +8318,7 @@ dns_resolver_addbadcache(dns_resolver_t + goto cleanup; + bad->type = type; + bad->hashval = hashval; ++ bad->expire = *expire; + isc_buffer_init(&buffer, bad + 1, name->length); + dns_name_init(&bad->name, NULL); + dns_name_copy(name, &bad->name, &buffer); +@@ -8329,8 +8330,8 @@ dns_resolver_addbadcache(dns_resolver_t + if (resolver->badcount < resolver->badhash * 2 && + resolver->badhash > DNS_BADCACHE_SIZE) + resizehash(resolver, &now, ISC_FALSE); +- } +- bad->expire = *expire; ++ } else ++ bad->expire = *expire; + cleanup: + UNLOCK(&resolver->lock); + } diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2013-2266.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2013-2266.patch new file mode 100644 index 0000000000..7ec6deb714 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2013-2266.patch @@ -0,0 +1,41 @@ +bind: fix for CVE-2013-2266 + +Upstream-Status: Backport + +libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2, +9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows +remote attackers to cause a denial of service (memory consumption) via a +crafted regular expression, as demonstrated by a memory-exhaustion attack +against a machine running a named process. + +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2266 + +Signed-off-by Ming Liu +--- + config.h.in | 3 --- + configure.in | 2 +- + 2 files changed, 1 insertion(+), 4 deletions(-) + +--- a/config.h.in ++++ b/config.h.in +@@ -277,9 +277,6 @@ int sigwait(const unsigned int *set, int + /* Define if your OpenSSL version supports GOST. */ + #undef HAVE_OPENSSL_GOST + +-/* Define to 1 if you have the header file. */ +-#undef HAVE_REGEX_H +- + /* Define to 1 if you have the `setegid' function. */ + #undef HAVE_SETEGID + +--- a/configure.in ++++ b/configure.in +@@ -279,7 +279,7 @@ esac + + AC_HEADER_STDC + +-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,, ++AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,, + [$ac_includes_default + #ifdef HAVE_SYS_PARAM_H + # include diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch new file mode 100644 index 0000000000..5dd6f69e45 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch @@ -0,0 +1,141 @@ +bind_Fix_for_CVE-2012-4244 + +Upstream-Status: Backport + +Reference:https://bugzilla.novell.com/attachment.cgi?id=505661&action=edit + +ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, + and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to +cause a denial of service (assertion failure and named daemon exit) via +a query for a long resource record. + +Signed-off-by: yanjun.zhu + +diff -urpN a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h +--- a/lib/dns/include/dns/rdata.h 2012-10-08 12:19:42.000000000 +0800 ++++ b/lib/dns/include/dns/rdata.h 2012-10-08 11:26:43.000000000 +0800 +@@ -147,6 +147,17 @@ struct dns_rdata { + (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0) + + /* ++ * The maximum length of a RDATA that can be sent on the wire. ++ * Max packet size (65535) less header (12), less name (1), type (2), ++ * class (2), ttl(4), length (2). ++ * ++ * None of the defined types that support name compression can exceed ++ * this and all new types are to be sent uncompressed. ++ */ ++ ++#define DNS_RDATA_MAXLENGTH 65512U ++ ++/* + * Flags affecting rdata formatting style. Flags 0xFFFF0000 + * are used by masterfile-level formatting and defined elsewhere. + * See additional comments at dns_rdata_tofmttext(). +diff -urpN a/lib/dns/master.c b/lib/dns/master.c +--- a/lib/dns/master.c 2012-10-08 12:19:42.000000000 +0800 ++++ b/lib/dns/master.c 2012-10-08 11:27:06.000000000 +0800 +@@ -75,7 +75,7 @@ + /*% + * max message size - header - root - type - class - ttl - rdlen + */ +-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2) ++#define MINTSIZ DNS_RDATA_MAXLENGTH + /*% + * Size for tokens in the presentation format, + * The largest tokens are the base64 blocks in KEY and CERT records, +diff -urpN a/lib/dns/rdata.c b/lib/dns/rdata.c +--- a/lib/dns/rdata.c 2012-10-08 12:19:42.000000000 +0800 ++++ b/lib/dns/rdata.c 2012-10-08 11:27:27.000000000 +0800 +@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d + isc_buffer_t st; + isc_boolean_t use_default = ISC_FALSE; + isc_uint32_t activelength; ++ size_t length; + + REQUIRE(dctx != NULL); + if (rdata != NULL) { +@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d + } + + /* ++ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH ++ * as we cannot transmit it. ++ */ ++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); ++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) ++ result = DNS_R_FORMERR; ++ ++ /* + * We should have consumed all of our buffer. + */ + if (result == ISC_R_SUCCESS && !buffer_empty(source)) +@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d + + if (rdata != NULL && result == ISC_R_SUCCESS) { + region.base = isc_buffer_used(&st); +- region.length = isc_buffer_usedlength(target) - +- isc_buffer_usedlength(&st); ++ region.length = length; + dns_rdata_fromregion(rdata, rdclass, type, ®ion); + } + +@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d + unsigned long line; + void (*callback)(dns_rdatacallbacks_t *, const char *, ...); + isc_result_t tresult; ++ size_t length; + + REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE); + if (rdata != NULL) { +@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d + } + } while (1); + ++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); ++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) ++ result = ISC_R_NOSPACE; ++ + if (rdata != NULL && result == ISC_R_SUCCESS) { + region.base = isc_buffer_used(&st); +- region.length = isc_buffer_usedlength(target) - +- isc_buffer_usedlength(&st); ++ region.length = length; + dns_rdata_fromregion(rdata, rdclass, type, ®ion); + } + if (result != ISC_R_SUCCESS) { +@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, + isc_buffer_t st; + isc_region_t region; + isc_boolean_t use_default = ISC_FALSE; ++ size_t length; + + REQUIRE(source != NULL); + if (rdata != NULL) { +@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, + if (use_default) + (void)NULL; + ++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); ++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) ++ result = ISC_R_NOSPACE; ++ + if (rdata != NULL && result == ISC_R_SUCCESS) { + region.base = isc_buffer_used(&st); +- region.length = isc_buffer_usedlength(target) - +- isc_buffer_usedlength(&st); ++ region.length = length; + dns_rdata_fromregion(rdata, rdclass, type, ®ion); + } + if (result != ISC_R_SUCCESS) +diff -urpN a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c +--- a/lib/dns/rdataslab.c 2012-10-08 12:19:42.000000000 +0800 ++++ b/lib/dns/rdataslab.c 2012-10-08 11:27:54.000000000 +0800 +@@ -304,6 +304,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_ + length = x[i].rdata.length; + if (rdataset->type == dns_rdatatype_rrsig) + length++; ++ INSIST(length <= 0xffff); + *rawbuf++ = (length & 0xff00) >> 8; + *rawbuf++ = (length & 0x00ff); + #if DNS_RDATASET_FIXED diff --git a/meta/recipes-connectivity/bind/bind_9.8.1.bb b/meta/recipes-connectivity/bind/bind_9.8.1.bb index b807dbf1a7..3c5d600944 100644 --- a/meta/recipes-connectivity/bind/bind_9.8.1.bb +++ b/meta/recipes-connectivity/bind/bind_9.8.1.bb @@ -12,6 +12,12 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://conf.patch \ file://cross-build-fix.patch \ file://make-etc-initd-bind-stop-work.patch \ + file://bind-9.8.1-CVE-2012-5166.patch \ + file://bind-CVE-2011-4313.patch \ + file://bind-CVE-2012-1667.patch \ + file://bind-CVE-2012-3817.patch \ + file://bind-CVE-2013-2266.patch \ + file://bind-Fix-CVE-2012-4244.patch \ " SRC_URI[md5sum] = "cf31117c5d35af34d4c0702970ad9fb7" -- cgit v1.2.3