import bind-9.16.23-4.el9

2022-09-27 07:14:30 -04:00 · 2022-09-27 07:14:30 -04:00 · 8dc5c2990f
commit 8dc5c2990f
parent 13a9717633
4 changed files with 1495 additions and 1 deletions
--- a/SOURCES/bind-9.16-CVE-2021-25220-test.patch
+++ b/SOURCES/bind-9.16-CVE-2021-25220-test.patch
--- a/SOURCES/bind-9.16-CVE-2021-25220.patch
+++ b/SOURCES/bind-9.16-CVE-2021-25220.patch
@ -0,0 +1,251 @@
+From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 19 Jan 2022 17:38:18 +1100
+Subject: [PATCH] Add additional name checks when using a forwarder
+
+When using a forwarder, check that the owner name of response
+records are within the bailiwick of the forwarded name space.
+
+(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b)
+
+Check that the forward declaration is unchanged and not overridden
+
+If we are using a fowarder, in addition to checking that names to
+be cached are subdomains of the forwarded namespace, we must also
+check that there are no subsidiary forwarded namespaces which would
+take precedence. To be safe, we don't cache any responses if the
+forwarding configuration has changed since the query was sent.
+
+(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3)
+
+Check cached names for possible "forward only" clause
+
+When caching additional and glue data *not* from a forwarder, we must
+check that there is no "forward only" clause covering the owner name
+that would take precedence.  Such names would normally be allowed by
+baliwick rules, but a "forward only" zone introduces a new baliwick
+scope.
+
+(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78)
+
+Look for zones deeper than the current domain or forward name
+
+When caching glue, we need to ensure that there is no closer
+source of truth for the name. If the owner name for the glue
+record would be answered by a locally configured zone, do not
+cache.
+
+(cherry picked from commit 71b24210542730355149130770deea3e58d8527a)
+---
+ lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 123 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index a7bc661bb7..7603a07b7b 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -63,6 +63,8 @@
+ #include <dns/stats.h>
+ #include <dns/tsig.h>
+ #include <dns/validator.h>
+#include <dns/zone.h>
+
+ #ifdef WANT_QUERYTRACE
+ #define RTRACE(m)                                                             \
+ 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,                     \
+@@ -337,6 +339,8 @@ struct fetchctx {
+ 	dns_fetch_t *qminfetch;
+ 	dns_rdataset_t qminrrset;
+ 	dns_name_t qmindcname;
+	dns_fixedname_t fwdfname;
+	dns_name_t *fwdname;
+ 
+ 	/*%
+ 	 * The number of events we're waiting for.
+@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 		if (result == ISC_R_SUCCESS) {
+ 			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+ 			fctx->fwdpolicy = forwarders->fwdpolicy;
+			dns_name_copynf(domain, fctx->fwdname);
+ 			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
+ 			    isstrictsubdomain(domain, &fctx->domain))
+ 			{
+@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
+ 	fctx->restarts = 0;
+ 	fctx->querysent = 0;
+ 	fctx->referrals = 0;
+
+	fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
+
+ 	TIME_NOW(&fctx->start);
+ 	fctx->timeouts = 0;
+ 	fctx->lamecount = 0;
+@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
+ 					   fname, &forwarders);
+ 		if (result == ISC_R_SUCCESS) {
+ 			fctx->fwdpolicy = forwarders->fwdpolicy;
+			dns_name_copynf(fname, fctx->fwdname);
+ 		}
+ 
+ 		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
+@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
+ 	}
+ }
+ 
+/*
+ * Returns true if 'name' is external to the namespace for which
+ * the server being queried can answer, either because it's not a
+ * subdomain or because it's below a forward declaration or a
+ * locally served zone.
+ */
+static inline bool
+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
+	isc_result_t result;
+	dns_forwarders_t *forwarders = NULL;
+	dns_fixedname_t fixed, zfixed;
+	dns_name_t *fname = dns_fixedname_initname(&fixed);
+	dns_name_t *zfname = dns_fixedname_initname(&zfixed);
+	dns_name_t *apex = NULL;
+	dns_name_t suffix;
+	dns_zone_t *zone = NULL;
+	unsigned int labels;
+	dns_namereln_t rel;
+
+	apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
+
+	/*
+	 * The name is outside the queried namespace.
+	 */
+	rel = dns_name_fullcompare(name, apex, &(int){ 0 },
+				   &(unsigned int){ 0U });
+	if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
+		return (true);
+	}
+
+	/*
+	 * If the record lives in the parent zone, adjust the name so we
+	 * look for the correct zone or forward clause.
+	 */
+	labels = dns_name_countlabels(name);
+	if (dns_rdatatype_atparent(type) && labels > 1U) {
+		dns_name_init(&suffix, NULL);
+		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+		name = &suffix;
+	} else if (rel == dns_namereln_equal) {
+		/* If 'name' is 'apex', no further checking is needed. */
+		return (false);
+	}
+
+	/*
+	 * If there is a locally served zone between 'apex' and 'name'
+	 * then don't cache.
+	 */
+	LOCK(&fctx->res->view->lock);
+	if (fctx->res->view->zonetable != NULL) {
+		unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
+		result = dns_zt_find(fctx->res->view->zonetable, name, options,
+				     zfname, &zone);
+		if (zone != NULL) {
+			dns_zone_detach(&zone);
+		}
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+			if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
+						 &(unsigned int){ 0U }) ==
+			    dns_namereln_subdomain)
+			{
+				UNLOCK(&fctx->res->view->lock);
+				return (true);
+			}
+		}
+	}
+	UNLOCK(&fctx->res->view->lock);
+
+	/*
+	 * Look for a forward declaration below 'name'.
+	 */
+	result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
+				   &forwarders);
+
+	if (ISFORWARDER(fctx->addrinfo)) {
+		/*
+		 * See if the forwarder declaration is better.
+		 */
+		if (result == ISC_R_SUCCESS) {
+			return (!dns_name_equal(fname, fctx->fwdname));
+		}
+
+		/*
+		 * If the lookup failed, the configuration must have
+		 * changed: play it safe and don't cache.
+		 */
+		return (true);
+	} else if (result == ISC_R_SUCCESS &&
+		   forwarders->fwdpolicy == dns_fwdpolicy_only &&
+		   !ISC_LIST_EMPTY(forwarders->fwdrs))
+	{
+		/*
+		 * If 'name' is covered by a 'forward only' clause then we
+		 * can't cache this repsonse.
+		 */
+		return (true);
+	}
+
+	return (false);
+}
+
+ static isc_result_t
+ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
+ 	      dns_section_t section) {
+@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
+ 	result = dns_message_findname(rctx->query->rmessage, section, addname,
+ 				      dns_rdatatype_any, 0, &name, NULL);
+ 	if (result == ISC_R_SUCCESS) {
+-		external = !dns_name_issubdomain(name, &fctx->domain);
+		external = name_external(name, type, fctx);
+ 		if (type == dns_rdatatype_a) {
+ 			for (rdataset = ISC_LIST_HEAD(name->list);
+ 			     rdataset != NULL;
+@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) {
+ 			break;
+ 
+ 		case dns_namereln_subdomain:
+			/*
+			 * Don't accept DNAME from parent namespace.
+			 */
+			if (name_external(name, dns_rdatatype_dname, fctx)) {
+				continue;
+			}
+
+ 			/*
+ 			 * In-scope DNAME records must have at least
+ 			 * as many labels as the domain being queried.
+@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) {
+ 				       DNS_SECTION_AUTHORITY);
+ 	while (!done && result == ISC_R_SUCCESS) {
+ 		dns_name_t *name = NULL;
+-		bool external;
+ 
+ 		dns_message_currentname(rctx->query->rmessage,
+ 					DNS_SECTION_AUTHORITY, &name);
+-		external = !dns_name_issubdomain(name, &fctx->domain);
+ 
+-		if (!external) {
+		if (!name_external(name, dns_rdatatype_ns, fctx)) {
+ 			dns_rdataset_t *rdataset = NULL;
+ 
+ 			/*
+@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
+ 		}
+ 
+ 		if (!dns_name_issubdomain(name, &fctx->domain)) {
+-			/* Invalid name found; preserve it for logging later */
+			/*
+			 * Invalid name found; preserve it for logging
+			 * later.
+			 */
+ 			rctx->found_name = name;
+ 			rctx->found_type = ISC_LIST_HEAD(name->list)->type;
+ 			continue;
+-- 
+2.34.1
+
--- a/SOURCES/bind-9.16-CVE-2022-0396.patch
+++ b/SOURCES/bind-9.16-CVE-2022-0396.patch
@ -0,0 +1,81 @@
+From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Tue, 8 Feb 2022 12:42:34 +0100
+Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb()
+
+When sock->closehandle_cb is set, we need to run nmhandle_detach_cb()
+asynchronously to ensure correct order of multiple packets processing in
+the isc__nm_process_sock_buffer().  When not run asynchronously, it
+would cause:
+
+  a) out-of-order processing of the return codes from processbuffer();
+
+  b) stack growth because the next TCP DNS message read callback will
+     be called from within the current TCP DNS message read callback.
+
+The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP
+sockets which calls isc__nm_process_sock_buffer().  If the read callback
+(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't
+attach to the nmhandle (f.e. because it wants to drop the processing or
+we send the response directly via uv_try_write()), the
+isc__nm_resume_processing() (via .closehandle_cb) would call
+isc__nm_process_sock_buffer() recursively.
+
+The below shortened code path shows how the stack can grow:
+
+ 1: ns__client_request(handle, ...);
+ 2: isc_nm_tcpdns_sequential(handle);
+ 3: ns_query_start(client, handle);
+ 4:   query_lookup(qctx);
+ 5:     query_send(qctcx->client);
+ 6:       isc__nmhandle_detach(&client->reqhandle);
+ 7:         nmhandle_detach_cb(&handle);
+ 8:           sock->closehandle_cb(sock); // isc__nm_resume_processing
+ 9:             isc__nm_process_sock_buffer(sock);
+10:               processbuffer(sock); // isc__nm_tcpdns_processbuffer
+11:                 isc_nmhandle_attach(req->handle, &handle);
+12:                 isc__nm_readcb(sock, req, ISC_R_SUCCESS);
+13:                   isc__nm_async_readcb(NULL, ...);
+14:                     uvreq->cb.recv(...); // ns__client_request
+
+Instead, if 'sock->closehandle_cb' is set, we need to run detach the
+handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in
+the code flow above does not start this recursion. This ensures the
+correct order when processing multiple packets in the function
+'isc__nm_process_sock_buffer()' and prevents the stack growth.
+
+When not run asynchronously, the out-of-order processing leaves the
+first TCP socket open until all requests on the stream have been
+processed.
+
+If the pipelining is disabled on the TCP via `keep-response-order`
+configuration option, named would keep the first socket in lingering
+CLOSE_WAIT state when the client sends an incomplete packet and then
+closes the connection from the client side.
+
+(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17)
+---
+ lib/isc/netmgr/netmgr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
+index 3283eb6e4f..0ed3182fb6 100644
+--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
+@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
+ 	handle = *handlep;
+ 	*handlep = NULL;
+ 
+	/*
+	 * If the closehandle_cb is set, it needs to run asynchronously to
+	 * ensure correct ordering of the isc__nm_process_sock_buffer().
+	 */
+ 	sock = handle->sock;
+-	if (sock->tid == isc_nm_tid()) {
+	if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) {
+ 		nmhandle_detach_cb(&handle FLARG_PASS);
+ 	} else {
+ 		isc__netievent_detach_t *event =
+-- 
+2.34.1
+
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@ -51,7 +51,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  1%{?dist}
+Release:  4%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -101,6 +101,10 @@ Patch157:bind-9.11-fips-tests.patch
 Patch164:bind-9.11-rh1666814.patch
 Patch170:bind-9.11-feature-test-named.patch
 Patch171:bind-9.11-tests-variants.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5987
+Patch172:bind-9.16-CVE-2022-0396.patch
+Patch173:bind-9.16-CVE-2021-25220.patch
+Patch174:bind-9.16-CVE-2021-25220-test.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -401,6 +405,9 @@ in HTML and PDF format.
 %patch164 -p1 -b .rh1666814
 %patch170 -p1 -b .featuretest-named
 %patch171 -p1 -b .test-variant
+%patch172 -p1 -b .CVE-2022-0396
+%patch173 -p1 -b .CVE-2021-25220
+%patch174 -p1 -b .CVE-2021-25220-test

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1123,6 +1130,17 @@ fi;
 %endif

 %changelog
+* Thu Jul 14 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-4
+- Export bind-doc package (#2104863)
+
+* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
+- Tighten cache protection against record from forwarders (CVE-2021-25220)
+- Include test of forwarders
+
+* Fri Mar 25 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-2
+- TCP connections with 'keep-response-order' are properly close in all cases
+  (CVE-2022-0396)
+
 * Fri Nov 19 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-1
 - Update to 9.16.23 (#2024210)