import CS bind-dyndb-ldap-11.9-10.el9

2024-09-30 15:06:48 +00:00 · 2024-09-30 15:06:48 +00:00 · 21586ca87a
commit 21586ca87a
parent 24312dc3ca
3 changed files with 112 additions and 2 deletions
--- a/SOURCES/bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch
+++ b/SOURCES/bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch
@ -0,0 +1,76 @@
+From c7801fabb1597c4d4b18b21fcfcf6ab064040ba5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 7 Aug 2024 16:19:46 +0200
+Subject: [PATCH] Detect presence of dns_zone_setmaxrrperset
+
+Because it were backported into bind-9.16 branch by upstream and testing
+of simpler variant fails in some cases. This assumes these call do not
+appear only after 9.18.28, but may be backported into previous versions.
+Tests just call presence and assumes dns_db_setmaxtypepername will be
+present also.
+---
+ configure.ac      |  4 ++++
+ src/ldap_driver.c | 25 +++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index faac214..b897c2b 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -137,6 +137,10 @@ AC_CHECK_LIB([dns], [dns_db_setservestalettl],
+   [AC_DEFINE([HAVE_DNS_SERVESTALE], 1, [Define if dns library provides dns_db_setservestalettl])]
+ )
+ 
+AC_CHECK_LIB([dns], [dns_db_setmaxrrperset],
+  [AC_DEFINE([HAVE_DNS_DB_SETMAXRRPERSET], 1, [Define if dns library provides dns_db_setmaxrrperset])]
+)
+
+ dnl Older autoconf (2.59, for example) doesn't define docdir
+ [[ ! -n "$docdir" ]] && docdir='${datadir}/doc/${PACKAGE_TARNAME}'
+ AC_SUBST([docdir])
+diff --git a/src/ldap_driver.c b/src/ldap_driver.c
+index 5f9e00a..29896d4 100644
+--- a/src/ldap_driver.c
+++ b/src/ldap_driver.c
+@@ -909,6 +909,27 @@ adjusthashsize(dns_db_t *db, size_t size) {
+ }
+ #endif
+ 
+#if HAVE_DNS_DB_SETMAXRRPERSET
+/* Calls added to fix CVE-2024-1737 in 9.18.28 */
+static void
+setmaxrrperset(dns_db_t *db, uint32_t value) {
+	ldapdb_t *ldapdb = (ldapdb_t *) db;
+
+	REQUIRE(VALID_LDAPDB(ldapdb));
+
+	return dns_db_setmaxrrperset(ldapdb->rbtdb, value);
+}
+
+static void
+setmaxtypepername(dns_db_t *db, uint32_t value) {
+	ldapdb_t *ldapdb = (ldapdb_t *) db;
+
+	REQUIRE(VALID_LDAPDB(ldapdb));
+
+	return dns_db_setmaxtypepername(ldapdb->rbtdb, value);
+}
+#endif
+
+ static dns_dbmethods_t ldapdb_methods = {
+ 	attach,
+ 	detach,
+@@ -969,6 +990,10 @@ static dns_dbmethods_t ldapdb_methods = {
+ #if LIBDNS_VERSION_MAJOR >= 1606
+ 	adjusthashsize, /* adjusthashsize */
+ #endif
+#if HAVE_DNS_DB_SETMAXRRPERSET
+	setmaxrrperset, /* setmaxrrperset */
+	setmaxtypepername, /* setmaxtypepername */
+#endif
+ };
+ 
+ isc_result_t ATTR_NONNULLS
+-- 
+2.45.2
+
--- a/SOURCES/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch
+++ b/SOURCES/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch
@ -0,0 +1,24 @@
+diff --git a/src/mldap.c b/src/mldap.c
+index 92a330c..79efddb 100644
+--- a/src/mldap.c
+++ b/src/mldap.c
+@@ -50,18 +50,7 @@
+ static unsigned char uuid_rootname_ndata[]
+ 	= { 4, 'u', 'u', 'i', 'd', 4, 'l', 'd', 'a', 'p', 0 };
+ static unsigned char uuid_rootname_offsets[] = { 0, 5, 10 };
+-static dns_name_t uuid_rootname =
+-{
+-	DNS_NAME_MAGIC,
+-	uuid_rootname_ndata,
+-	sizeof(uuid_rootname_ndata),
+-	sizeof(uuid_rootname_offsets),
+-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+-	uuid_rootname_offsets,
+-	NULL,
+-	{ (void *)-1, (void *)-1 },
+-	{ NULL, NULL }
+-};
+static dns_name_t uuid_rootname = DNS_NAME_INITABSOLUTE(uuid_rootname_ndata, uuid_rootname_offsets);
+ 
+ struct mldapdb {
+ 	isc_mem_t	*mctx;
--- a/SPECS/bind-dyndb-ldap.spec
+++ b/SPECS/bind-dyndb-ldap.spec
@ -1,7 +1,7 @@

 %define VERSION %{version}

-%define bind_version 32:9.11.17-1
+%define bind_version 32:9.16.23-19

 %if 0%{?fedora} >= 31 || 0%{?rhel} > 8
    %global openssl_pkcs11_version 0.4.10-6
@ -12,7 +12,7 @@

 Name:           bind-dyndb-ldap
 Version:        11.9
-Release:        8%{?dist}
+Release:        10%{?dist}
 Summary:        LDAP back-end plug-in for BIND

 License:        GPLv2+
@ -22,6 +22,10 @@ Source1:        https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.a

 Patch1:         bind-dyndb-ldap-11.9-bind-9.16.17.patch
 Patch2:         0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch
+# https://pagure.io/bind-dyndb-ldap/pull-request/229
+Patch3:         https://pagure.io/bind-dyndb-ldap/raw/dbbcc2f07ea6955c6b0b5a719f8058c54b1d750c#/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch
+# https://pagure.io/bind-dyndb-ldap/pull-request/235
+Patch4:         bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch

 BuildRequires:  bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}
 BuildRequires:  krb5-devel
@ -117,6 +121,12 @@ sed -i.bak -e "$SEDSCRIPT" /etc/named.conf


 %changelog
+* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 11.9-10
+- Rebuilt for BIND CVE-2024-1737 fixes (CVE-2024-1737)
+
+* Thu Feb 22 2024 Petr Menšík <pemensik@redhat.com> - 11.9-9
+- Rebuild required for BIND changes for KeyTrap change (CVE-2023-50387)
+
 * Wed Oct 19 2022 Rafael Jeffman <rjeffman<redhat.com> - 11.9-8
 - Modify empty zone conflicts under exclusive mode
  Resolves: rhbz#2129844, rhbz#2130614