From 21586ca87a11599712f0feb95f1c2bae16eef638 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 30 Sep 2024 15:06:48 +0000 Subject: [PATCH] import CS bind-dyndb-ldap-11.9-10.el9 --- ...-dyndb-ldap-11.10-bind-CVE-2024-1737.patch | 76 +++++++++++++++++++ ...-dyndb-ldap-11.9-bind-CVE-2023-50387.patch | 24 ++++++ SPECS/bind-dyndb-ldap.spec | 14 +++- 3 files changed, 112 insertions(+), 2 deletions(-) create mode 100644 SOURCES/bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch create mode 100644 SOURCES/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch diff --git a/SOURCES/bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch b/SOURCES/bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch new file mode 100644 index 0000000..06764ac --- /dev/null +++ b/SOURCES/bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch @@ -0,0 +1,76 @@ +From c7801fabb1597c4d4b18b21fcfcf6ab064040ba5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Wed, 7 Aug 2024 16:19:46 +0200 +Subject: [PATCH] Detect presence of dns_zone_setmaxrrperset + +Because it were backported into bind-9.16 branch by upstream and testing +of simpler variant fails in some cases. This assumes these call do not +appear only after 9.18.28, but may be backported into previous versions. +Tests just call presence and assumes dns_db_setmaxtypepername will be +present also. +--- + configure.ac | 4 ++++ + src/ldap_driver.c | 25 +++++++++++++++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/configure.ac b/configure.ac +index faac214..b897c2b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -137,6 +137,10 @@ AC_CHECK_LIB([dns], [dns_db_setservestalettl], + [AC_DEFINE([HAVE_DNS_SERVESTALE], 1, [Define if dns library provides dns_db_setservestalettl])] + ) + ++AC_CHECK_LIB([dns], [dns_db_setmaxrrperset], ++ [AC_DEFINE([HAVE_DNS_DB_SETMAXRRPERSET], 1, [Define if dns library provides dns_db_setmaxrrperset])] ++) ++ + dnl Older autoconf (2.59, for example) doesn't define docdir + [[ ! -n "$docdir" ]] && docdir='${datadir}/doc/${PACKAGE_TARNAME}' + AC_SUBST([docdir]) +diff --git a/src/ldap_driver.c b/src/ldap_driver.c +index 5f9e00a..29896d4 100644 +--- a/src/ldap_driver.c ++++ b/src/ldap_driver.c +@@ -909,6 +909,27 @@ adjusthashsize(dns_db_t *db, size_t size) { + } + #endif + ++#if HAVE_DNS_DB_SETMAXRRPERSET ++/* Calls added to fix CVE-2024-1737 in 9.18.28 */ ++static void ++setmaxrrperset(dns_db_t *db, uint32_t value) { ++ ldapdb_t *ldapdb = (ldapdb_t *) db; ++ ++ REQUIRE(VALID_LDAPDB(ldapdb)); ++ ++ return dns_db_setmaxrrperset(ldapdb->rbtdb, value); ++} ++ ++static void ++setmaxtypepername(dns_db_t *db, uint32_t value) { ++ ldapdb_t *ldapdb = (ldapdb_t *) db; ++ ++ REQUIRE(VALID_LDAPDB(ldapdb)); ++ ++ return dns_db_setmaxtypepername(ldapdb->rbtdb, value); ++} ++#endif ++ + static dns_dbmethods_t ldapdb_methods = { + attach, + detach, +@@ -969,6 +990,10 @@ static dns_dbmethods_t ldapdb_methods = { + #if LIBDNS_VERSION_MAJOR >= 1606 + adjusthashsize, /* adjusthashsize */ + #endif ++#if HAVE_DNS_DB_SETMAXRRPERSET ++ setmaxrrperset, /* setmaxrrperset */ ++ setmaxtypepername, /* setmaxtypepername */ ++#endif + }; + + isc_result_t ATTR_NONNULLS +-- +2.45.2 + diff --git a/SOURCES/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch b/SOURCES/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch new file mode 100644 index 0000000..0272ebf --- /dev/null +++ b/SOURCES/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch @@ -0,0 +1,24 @@ +diff --git a/src/mldap.c b/src/mldap.c +index 92a330c..79efddb 100644 +--- a/src/mldap.c ++++ b/src/mldap.c +@@ -50,18 +50,7 @@ + static unsigned char uuid_rootname_ndata[] + = { 4, 'u', 'u', 'i', 'd', 4, 'l', 'd', 'a', 'p', 0 }; + static unsigned char uuid_rootname_offsets[] = { 0, 5, 10 }; +-static dns_name_t uuid_rootname = +-{ +- DNS_NAME_MAGIC, +- uuid_rootname_ndata, +- sizeof(uuid_rootname_ndata), +- sizeof(uuid_rootname_offsets), +- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, +- uuid_rootname_offsets, +- NULL, +- { (void *)-1, (void *)-1 }, +- { NULL, NULL } +-}; ++static dns_name_t uuid_rootname = DNS_NAME_INITABSOLUTE(uuid_rootname_ndata, uuid_rootname_offsets); + + struct mldapdb { + isc_mem_t *mctx; diff --git a/SPECS/bind-dyndb-ldap.spec b/SPECS/bind-dyndb-ldap.spec index e004bba..80ed0e7 100644 --- a/SPECS/bind-dyndb-ldap.spec +++ b/SPECS/bind-dyndb-ldap.spec @@ -1,7 +1,7 @@ %define VERSION %{version} -%define bind_version 32:9.11.17-1 +%define bind_version 32:9.16.23-19 %if 0%{?fedora} >= 31 || 0%{?rhel} > 8 %global openssl_pkcs11_version 0.4.10-6 @@ -12,7 +12,7 @@ Name: bind-dyndb-ldap Version: 11.9 -Release: 8%{?dist} +Release: 10%{?dist} Summary: LDAP back-end plug-in for BIND License: GPLv2+ @@ -22,6 +22,10 @@ Source1: https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.a Patch1: bind-dyndb-ldap-11.9-bind-9.16.17.patch Patch2: 0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch +# https://pagure.io/bind-dyndb-ldap/pull-request/229 +Patch3: https://pagure.io/bind-dyndb-ldap/raw/dbbcc2f07ea6955c6b0b5a719f8058c54b1d750c#/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch +# https://pagure.io/bind-dyndb-ldap/pull-request/235 +Patch4: bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch BuildRequires: bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version} BuildRequires: krb5-devel @@ -117,6 +121,12 @@ sed -i.bak -e "$SEDSCRIPT" /etc/named.conf %changelog +* Wed Aug 07 2024 Petr Menšík - 11.9-10 +- Rebuilt for BIND CVE-2024-1737 fixes (CVE-2024-1737) + +* Thu Feb 22 2024 Petr Menšík - 11.9-9 +- Rebuild required for BIND changes for KeyTrap change (CVE-2023-50387) + * Wed Oct 19 2022 Rafael Jeffman - 11.9-8 - Modify empty zone conflicts under exclusive mode Resolves: rhbz#2129844, rhbz#2130614