import CS bind-dyndb-ldap-11.9-10.el9

eabdullin 2024-09-30 15:06:48 +00:00
parent 24312dc3ca
commit 21586ca87a
3 changed files with 112 additions and 2 deletions


@ -0,0 +1,76 @@
From c7801fabb1597c4d4b18b21fcfcf6ab064040ba5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 7 Aug 2024 16:19:46 +0200
Subject: [PATCH] Detect presence of dns_zone_setmaxrrperset
Because it were backported into bind-9.16 branch by upstream and testing
of simpler variant fails in some cases. This assumes these call do not
appear only after 9.18.28, but may be backported into previous versions.
Tests just call presence and assumes dns_db_setmaxtypepername will be
present also.
---
configure.ac | 4 ++++
src/ldap_driver.c | 25 +++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/configure.ac b/configure.ac
index faac214..b897c2b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -137,6 +137,10 @@ AC_CHECK_LIB([dns], [dns_db_setservestalettl],
[AC_DEFINE([HAVE_DNS_SERVESTALE], 1, [Define if dns library provides dns_db_setservestalettl])]
)
+AC_CHECK_LIB([dns], [dns_db_setmaxrrperset],
+ [AC_DEFINE([HAVE_DNS_DB_SETMAXRRPERSET], 1, [Define if dns library provides dns_db_setmaxrrperset])]
+)
+
dnl Older autoconf (2.59, for example) doesn't define docdir
[[ ! -n "$docdir" ]] && docdir='${datadir}/doc/${PACKAGE_TARNAME}'
AC_SUBST([docdir])
diff --git a/src/ldap_driver.c b/src/ldap_driver.c
index 5f9e00a..29896d4 100644
--- a/src/ldap_driver.c
+++ b/src/ldap_driver.c
@@ -909,6 +909,27 @@ adjusthashsize(dns_db_t *db, size_t size) {
}
#endif
+#if HAVE_DNS_DB_SETMAXRRPERSET
+/* Calls added to fix CVE-2024-1737 in 9.18.28 */
+static void
+setmaxrrperset(dns_db_t *db, uint32_t value) {
+ ldapdb_t *ldapdb = (ldapdb_t *) db;
+
+ REQUIRE(VALID_LDAPDB(ldapdb));
+
+ return dns_db_setmaxrrperset(ldapdb->rbtdb, value);
+}
+
+static void
+setmaxtypepername(dns_db_t *db, uint32_t value) {
+ ldapdb_t *ldapdb = (ldapdb_t *) db;
+
+ REQUIRE(VALID_LDAPDB(ldapdb));
+
+ return dns_db_setmaxtypepername(ldapdb->rbtdb, value);
+}
+#endif
+
static dns_dbmethods_t ldapdb_methods = {
attach,
detach,
@@ -969,6 +990,10 @@ static dns_dbmethods_t ldapdb_methods = {
#if LIBDNS_VERSION_MAJOR >= 1606
adjusthashsize, /* adjusthashsize */
#endif
+#if HAVE_DNS_DB_SETMAXRRPERSET
+ setmaxrrperset, /* setmaxrrperset */
+ setmaxtypepername, /* setmaxtypepername */
+#endif
};
isc_result_t ATTR_NONNULLS
--
2.45.2
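Review bot: The configure.ac probe added here decides silently whether the CVE-2024-1737 wrappers exist: if `AC_CHECK_LIB([dns], [dns_db_setmaxrrperset], ...)` fails for any reason (an older bind-devel, or a link failure inside the probe), `HAVE_DNS_DB_SETMAXRRPERSET` stays undefined, both wrappers and both `ldapdb_methods` entries in src/ldap_driver.c are compiled out, and the build still succeeds. In that case the limits are presumably never forwarded to `ldapdb->rbtdb`, so a security rebuild would benefit from a visible signal, for example a fourth probe argument `[AC_MSG_WARN([dns_db_setmaxrrperset not found: RRset limits will not be forwarded])]`, or a hard error in the distro build. The same guard also covers `dns_db_setmaxtypepername`, which is not probed, and the two table entries are positional, so they rely on the installed dns_dbmethods_t declaring these slots directly after adjusthashsize; the middle of the initializer is outside the hunks, so a short comment stating that assumption would help the next reader. Smaller point: both wrappers are `void` yet use `return dns_db_...(...)`; a plain call statement such as `dns_db_setmaxrrperset(ldapdb->rbtdb, value);` is the portable form.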


@ -0,0 +1,24 @@
diff --git a/src/mldap.c b/src/mldap.c
index 92a330c..79efddb 100644
--- a/src/mldap.c
+++ b/src/mldap.c
@@ -50,18 +50,7 @@
static unsigned char uuid_rootname_ndata[]
= { 4, 'u', 'u', 'i', 'd', 4, 'l', 'd', 'a', 'p', 0 };
static unsigned char uuid_rootname_offsets[] = { 0, 5, 10 };
-static dns_name_t uuid_rootname =
-{
- DNS_NAME_MAGIC,
- uuid_rootname_ndata,
- sizeof(uuid_rootname_ndata),
- sizeof(uuid_rootname_offsets),
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- uuid_rootname_offsets,
- NULL,
- { (void *)-1, (void *)-1 },
- { NULL, NULL }
-};
+static dns_name_t uuid_rootname = DNS_NAME_INITABSOLUTE(uuid_rootname_ndata, uuid_rootname_offsets);
struct mldapdb {
isc_mem_t *mctx;
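Review bot: The replacement line for `uuid_rootname` in src/mldap.c carries no comment saying why the hand-written field list was dropped, and the patch file itself has no From/Subject header recording where it came from. A one-line comment such as `/* use the libdns initializer so the field list follows dns_name_t across BIND versions */` would keep a later edit from reintroducing a positional initializer that mis-assigns members when the struct layout changes. It is also worth confirming that `DNS_NAME_INITABSOLUTE` in the targeted bind-devel still sets the read-only and absolute attributes that the removed initializer set explicitly, since the macro body is not visible here.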


@ -1,7 +1,7 @@
%define VERSION %{version} %define VERSION %{version}
%define bind_version 32:9.11.17-1 %define bind_version 32:9.16.23-19
%if 0%{?fedora} >= 31 || 0%{?rhel} > 8 %if 0%{?fedora} >= 31 || 0%{?rhel} > 8
%global openssl_pkcs11_version 0.4.10-6 %global openssl_pkcs11_version 0.4.10-6
@ -12,7 +12,7 @@
Name: bind-dyndb-ldap Name: bind-dyndb-ldap
Version: 11.9 Version: 11.9
Release: 8%{?dist} Release: 10%{?dist}
Summary: LDAP back-end plug-in for BIND Summary: LDAP back-end plug-in for BIND
License: GPLv2+ License: GPLv2+
@ -22,6 +22,10 @@ Source1: https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.a
Patch1: bind-dyndb-ldap-11.9-bind-9.16.17.patch Patch1: bind-dyndb-ldap-11.9-bind-9.16.17.patch
Patch2: 0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch Patch2: 0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch
# https://pagure.io/bind-dyndb-ldap/pull-request/229
Patch3: https://pagure.io/bind-dyndb-ldap/raw/dbbcc2f07ea6955c6b0b5a719f8058c54b1d750c#/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch
# https://pagure.io/bind-dyndb-ldap/pull-request/235
Patch4: bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch
BuildRequires: bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version} BuildRequires: bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}
BuildRequires: krb5-devel BuildRequires: krb5-devel
@ -117,6 +121,12 @@ sed -i.bak -e "$SEDSCRIPT" /etc/named.conf
%changelog %changelog
* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 11.9-10
- Rebuilt for BIND CVE-2024-1737 fixes (CVE-2024-1737)
* Thu Feb 22 2024 Petr Menšík <pemensik@redhat.com> - 11.9-9
- Rebuild required for BIND changes for KeyTrap change (CVE-2023-50387)
* Wed Oct 19 2022 Rafael Jeffman <rjeffman<redhat.com> - 11.9-8 * Wed Oct 19 2022 Rafael Jeffman <rjeffman<redhat.com> - 11.9-8
- Modify empty zone conflicts under exclusive mode - Modify empty zone conflicts under exclusive mode
Resolves: rhbz#2129844, rhbz#2130614 Resolves: rhbz#2129844, rhbz#2130614
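Review bot: `Patch4` is recorded only by a local file name and a pull-request link, whereas `Patch3` above it is pinned to a raw URL containing a commit id, so the origin of the CVE-2024-1737 patch cannot be checked from the spec alone. If the patch file added in this commit is Patch4, its header names commit c7801fabb1597c4d4b18b21fcfcf6ab064040ba5, and a comment such as `# upstream commit: c7801fabb1597c4d4b18b21fcfcf6ab064040ba5 (pull-request 235)` would make that traceable once the id is confirmed as the merged one. The raised `bind_version` floor is what ensures the patch's configure probe finds the new libdns symbols, so it is worth confirming that 32:9.16.23-19 is a build that carries them. %prep is outside the hunks, so whether Patch4 is actually applied cannot be seen from here.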