diff --git a/bind-9.20-CVE-2025-8677-dual-signing-test.patch b/bind-9.20-CVE-2025-8677-dual-signing-test.patch new file mode 100644 index 0000000..19740a2 --- /dev/null +++ b/bind-9.20-CVE-2025-8677-dual-signing-test.patch @@ -0,0 +1,172 @@ +From 1cbe670c421ca866fe8cbde661801e89e254a46d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Sat, 1 Nov 2025 12:00:59 +0100 +Subject: [PATCH] Add a system test with one good and one bad algorithm + +The case where there would be one supported algorithm and one already +unsupported (like RSAMD5 or RSASHA1) was missing. + +(cherry picked from commit 3aa6f585e0466700e5d4b64fffccf883bb1c21dd) +--- + bin/tests/system/dnssec/ns2/example.db.in | 4 +++ + bin/tests/system/dnssec/ns2/sign.sh | 3 ++- + bin/tests/system/dnssec/ns3/named.conf.in | 6 +++++ + bin/tests/system/dnssec/ns3/sign.sh | 31 ++++++++++++++++++++++ + bin/tests/system/dnssec/ns3/template.db.in | 27 +++++++++++++++++++ + bin/tests/system/dnssec/tests.sh | 11 ++++++++ + bin/tests/system/dnssec/tests_sh_dnssec.py | 1 + + 7 files changed, 82 insertions(+), 1 deletion(-) + create mode 100644 bin/tests/system/dnssec/ns3/template.db.in + +diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in +index f711f5823f..63d41e5e00 100644 +--- a/bin/tests/system/dnssec/ns2/example.db.in ++++ b/bin/tests/system/dnssec/ns2/example.db.in +@@ -168,4 +168,8 @@ ns.managed-future A 10.53.0.3 + revkey NS ns.revkey + ns.revkey A 10.53.0.3 + ++; A secure subdomain with extra bad key ++extrabadkey NS ns3.extrabadkey ++ns3.extrabadkey A 10.53.0.3 ++ + dname-at-apex-nsec3 NS ns3 +diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh +index b60e82a631..eb008067a4 100644 +--- a/bin/tests/system/dnssec/ns2/sign.sh ++++ b/bin/tests/system/dnssec/ns2/sign.sh +@@ -62,7 +62,8 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \ + ttlpatch split-dnssec split-smart expired expiring upper lower \ + dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ + dnskey-nsec3-unknown managed-future revkey \ +- dname-at-apex-nsec3 occluded; do ++ dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \ ++ extrabadkey; do + cp "../ns3/dsset-$subdomain.example." . + done + +diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in +index 680cff58d5..3536046319 100644 +--- a/bin/tests/system/dnssec/ns3/named.conf.in ++++ b/bin/tests/system/dnssec/ns3/named.conf.in +@@ -84,6 +84,12 @@ zone "insecure2.example" { + allow-update { any; }; + }; + ++zone "extrabadkey.example" { ++ type primary; ++ file "extrabadkey.example.db.signed"; ++ allow-update { any; }; ++}; ++ + zone "insecure.nsec3.example" { + type primary; + file "insecure.nsec3.example.db"; +diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh +index 14fc709bfb..743a0e4121 100644 +--- a/bin/tests/system/dnssec/ns3/sign.sh ++++ b/bin/tests/system/dnssec/ns3/sign.sh +@@ -673,3 +673,34 @@ $DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}." + cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ + "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile" + "$SIGNER" -P -o "$zone" "$zonefile" >/dev/null ++ ++# ++# ++# ++zone=extrabadkey.example. ++infile=template.db.in ++zonefile=extrabadkey.example.db ++ ++# Add KSK and ZSK that we will mangle to RSAMD5 ++ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") ++zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") ++cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" ++"$SIGNER" -g -O full -o "$zone" "$zonefile" >/dev/null 2>&1 ++ ++# Mangle the signatures to RSAMD5 and save them for future use ++sed -ne "s/\(IN[[:space:]]*RRSIG[[:space:]]*[A-Z]*\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /p" < "$zonefile.signed" > "$zonefile.signed.rsamd5" ++ ++# Now add normal KSK and ZSK to the zone file ++ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") ++zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") ++cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" ++ ++# Mangle the DNSKEY algorithm numbers and add them to the signed zone file ++cat "$ksk.key" "$zsk.key" | sed -e "s/\(IN[[:space:]]*DNSKEY[[:space:]]*[0-9]* 3\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /" >> "$zonefile" ++ ++# Sign normally ++"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 ++ ++# Add the mangled signatures to signed zone file ++cat "$zonefile.signed.rsamd5" >> "$zonefile.signed" ++rm "$zonefile.signed.rsamd5" +diff --git a/bin/tests/system/dnssec/ns3/template.db.in b/bin/tests/system/dnssec/ns3/template.db.in +new file mode 100644 +index 0000000000..f603e448ff +--- /dev/null ++++ b/bin/tests/system/dnssec/ns3/template.db.in +@@ -0,0 +1,27 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA mname1. . ( ++ 2000042407 ; serial ++ 20 ; refresh (20 seconds) ++ 20 ; retry (20 seconds) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns3 ++ns3 A 10.53.0.3 ++ ++a A 10.0.0.1 ++a.b A 10.0.0.1 ++b A 10.0.0.2 ++d A 10.0.0.4 ++z A 10.0.0.26 +diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh +index b58b11a5c7..d3690eee6b 100644 +--- a/bin/tests/system/dnssec/tests.sh ++++ b/bin/tests/system/dnssec/tests.sh +@@ -4497,5 +4497,16 @@ n=$((n + 1)) + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + ++echo_i "checking extra-bad-algorithm positive validation ($n)" ++ret=0 ++dig_with_opts +noauth a.extrabadkey.example. @10.53.0.3 A >dig.out.ns3.test$n || ret=1 ++dig_with_opts +noauth a.extrabadkey.example. @10.53.0.4 A >dig.out.ns4.test$n || ret=1 ++digcomp --lc dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 ++grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 ++grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 ++n=$((n + 1)) ++test "$ret" -eq 0 || echo_i "failed" ++status=$((status + ret)) ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py +index 529a4a0e10..f731ea2ab4 100644 +--- a/bin/tests/system/dnssec/tests_sh_dnssec.py ++++ b/bin/tests/system/dnssec/tests_sh_dnssec.py +@@ -92,6 +92,7 @@ pytestmark = pytest.mark.extra_artifacts( + "ns3/example.bk", + "ns3/expired.example.db", + "ns3/expiring.example.db", ++ "ns3/extrabadkey.example.db", + "ns3/future.example.db", + "ns3/keyless.example.db", + "ns3/kskonly.example.db", +-- +2.51.1 + diff --git a/bind.spec b/bind.spec index f718aa6..8d70902 100644 --- a/bind.spec +++ b/bind.spec @@ -154,6 +154,8 @@ Patch224: bind-9.18-CVE-2025-40778.patch Patch225: bind-9.18-CVE-2025-40780.patch # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11194 Patch226: bind-9.20-CVE-2025-8677-dual-signing.patch +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11195 +Patch227: bind-9.20-CVE-2025-8677-dual-signing-test.patch %{?systemd_ordering} # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers