diff --git a/bind-9.18-query-fname-relative.patch b/bind-9.18-query-fname-relative.patch new file mode 100644 index 0000000..219721a --- /dev/null +++ b/bind-9.18-query-fname-relative.patch @@ -0,0 +1,90 @@ +From 5bc7cd7a7b9c37e5c70ccf74c5485a02411aaef5 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 25 Apr 2025 02:00:00 +0200 +Subject: [PATCH] Insert additional checks ensuring name is not relative + +Mitigation for crashes put in various places, where obviously relative +uninitialized name must not appear. This seems unnecessary once true +cause were identified, but may prevent similar places. +--- + lib/ns/query.c | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/lib/ns/query.c b/lib/ns/query.c +index 11d2520..7e8a4d2 100644 +--- a/lib/ns/query.c ++++ b/lib/ns/query.c +@@ -2203,6 +2203,20 @@ regular: + CTRACE(ISC_LOG_DEBUG(3), "query_additional: done"); + } + ++static void ++log_query_relative(query_ctx_t *qctx, const char *func, const dns_name_t *name) { ++ if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) { ++ char namebuf[DNS_NAME_FORMATSIZE] = "!"; ++ dns_name_format(name, namebuf, sizeof(namebuf)); ++ ns_client_log( ++ qctx->client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, ++ ISC_LOG_DEBUG(1), ++ "%s: fname=%s leading to relative name, aborting query.", ++ func, namebuf ++ ); ++ } ++} ++ + static void + query_addrrset(query_ctx_t *qctx, dns_name_t **namep, + dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp, +@@ -2275,6 +2289,11 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep, + client->query.attributes &= ~NS_QUERYATTR_SECURE; + } + ++ if (!qctx->is_zone && mname && !dns_name_isabsolute(mname)) { ++ log_query_relative(qctx, "query_addrrset", mname); ++ QUERY_ERROR(qctx, DNS_R_SERVFAIL); ++ return; ++ } + /* + * Update message name, set rdataset order, and do additional + * section processing if needed. +@@ -8074,6 +8093,11 @@ query_respond_any(query_ctx_t *qctx) { + : qctx->tname; + query_prefetch(qctx->client, name, + qctx->rdataset); ++ if (name && !dns_name_isabsolute(name)) { ++ log_query_relative(qctx, "query_respond_any", name); ++ result = DNS_R_DROP; ++ break; ++ } + } + + /* +@@ -10696,6 +10720,11 @@ query_cname(query_ctx_t *qctx) { + + if (!qctx->is_zone && RECURSIONOK(qctx->client)) { + query_prefetch(qctx->client, qctx->fname, qctx->rdataset); ++ if (qctx->fname && !dns_name_isabsolute(qctx->fname)) { ++ log_query_relative(qctx, "query_cname", qctx->fname); ++ QUERY_ERROR(qctx, DNS_R_SERVFAIL); ++ return (ns_query_done(qctx)); ++ } + } + + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, +@@ -10801,7 +10830,13 @@ query_dname(query_ctx_t *qctx) { + + if (!qctx->is_zone && RECURSIONOK(qctx->client)) { + query_prefetch(qctx->client, qctx->fname, qctx->rdataset); ++ if (qctx->fname && !dns_name_isabsolute(qctx->fname)) { ++ log_query_relative(qctx, "query_dname", qctx->fname); ++ QUERY_ERROR(qctx, DNS_R_SERVFAIL); ++ return (ns_query_done(qctx)); ++ } + } ++ + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, + qctx->dbuf, DNS_SECTION_ANSWER); + +-- +2.49.0 + diff --git a/bind.spec b/bind.spec index 4fbc509..b5daf6b 100644 --- a/bind.spec +++ b/bind.spec @@ -183,6 +183,8 @@ Patch216: bind-9.18-CVE-2024-11187.patch # https://gitlab.isc.org/isc-projects/bind9/-/issues/5357 # downstream patch fixing bind-dyndb-ldap causing issue Patch217: bind-9.21-resume-qmin-cname.patch +# downstream only, extra check for above change, RHEL-30407 +Patch218: bind-9.18-query-fname-relative.patch %{?systemd_ordering} Requires: coreutils @@ -1229,6 +1231,7 @@ fi; %changelog * Tue Jun 10 2025 Petr Menšík - 32:9.18.23-29 - Prevent name.c:670 attributes assertion failed (RHEL-30407) +- Add extra checks for relative names * Sat Feb 15 2025 Petr Menšík - 32:9.16.23-28 - Fix test backport changes