test failure conditions
verify that updates are refused when the client is disallowed by allow-query, and update forwarding is refused when the client is disallowed by update-forwarding. verify that "too many DNS UPDATEs" appears in the log file when too many simultaneous updates are processing. Related: CVE-2022-3094
parent
1d416c2d77
commit
25cbffd195
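--- a/bind-9.16-CVE-2022-3094-test.patch
+++ b/bind-9.16-CVE-2022-3094-test.patch
@@ -0,0 +1,266 @@
+From 3d84c651f823cb90b73fd736d32ad6de57b11610 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Wed, 9 Nov 2022 21:56:16 -0800
+Subject: [PATCH] test failure conditions
+
+verify that updates are refused when the client is disallowed by
+allow-query, and update forwarding is refused when the client is
+is disallowed by update-forwarding.
+
+verify that "too many DNS UPDATEs" appears in the log file when too
+many simultaneous updates are processing.
+
+(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
+---
+bin/tests/system/nsupdate/ns1/named.conf.in | 2 +
+bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++
+bin/tests/system/upforwd/clean.sh | 2 +
+.../ns3/{named.conf.in => named1.conf.in} | 7 +++-
+bin/tests/system/upforwd/ns3/named2.conf.in | 41 +++++++++++++++++++
+bin/tests/system/upforwd/setup.sh | 2 +-
+bin/tests/system/upforwd/tests.sh | 40 ++++++++++++++++++
+7 files changed, 120 insertions(+), 2 deletions(-)
+rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (85%)
+create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
+
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index cb80269..228ad6a 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -20,6 +20,7 @@ options {
+listen-on-v6 { none; };
+recursion no;
+notify yes;
++ update-quota 1;
+};
+
+key rndc_key {
+@@ -76,6 +77,7 @@ zone "other.nil" {
+check-integrity no;
+check-mx warn;
+update-policy local;
++ allow-query { !10.53.0.2; any; };
+allow-query-on { 10.53.0.1; 127.0.0.1; };
+allow-transfer { any; };
+};
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index f8994ff..4cabf8d 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -1069,6 +1069,34 @@ END
+grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
++n=$((n + 1))
++ret=0
++echo_i "check that update is rejected if query is not allowed ($n)"
++{
++ $NSUPDATE -d <<END
++ local 10.53.0.2
++ server 10.53.0.1 ${PORT}
++ update add reject.other.nil 3600 IN TXT Whatever
++ send
++END
++} > nsupdate.out.test$n 2>&1
++grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
++n=$((n + 1))
++ret=0
++echo_i "check that update is rejected if quota is exceeded ($n)"
++for loop in 1 2 3 4 5 6 7 8 9 10; do
++{
++ $NSUPDATE -l -p ${PORT} -k ns1/session.key > nsupdate.out.test$n-${loop} 2>&1 <<END
++ update add txt-$loop.other.nil 3600 IN TXT Whatever
++ send
++END
++} &
++done
++wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+if $FEATURETEST --gssapi ; then
+n=`expr $n + 1`
+ret=0
+diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
+index 15cf423..832c727 100644
+--- a/bin/tests/system/upforwd/clean.sh
++++ b/bin/tests/system/upforwd/clean.sh
+@@ -24,3 +24,5 @@ rm -f Ksig0.example2.*
+rm -f keyname
+rm -f ns*/named.lock
+rm -f ns1/example2.db
++rm -f nsupdate.out.*
++rm -f ns*/named.run.prev
+diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
+similarity index 85%
+rename from bin/tests/system/upforwd/ns3/named.conf.in
+rename to bin/tests/system/upforwd/ns3/named1.conf.in
+index e81cd1a..83a490f 100644
+--- a/bin/tests/system/upforwd/ns3/named.conf.in
++++ b/bin/tests/system/upforwd/ns3/named1.conf.in
+@@ -22,10 +22,15 @@ options {
+notify yes;
+};
+
++include "../../common/rndc.key";
++controls {
++ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
+zone "example" {
+type slave;
+file "example.bk";
+- allow-update-forwarding { any; };
++ allow-update-forwarding { 10.53.0.1; };
+masters { 10.53.0.1; };
+};
+
+diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
+new file mode 100644
+index 0000000..992cd69
+--- /dev/null
++++ b/bin/tests/system/upforwd/ns3/named2.conf.in
+@@ -0,0 +1,41 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.3;
++ notify-source 10.53.0.3;
++ transfer-source 10.53.0.3;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.3; };
++ listen-on-v6 { none; };
++ recursion no;
++ notify yes;
++ update-quota 1;
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++zone "example" {
++ type slave;
++ file "example.bk";
++ allow-update-forwarding { any; };
++ masters { 10.53.0.1; };
++};
+diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
+index 74c7ba3..928902b 100644
+--- a/bin/tests/system/upforwd/setup.sh
++++ b/bin/tests/system/upforwd/setup.sh
+@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+-copy_setports ns3/named.conf.in ns3/named.conf
++copy_setports ns3/named1.conf.in ns3/named.conf
+
+#
+# SIG(0) required cryptographic support which may not be configured.
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index f4c3216..ebc9ded 100644
+--- a/bin/tests/system/upforwd/tests.sh
++++ b/bin/tests/system/upforwd/tests.sh
+@@ -17,6 +17,7 @@ SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
++RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+n=1
+@@ -69,6 +70,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+echo_i "updating zone (signed) ($n)"
+ret=0
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
++local 10.53.0.1
+server 10.53.0.3 ${PORT}
+update add updated.example. 600 A 10.10.10.1
+update add updated.example. 600 TXT Foo
+@@ -116,6 +118,7 @@ n=`expr $n + 1`
+echo_i "updating zone (unsigned) ($n)"
+ret=0
+$NSUPDATE -- - <<EOF || ret=1
++local 10.53.0.1
+server 10.53.0.3 ${PORT}
+update add unsigned.example. 600 A 10.10.10.1
+update add unsigned.example. 600 TXT Foo
+@@ -161,6 +164,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
+do
+(
+$NSUPDATE -- - <<EOF
++local 10.53.0.1
+server 10.53.0.3 ${PORT}
+zone nomaster
+update add unsigned.nomaster. 600 A 10.10.10.1
+@@ -181,6 +185,7 @@ then
+ret=0
+keyname=`cat keyname`
+$NSUPDATE -k $keyname.private -- - <<EOF
++ local 10.53.0.1
+server 10.53.0.3 ${PORT}
+zone example2
+update add unsigned.example2. 600 A 10.10.10.1
+@@ -194,5 +199,40 @@ EOF
+n=`expr $n + 1`
+fi
+
++echo_i "attempting an update that should be rejected by ACL ($n)"
++ret=0
++{
++ $NSUPDATE -- - << EOF
++ local 10.53.0.2
++ server 10.53.0.3 ${PORT}
++ update add another.unsigned.example. 600 A 10.10.10.2
++ update add another.unsigned.example. 600 TXT Bar
++ send
++EOF
++} > nsupdate.out.$n 2>&1
++grep REFUSED nsupdate.out.$n > /dev/null || ret=1
++if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
++n=`expr $n + 1`
++
++n=$((n + 1))
++ret=0
++echo_i "attempting updates that should exceed quota ($n)"
++# lower the update quota to 1.
++copy_setports ns3/named2.conf.in ns3/named.conf
++$RNDCCMD 10.53.0.3 reconfig
++nextpart ns3/named.run > /dev/null
++for loop in 1 2 3 4 5 6 7 8 9 10; do
++{
++ $NSUPDATE -- - > /dev/null 2>&1 <<END
++ local 10.53.0.1
++ server 10.53.0.3 ${PORT}
++ update add txt-$loop.unsigned.example 300 IN TXT Whatever
++ send
++END
++} &
++done
++wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
+--
+2.39.2
+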
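Review bot: Both quota checks (the `for loop in 1 2 3 4 5 6 7 8 9 10` blocks added to nsupdate/tests.sh and upforwd/tests.sh) start ten background `$NSUPDATE` jobs with `} &` and never reap them, so leftover clients may still be sending updates while the GSSAPI tests that follow run, or after the script has printed its exit status; add a `wait` after each `wait_for_log 10 "too many DNS UPDATEs queued" … || ret=1` line. In upforwd/tests.sh the result of `$RNDCCMD 10.53.0.3 reconfig` is ignored, so a failed switch to the `update-quota 1` configuration shows up only as a missing log line; `$RNDCCMD 10.53.0.3 reconfig || ret=1` would report it directly. ns3/named2.conf.in also hard-codes `secret "1234abcd8765";` where named1.conf.in uses `include "../../common/rndc.key";`, and using the include in both would keep the control-channel key in one place.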
@ -171,6 +171,7 @@ Patch192: bind-9.11-rh2133889.patch
|
|||||||
Patch193: bind-9.16-CVE-2022-3094-1.patch
|
Patch193: bind-9.16-CVE-2022-3094-1.patch
|
||||||
Patch194: bind-9.16-CVE-2022-3094-2.patch
|
Patch194: bind-9.16-CVE-2022-3094-2.patch
|
||||||
Patch195: bind-9.16-CVE-2022-3094-3.patch
|
Patch195: bind-9.16-CVE-2022-3094-3.patch
|
||||||
|
Patch196: bind-9.16-CVE-2022-3094-test.patch
|
||||||
|
|
||||||
# SDB patches
|
# SDB patches
|
||||||
Patch11: bind-9.3.2b2-sdbsrc.patch
|
Patch11: bind-9.3.2b2-sdbsrc.patch
|
||||||
@ -576,6 +577,7 @@ are used for building ISC DHCP.
|
|||||||
%patch193 -p1 -b .CVE-2022-3094
|
%patch193 -p1 -b .CVE-2022-3094
|
||||||
%patch194 -p1 -b .CVE-2022-3094
|
%patch194 -p1 -b .CVE-2022-3094
|
||||||
%patch195 -p1 -b .CVE-2022-3094
|
%patch195 -p1 -b .CVE-2022-3094
|
||||||
|
%patch196 -p1 -b .CVE-2022-3094-test
|
||||||
|
|
||||||
|
|
||||||
mkdir lib/dns/tests/testdata/dstrandom
|
mkdir lib/dns/tests/testdata/dstrandom
|
||||||
@ -1631,6 +1633,7 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||||||
%changelog
|
%changelog
|
||||||
* Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-9
|
* Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-9
|
||||||
- Prevent flooding with UPDATE requests (CVE-2022-3094)
|
- Prevent flooding with UPDATE requests (CVE-2022-3094)
|
||||||
|
- include upstream test for that change
|
||||||
|
|
||||||
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-8
|
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-8
|
||||||
- Correct regression preventing bind-dyndb-ldap build (#2133889)
|
- Correct regression preventing bind-dyndb-ldap build (#2133889)
|
||||||
|