Handle RRSIG queries when server-stale is active
6066. [security] Handle RRSIG lookups when serve-stale is active. (CVE-2022-3736) [GL #3622] Resolves: CVE-2022-3736
This commit is contained in:
Petr Menšík
parent
495baa1377
commit
288db36de7
53
bind-9.16-CVE-2022-3736.patch
Normal file
53
bind-9.16-CVE-2022-3736.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From 1b6590eafce064cbf70f5afc2fe4d6f1bfdc3804 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Thu, 27 Oct 2022 13:22:11 +1100
|
||||
Subject: [PATCH] Move the mapping of SIG and RRSIG to ANY
|
||||
|
||||
dns_db_findext() asserts if RRSIG is passed to it and
|
||||
query_lookup_stale() failed to map RRSIG to ANY to prevent this. To
|
||||
avoid cases like this in the future, move the mapping of SIG and RRSIG
|
||||
to ANY for qctx->type to qctx_init().
|
||||
|
||||
(cherry picked from commit 56eae064183488bcf7ff08c3edf59f2e1742c1b6)
|
||||
---
|
||||
lib/ns/query.c | 17 +++++++++--------
|
||||
1 file changed, 9 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||
index a450cb7..f66bab4 100644
|
||||
--- a/lib/ns/query.c
|
||||
+++ b/lib/ns/query.c
|
||||
@@ -5103,6 +5103,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
|
||||
qctx->result = ISC_R_SUCCESS;
|
||||
qctx->findcoveringnsec = qctx->view->synthfromdnssec;
|
||||
|
||||
+ /*
|
||||
+ * If it's an RRSIG or SIG query, we'll iterate the node.
|
||||
+ */
|
||||
+ if (qctx->qtype == dns_rdatatype_rrsig ||
|
||||
+ qctx->qtype == dns_rdatatype_sig)
|
||||
+ {
|
||||
+ qctx->type = dns_rdatatype_any;
|
||||
+ }
|
||||
+
|
||||
CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
|
||||
}
|
||||
|
||||
@@ -5243,14 +5252,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
|
||||
|
||||
CALL_HOOK(NS_QUERY_SETUP, &qctx);
|
||||
|
||||
- /*
|
||||
- * If it's a SIG query, we'll iterate the node.
|
||||
- */
|
||||
- if (qctx.qtype == dns_rdatatype_rrsig ||
|
||||
- qctx.qtype == dns_rdatatype_sig) {
|
||||
- qctx.type = dns_rdatatype_any;
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* Check SERVFAIL cache
|
||||
*/
|
||||
--
|
||||
2.39.1
|
||||
|
||||
@ -120,6 +120,8 @@ Patch182: bind-9.16-CVE-2022-3094-1.patch
|
||||
Patch183: bind-9.16-CVE-2022-3094-2.patch
|
||||
Patch184: bind-9.16-CVE-2022-3094-3.patch
|
||||
Patch185: bind-9.16-CVE-2022-3094-test.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/ea79385990c564eb478c286c089ea7ed15520690
|
||||
Patch186: bind-9.16-CVE-2022-3736.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
Requires: coreutils
|
||||
@ -433,6 +435,7 @@ in HTML and PDF format.
|
||||
%patch183 -p1 -b .CVE-2022-3094
|
||||
%patch184 -p1 -b .CVE-2022-3094
|
||||
%patch185 -p1 -b .CVE-2022-3094-test
|
||||
%patch186 -p1 -b .CVE-2022-3736
|
||||
|
||||
%if %{with PKCS11}
|
||||
%patch135 -p1 -b .config-pkcs11
|
||||
@ -1158,6 +1161,7 @@ fi;
|
||||
%changelog
|
||||
* Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-9
|
||||
- Prevent flooding with UPDATE requests (CVE-2022-3094)
|
||||
- Handle RRSIG queries when server-stale is active (CVE-2022-3736)
|
||||
|
||||
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-8
|
||||
- Correct regression preventing bind-dyndb-ldap build (#2162795)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user