From 288db36de773a44c5e3f4168d139f290834a0366 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 9 Feb 2023 17:19:54 +0100
Subject: [PATCH] Handle RRSIG queries when server-stale is active 6066. [security] Handle RRSIG lookups when serve-stale is active. (CVE-2022-3736) [GL #3622] Resolves: CVE-2022-3736
---
 bind-9.16-CVE-2022-3736.patch | 53 +++++++++++++++++++++++++++++++++++
 bind.spec | 4 +++
 2 files changed, 57 insertions(+)
 create mode 100644 bind-9.16-CVE-2022-3736.patch
diff --git a/bind-9.16-CVE-2022-3736.patch b/bind-9.16-CVE-2022-3736.patch
new file mode 100644
index 0000000..606c22f
--- /dev/null
+++ b/bind-9.16-CVE-2022-3736.patch
@@ -0,0 +1,53 @@
+From 1b6590eafce064cbf70f5afc2fe4d6f1bfdc3804 Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Thu, 27 Oct 2022 13:22:11 +1100
+Subject: [PATCH] Move the mapping of SIG and RRSIG to ANY
+
+dns_db_findext() asserts if RRSIG is passed to it and
+query_lookup_stale() failed to map RRSIG to ANY to prevent this. To
+avoid cases like this in the future, move the mapping of SIG and RRSIG
+to ANY for qctx->type to qctx_init().
+
+(cherry picked from commit 56eae064183488bcf7ff08c3edf59f2e1742c1b6)
+---
+ lib/ns/query.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index a450cb7..f66bab4 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -5103,6 +5103,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
+ qctx->result = ISC_R_SUCCESS;
+ qctx->findcoveringnsec = qctx->view->synthfromdnssec;
+
++ /*
++ * If it's an RRSIG or SIG query, we'll iterate the node.
++ */
++ if (qctx->qtype == dns_rdatatype_rrsig ||
++ qctx->qtype == dns_rdatatype_sig)
++ {
++ qctx->type = dns_rdatatype_any;
++ }
++
+ CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
+ }
+
+@@ -5243,14 +5252,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
+
+ CALL_HOOK(NS_QUERY_SETUP, &qctx);
+
+- /*
+- * If it's a SIG query, we'll iterate the node.
+- */
+- if (qctx.qtype == dns_rdatatype_rrsig ||
+- qctx.qtype == dns_rdatatype_sig) {
+- qctx.type = dns_rdatatype_any;
+- }
+-
+ /*
+ * Check SERVFAIL cache
+ */
+--
+2.39.1
+
diff --git a/bind.spec b/bind.spec
index bfded25..70893ac 100644
--- a/bind.spec
+++ b/bind.spec
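Review bot: The comment added to qctx_init() in the embedded lib/ns/query.c patch ("If it's an RRSIG or SIG query, we'll iterate the node.") does not record why the mapping has to happen at initialisation, which is the security-relevant part of this fix. Per the patch description, dns_db_findext() asserts when handed RRSIG and query_lookup_stale() reached it without the mapping, so I would word it as `/* Map SIG/RRSIG to ANY here: dns_db_findext() asserts on RRSIG, so every path that uses qctx->type must see the mapped value. */`. The new test reads qctx->qtype, whose assignment lies above the hunk and is not visible here, so it should be confirmed to precede this block. The mapping also now runs before the NS_QUERY_QCTX_INITIALIZED hook rather than after NS_QUERY_SETUP, so hook modules at either point will presumably see qctx->type already set to ANY; that ordering change deserves a sentence in the comment as well.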
@@ -120,6 +120,8 @@ Patch182: bind-9.16-CVE-2022-3094-1.patch
 Patch183: bind-9.16-CVE-2022-3094-2.patch
 Patch184: bind-9.16-CVE-2022-3094-3.patch
 Patch185: bind-9.16-CVE-2022-3094-test.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/ea79385990c564eb478c286c089ea7ed15520690
+Patch186: bind-9.16-CVE-2022-3736.patch
 %{?systemd_ordering}
 Requires: coreutils
@@ -433,6 +435,7 @@ in HTML and PDF format.
 %patch183 -p1 -b .CVE-2022-3094
 %patch184 -p1 -b .CVE-2022-3094
 %patch185 -p1 -b .CVE-2022-3094-test
+%patch186 -p1 -b .CVE-2022-3736
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1158,6 +1161,7 @@ fi;
 %changelog
 * Wed Feb 08 2023 Petr Menšík - 32:9.16.23-9
 - Prevent flooding with UPDATE requests (CVE-2022-3094)
+- Handle RRSIG queries when server-stale is active (CVE-2022-3736)
 * Thu Oct 13 2022 Petr Menšík - 32:9.16.23-8
 - Correct regression preventing bind-dyndb-ldap build (#2162795)
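Review bot: The provenance comment above Patch186 in the first bind.spec hunk links upstream commit ea79385990c564eb478c286c089ea7ed15520690, but that id appears nowhere in the patch file, whose header is 1b6590eafce064cbf70f5afc2fe4d6f1bfdc3804 and whose message says it was cherry-picked from 56eae064183488bcf7ff08c3edf59f2e1742c1b6. It may be a merge or branch commit, but as written the link cannot be checked against the patch contents. I would add a second comment line such as `# carries 1b6590eafce064cbf70f5afc2fe4d6f1bfdc3804 (cherry-picked from 56eae064183488bcf7ff08c3edf59f2e1742c1b6)`, or state what the linked commit is. Also, unlike CVE-2022-3094, which ships Patch185 as a separate test patch, this CVE adds no test patch and the embedded patch touches only lib/ns/query.c, so nothing in the build exercises the fixed path.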