rpms/bind
6
0
Fork 1
Code Issues Pull Requests Releases Activity

Handle RRSIG queries when server-stale is active

Browse Source 
6066.	[security]	Handle RRSIG lookups when serve-stale is active.
			(CVE-2022-3736) [GL #3622]

Resolves: CVE-2022-3736
This commit is contained in:
Petr Menšík 2023-02-09 17:19:54 +01:00
parent 495baa1377
commit 288db36de7
2 changed files with 57 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
bind-9.16-CVE-2022-3736.patch Normal file
View File

@ -0,0 +1,53 @@
From 1b6590eafce064cbf70f5afc2fe4d6f1bfdc3804 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 27 Oct 2022 13:22:11 +1100
Subject: [PATCH] Move the mapping of SIG and RRSIG to ANY
dns_db_findext() asserts if RRSIG is passed to it and
query_lookup_stale() failed to map RRSIG to ANY to prevent this. To
avoid cases like this in the future, move the mapping of SIG and RRSIG
to ANY for qctx->type to qctx_init().
(cherry picked from commit 56eae064183488bcf7ff08c3edf59f2e1742c1b6)
---
lib/ns/query.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index a450cb7..f66bab4 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5103,6 +5103,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
qctx->result = ISC_R_SUCCESS;
qctx->findcoveringnsec = qctx->view->synthfromdnssec;
+ /*
+ * If it's an RRSIG or SIG query, we'll iterate the node.
+ */
+ if (qctx->qtype == dns_rdatatype_rrsig ||
+ qctx->qtype == dns_rdatatype_sig)
+ {
+ qctx->type = dns_rdatatype_any;
+ }
+
CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
}
@@ -5243,14 +5252,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
CALL_HOOK(NS_QUERY_SETUP, &qctx);
- /*
- * If it's a SIG query, we'll iterate the node.
- */
- if (qctx.qtype == dns_rdatatype_rrsig ||
- qctx.qtype == dns_rdatatype_sig) {
- qctx.type = dns_rdatatype_any;
- }
-
/*
* Check SERVFAIL cache
*/
--
2.39.1

4
bind.spec
View File

@ -120,6 +120,8 @@ Patch182: bind-9.16-CVE-2022-3094-1.patch
Patch183: bind-9.16-CVE-2022-3094-2.patch Patch183: bind-9.16-CVE-2022-3094-2.patch
Patch184: bind-9.16-CVE-2022-3094-3.patch Patch184: bind-9.16-CVE-2022-3094-3.patch
Patch185: bind-9.16-CVE-2022-3094-test.patch Patch185: bind-9.16-CVE-2022-3094-test.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/ea79385990c564eb478c286c089ea7ed15520690
Patch186: bind-9.16-CVE-2022-3736.patch
%{?systemd_ordering} %{?systemd_ordering}
Requires: coreutils Requires: coreutils
@ -433,6 +435,7 @@ in HTML and PDF format.
%patch183 -p1 -b .CVE-2022-3094 %patch183 -p1 -b .CVE-2022-3094
%patch184 -p1 -b .CVE-2022-3094 %patch184 -p1 -b .CVE-2022-3094
%patch185 -p1 -b .CVE-2022-3094-test %patch185 -p1 -b .CVE-2022-3094-test
%patch186 -p1 -b .CVE-2022-3736
%if %{with PKCS11} %if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11 %patch135 -p1 -b .config-pkcs11
@ -1158,6 +1161,7 @@ fi;
%changelog %changelog
* Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-9 * Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-9
- Prevent flooding with UPDATE requests (CVE-2022-3094) - Prevent flooding with UPDATE requests (CVE-2022-3094)
- Handle RRSIG queries when server-stale is active (CVE-2022-3736)
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-8 * Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-8
- Correct regression preventing bind-dyndb-ldap build (#2162795) - Correct regression preventing bind-dyndb-ldap build (#2162795)