Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/bind.git#d4a07bb1cc9a5065239e1dcf656d5de44d45b40e
2021-03-11 20:19:38 +00:00 · 2021-03-11 20:19:38 +00:00 · 432cf22759
commit 432cf22759
parent b4d56cd9f3
2 changed files with 67 additions and 6 deletions
--- a/bind-9.16-CVE-2020-8625.patch
+++ b/bind-9.16-CVE-2020-8625.patch
@ -0,0 +1,45 @@
+From b04cb88462863d762093760ffcfe1946200e30f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Thu, 7 Jan 2021 10:44:46 +0100
+Subject: [PATCH] Fix off-by-one bug in ISC SPNEGO implementation
+
+The ISC SPNEGO implementation is based on mod_auth_kerb code.  When
+CVE-2006-5989 was disclosed, the relevant fix was not applied to the
+BIND 9 codebase, making the latter vulnerable to the aforementioned flaw
+when "tkey-gssapi-keytab" or "tkey-gssapi-credential" is set in
+named.conf.
+
+The original description of CVE-2006-5989 was:
+
+    Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0
+    allows remote attackers to cause a denial of service (crash) via a
+    crafted Kerberos message that triggers a heap-based buffer overflow
+    in the component array.
+
+Later research revealed that this flaw also theoretically enables remote
+code execution, though achieving the latter in real-world conditions is
+currently deemed very difficult.
+
+This vulnerability was responsibly reported as ZDI-CAN-12302 ("ISC BIND
+TKEY Query Heap-based Buffer Overflow Remote Code Execution
+Vulnerability") by Trend Micro Zero Day Initiative.
+---
+ lib/dns/spnego.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
+index e61d1c600f..753dc8049f 100644
+--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
+@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
+ 		return (ASN1_OVERRUN);
+ 	}
+ 
+-	data->components = malloc(len * sizeof(*data->components));
+	data->components = malloc((len + 1) * sizeof(*data->components));
+ 	if (data->components == NULL) {
+ 		return (ENOMEM);
+ 	}
+-- 
+2.26.2
+
--- a/bind.spec
+++ b/bind.spec
@ -19,7 +19,8 @@
 # New MaxMind GeoLite support
 %bcond_without GEOIP2
 %if 0%{?fedora} >= 28
-%bcond_without UNITTEST
+# Disabled temporarily until kyua is fixed on rawhide, bug #1926779
+%bcond_with UNITTEST
 %bcond_without DNSTAP
 %bcond_without LMDB
 %bcond_without DOC
@ -66,7 +67,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.11
-Release:  2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -120,6 +121,8 @@ Patch170:bind-9.11-feature-test-named.patch
 Patch171:bind-9.11-tests-variants.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4582
 Patch172:bind-9.16-unit-tests-multicore.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/b04cb88462863d762093760ffcfe1946200e30f5
+Patch173:bind-9.16-CVE-2020-8625.patch

 Requires(post):   systemd
 Requires(preun):  systemd
@ -434,6 +437,7 @@ in HTML and PDF format.
 %patch170 -p1 -b .featuretest-named
 %patch171 -p1 -b .test-variant
 %patch172 -p1 -b .multicore
+%patch173 -p1 -b .CVE-2020-8625

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -598,15 +602,18 @@ export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"

 %if %{with UNITTEST}
  pushd build
-  ORIGFILES=$(ulimit -n)
-  ulimit -n 4096 # Requires on some machines with many cores
+  CPUS=$(lscpu -p=cpu,core | grep -v '^#' | wc -l)
+  if [ "$CPUS" -gt 16 ]; then
+    ORIGFILES=$(ulimit -n)
+    ulimit -n 4096 || : # Requires on some machines with many cores
+  fi
  make unit
  e=$?
  if [ "$e" -ne 0 ]; then
    echo "ERROR: this build of BIND failed 'make unit'. Aborting."
    exit $e;
  fi;
-  ulimit -n $ORIGFILES
+  [ "$CPUS" -gt 16 ] && ulimit -n $ORIGFILES || :
  popd
 ## End of UNITTEST
 %endif
@ -932,6 +939,7 @@ fi;
 %exclude %{_libdir}/named/dlz_*.so
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
 %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
+%config(noreplace) %{_sysconfdir}/logrotate.d/named
 %{_tmpfilesdir}/named.conf
 %{_sysconfdir}/rwtab.d/named
 %{_unitdir}/named.service
@ -978,7 +986,6 @@ fi;
 %ghost %config(noreplace) %{_sysconfdir}/rndc.conf
 # ^- The default rndc.conf which uses rndc.key is in named's default internal config -
 #    so rndc.conf is not necessary.
-%config(noreplace) %{_sysconfdir}/logrotate.d/named
 %defattr(-,named,named,-)
 %dir /run/named

@ -1161,6 +1168,15 @@ fi;
 %endif

 %changelog
+* Fri Feb 26 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-5
+- Make logrotate.d world-readable (#1917061)
+
+* Mon Feb 22 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-4
+- Fix off-by-one bug in ISC SPNEGO implementation (#1929965)
+
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 32:9.16.11-3
+- rebuild for libpq ABI fix rhbz#1908268
+
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.16.11-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild