diff --git a/.gitignore b/.gitignore
index 4c7e54a..9775b64 100644
--- a/.gitignore
+++ b/.gitignore
@@ -91,3 +91,4 @@ bind-9.7.2b1.tar.gz
 /config-19.tar.bz2
 /bind-9.11.5-P4.tar.gz
 /bind-9.11.6.tar.gz
+/bind-9.11.6-P1.tar.gz
diff --git a/bind-9.11-CVE-2018-5741-atomic.patch b/bind-9.11-CVE-2018-5741-atomic.patch
new file mode 100644
index 0000000..cfbded6
--- /dev/null
+++ b/bind-9.11-CVE-2018-5741-atomic.patch
@@ -0,0 +1,132 @@ +From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 17 Apr 2019 15:22:27 +0200 +Subject: [PATCH] Replace atomic operations in bin/named/client.c with + isc_refcount reference counting + +--- + bin/named/client.c | 18 +++++++----------- + bin/named/include/named/interfacemgr.h | 5 +++-- + bin/named/interfacemgr.c | 7 +++++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/bin/named/client.c b/bin/named/client.c +index 845326abc0..29fecadca8 100644 +--- a/bin/named/client.c ++++ b/bin/named/client.c +@@ -402,12 +402,10 @@ tcpconn_detach(ns_client_t *client) { + static void + mark_tcp_active(ns_client_t *client, bool active) { + if (active && !client->tcpactive) { +- isc_atomic_xadd(&client->interface->ntcpactive, 1); ++ isc_refcount_increment0(&client->interface->ntcpactive, NULL); + client->tcpactive = active; + } else if (!active && client->tcpactive) { +- uint32_t old = +- isc_atomic_xadd(&client->interface->ntcpactive, -1); +- INSIST(old > 0); ++ isc_refcount_decrement(&client->interface->ntcpactive, NULL); + client->tcpactive = active; + } + } +@@ -554,7 +552,7 @@ exit_check(ns_client_t *client) { + if (client->mortal && TCP_CLIENT(client) && + client->newstate != NS_CLIENTSTATE_FREED && + !ns_g_clienttest && +- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) ++ isc_refcount_current(&client->interface->ntcpaccepting) == 0) + { + /* Nobody else is accepting */ + client->mortal = false; +@@ -3328,7 +3326,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + isc_result_t result; + ns_client_t *client = event->ev_arg; + isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; +- uint32_t old; + + REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); + REQUIRE(NS_CLIENT_VALID(client)); +@@ -3348,8 +3345,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + INSIST(client->naccepts == 1); + client->naccepts--; + +- old = 
isc_atomic_xadd(&client->interface->ntcpaccepting, -1); +- INSIST(old > 0); ++ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL); + + /* + * We must take ownership of the new socket before the exit +@@ -3480,8 +3476,8 @@ client_accept(ns_client_t *client) { + * quota is tcp-clients plus the number of listening + * interfaces plus 1.) + */ +- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > +- (client->tcpactive ? 1 : 0)); ++ exit = (isc_refcount_current(&client->interface->ntcpactive) > ++ (client->tcpactive ? 1U : 0U)); + if (exit) { + client->newstate = NS_CLIENTSTATE_INACTIVE; + (void)exit_check(client); +@@ -3539,7 +3535,7 @@ client_accept(ns_client_t *client) { + * listening for connections itself to prevent the interface + * going dead. + */ +- isc_atomic_xadd(&client->interface->ntcpaccepting, 1); ++ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL); + } + + static void +diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h +index 3535ef22a8..6e10f210fd 100644 +--- a/bin/named/include/named/interfacemgr.h ++++ b/bin/named/include/named/interfacemgr.h +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + + #include + +@@ -75,11 +76,11 @@ struct ns_interface { + /*%< UDP dispatchers. */ + isc_socket_t * tcpsocket; /*%< TCP socket. 
*/ + isc_dscp_t dscp; /*%< "listen-on" DSCP value */ +- int32_t ntcpaccepting; /*%< Number of clients ++ isc_refcount_t ntcpaccepting; /*%< Number of clients + ready to accept new + TCP connections on this + interface */ +- int32_t ntcpactive; /*%< Number of clients ++ isc_refcount_t ntcpactive; /*%< Number of clients + servicing TCP queries + (whether accepting or + connected) */ +diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c +index d9f6df5802..135533be6b 100644 +--- a/bin/named/interfacemgr.c ++++ b/bin/named/interfacemgr.c +@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, + * connections will be handled in parallel even though there is + * only one client initially. + */ +- ifp->ntcpaccepting = 0; +- ifp->ntcpactive = 0; ++ isc_refcount_init(&ifp->ntcpaccepting, 0); ++ isc_refcount_init(&ifp->ntcpactive, 0); + + ifp->nudpdispatch = 0; + +@@ -618,6 +618,9 @@ ns_interface_destroy(ns_interface_t *ifp) { + + ns_interfacemgr_detach(&ifp->mgr); + ++ isc_refcount_destroy(&ifp->ntcpactive); ++ isc_refcount_destroy(&ifp->ntcpaccepting); ++ + ifp->magic = 0; + isc_mem_put(mctx, ifp, sizeof(*ifp)); + } +-- +2.18.1 + diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch index 1f40a16..c5725f7 100644 --- a/bind-9.11-rt46047.patch +++ b/bind-9.11-rt46047.patch @@ -1,4 +1,4 @@ -From 2b7a633f29c2ae8fe801f2a98541013837ebaeaa Mon Sep 17 00:00:00 2001 +From 55e649d82a1adc5209738fb8402624f03287ca87 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 28 Sep 2017 10:09:22 -0700 Subject: [PATCH] completed and corrected the crypto-random change 
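Review bot: The file name labels this patch as CVE-2018-5741, but the bind.spec changelog entry that introduces it reads `- Fix inefective limit of TCP clients (CVE-2018-5743)`, and the patch's own subject (replacing the `isc_atomic_xadd` calls on the `ntcpactive`/`ntcpaccepting` counters in bin/named/client.c with `isc_refcount` operations) matches the TCP-client-limit work rather than a separate advisory, so one of the two identifiers is wrong and it appears to be the file name. A security patch carried under the wrong CVE id is easy to miss when the package is audited against advisories, so I would rename it to `bind-9.11-CVE-2018-5743-atomic.patch` and update the `Patch175:` and `%patch175 -p1 -b .CVE-2018-5741-atomic` lines in the bind.spec hunks to match. Keeping the upstream origin (`From ef49780d30d3ddc5735cfc32561b678a634fa72f`) in the header is good; a one-line comment above `Patch175:` saying this is presumably a follow-up to the 9.11.6-P1 fix (the upstream subject suggests it, but the spec does not say so) would make the relationship explicit for the next maintainer.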
@@ -39,14 +39,14 @@ Subject: [PATCH] completed and corrected the crypto-random change bin/tests/system/tkey/keycreate.c | 4 +- bin/tests/system/tkey/keydelete.c | 4 +- doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++------- - doc/arm/notes.xml | 26 +++++++++++ + doc/arm/notes.xml | 31 +++++++++++++ lib/dns/dst_api.c | 4 +- lib/dns/include/dst/dst.h | 14 +++++- lib/dns/openssl_link.c | 3 +- lib/isc/include/isc/entropy.h | 50 +++++++++++++++------ lib/isc/include/isc/random.h | 28 +++++++----- lib/isccfg/namedconf.c | 2 +- - 22 files changed, 220 insertions(+), 107 deletions(-) + 22 files changed, 225 insertions(+), 107 deletions(-) diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 295e16f..0f79aa8 100644 @@ -140,10 +140,10 @@ index 31a99e7..38c83ed 100644 usekeyboard); diff --git a/bin/named/client.c b/bin/named/client.c -index d425df2..7ab3dec 100644 +index ce24670..0ce02a9 100644 --- a/bin/named/client.c +++ b/bin/named/client.c -@@ -1609,7 +1609,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, +@@ -1754,7 +1754,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, isc_buffer_init(&buf, cookie, sizeof(cookie)); isc_stdtime_get(&now); @@ -241,7 +241,7 @@ index f5ed2b7..b2c1d05 100644 struct ns_altsecret { diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c -index 419927b..d721f47 100644 +index d9f6df5..662eb6c 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c @@ -17,6 +17,7 @@ @@ -436,7 +436,7 @@ index 2146f9b..ac2c311 100644 } #endif diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index dd5365c..1a463b0 100644 +index bb79723..888959c 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5071,22 +5071,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] @@ -502,13 +502,15 @@ index dd5365c..1a463b0 100644 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index ad4b34c..2685b8e 100644 +index ba9a7cf..c0256f1 100644 --- a/doc/arm/notes.xml 
+++ b/doc/arm/notes.xml -@@ -229,6 +229,32 @@ - is used from the shell scripts. - - +@@ -117,6 +117,37 @@ + + + ++
Red Hat Specific Changes ++ + + + By default, BIND now uses the random number generation functions @@ -535,9 +537,12 @@ index ad4b34c..2685b8e 100644 + entropy source. [RT #31459] [RT #46047] + + - -
- ++ ++ ++ +
End of Life + + BIND 9.11 (Extended Support Version) will be supported until at diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index b55ebe0..d2b43d3 100644 --- a/lib/dns/dst_api.c diff --git a/bind-9.11.6-P1.tar.gz.asc b/bind-9.11.6-P1.tar.gz.asc new file mode 100644 index 0000000..53b9403 --- /dev/null +++ b/bind-9.11.6-P1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABAgAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlysrg0ACgkQF8xdsfAI +hAc4qQ/6A2odUTpjuaPQK/ziTD8UpJXyqFr5rZ+Qx3+wAA7XcFF6rviRwQ1dULu/ +AmQVhAWeXHa15ruFVFJZoovnRoKYUZLOtvTrcfJkHG0MwBivEpJ/rcOLlOWhAHeG +N6q5teyOrG1kCXNcS8uGHqzm+QfMA3xCUqCpYHWOtZ60I9T3O+8Y6Xyzb+oc6+CY +w1pXeq0doJa9tFnZpVvhCPTol4LPL8KkTLoMmpRA5dRMrVYH3f45fdixABn3HSFx +Ea/CiMeGvIfZI0X119Txufw2Yi8/NMicf/iZBEmvvHUG49/tFX2Vmj4sxUkL4gY/ +qqXEkD7oQsVEUj3X12ITyOqj6CtfiJcOgJIzTVas3vD4QR51nRSY+IGYuH7zQUSf +qVSCFKdLY2NlRwK6VSBVOxN5Ye31qwPEok6WgGgBy2+mWY+FvAm4Z4sIBeyX2QT/ +A0+42GuFErMne7Ppd9Pb+cCKhaIDC4i3vM/lA8kvMvhz+peqKux6MbD9Ab79hSuV +HCZzAzFPsuaHxP1m6wRWYgeGUZWA89uTbwGa5iiAmiXXqhHswzxBCgfKXyUjuObn +pH+XTeZ59qTgQZT3bdyj0QrmCM0JfvFEt2OkuBIDvAnoVcb0smyLrizYaZLo+0of +6OLW76WW2GSjzvfT4RlDP5B3ns3PdjrCKaKji3aIUD7G/oYr7zA= +=TsjB +-----END PGP SIGNATURE----- diff --git a/bind-9.11.6.tar.gz.asc b/bind-9.11.6.tar.gz.asc deleted file mode 100644 index 02ebf56..0000000 --- a/bind-9.11.6.tar.gz.asc +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Comment: GPGTools - http://gpgtools.org - -iQIzBAABAgAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlx4dTcACgkQF8xdsfAI -hAc9QA/9FaZaH6OxWxjxdU2VdTzZzrxIn5VcTnrSLzeKapBgfH22dmmJZBPHqkCE -uch+d4eWH3CwcVjDs5auW7o69q0KnUDObpg1aGXVjRnBHKyH88Ziny4sd1kMXcZz -lk3HW3Cl+WQBxrA3l+QUQrW+IYIUM36ZpkMxbvgZOwGj8H8rzUjeszDqY86JH/QF -7RekyZwQ/Mb21sJTNntYufOn1KnKm4WZ52jihLVEaNLzQQLRxPIajSOVo+77LPpI -SJWo+iH4vz+5jEQUhDQ1eivDaKxRj/LcrVHQLB9JgCM+ZiRvxZRwqs6mANfDnpke -Ohzwf9Lh255bfq3xNQLYwwDbUpQ8JoEQ91Qw6F1MQ/32uhiBlUnWd2Yua22oSlOg -IcjXYW9i23Zyuuf1GLIENNaXNnVgxM44mmxQh0/Okf7Npake4kxKGEGtPkAdbWUk -NSghxHu8/0h5rwth7Rox4mWvp1vjRMjOGAjqMr5eVjXvFnFSazkY47fmliZCTDFm -O3Otqib4Z35hvXOZJvTIP/IOfjo4g3zNVcfxQHNCpyRSKqBs1smWPc3VbwlOr/nI -g/BxY595ylLIW7Ln46/3mkqZJPQO5F8AqQ+YPr+6ts908qQbA+P8nXRrZ/tcxFaM -N+LbjmvgzCtbReoKhS17PdTDqu8p61LIDdrtxZP02Fr4fcIRRQk= -=uY61 ------END PGP SIGNATURE----- diff --git a/bind.spec b/bind.spec index 870da24..d80a7e0 100644 --- a/bind.spec +++ b/bind.spec @@ -2,7 +2,7 @@ # Red Hat BIND package .spec file # -#%%global PATCHVER P4 +%global PATCHVER P1 #%%global PREVER rc1 %global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}} @@ -53,7 +53,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.6 -Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -141,6 +141,7 @@ Patch171:bind-9.11-tests-variants.patch Patch172:bind-9.11-tests-pkcs11.patch Patch173: bind-9.11-unit-dnstap-pkcs11.patch Patch174: bind-9.11-unit-timer-nothread.patch +Patch175: bind-9.11-CVE-2018-5741-atomic.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch 
@@ -523,6 +524,7 @@ are used for building ISC DHCP. %patch172 -p1 -b .test-pkcs11 %patch173 -p1 -b .unit-dnstap %patch174 -p1 -b .unit-timer +%patch175 -p1 -b .CVE-2018-5741-atomic mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1517,6 +1519,9 @@ fi; %changelog +* Thu May 02 2019 Petr Menšík - 32:9.11.6-3.P1 +- Fix inefective limit of TCP clients (CVE-2018-5743) + * Thu Mar 14 2019 Petr Menšík - 32:9.11.6-2 - Fix dnstap and timer issues in unit test - Enable DLZ modules diff --git a/sources b/sources index cae8504..413be45 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.11.6.tar.gz) = 17a76ad4aafddeb86e330c4ca9b5fecb8df9e1109df4ff8d7a31d1da406f2597050d569460529b710f213360642842fcb9bdaa4eb79be10fcb093872fe75fdfd +SHA512 (bind-9.11.6-P1.tar.gz) = 419aeeddeab7aef818b9043db7b21a847993444f663dca04e58ee97a0ebee0610cbc5a9422d17a6f0ee5d44598a2cbb5651e3b4e8c56708eaf923dca0a5c4c03 SHA512 (config-19.tar.bz2) = 36aa38a0c7c33267ae594b31c81681290ac58dde7ca6749bd599da531380b5b1428330813dbe983e01071ccaed83e83f6a9cd92179a53b7d0ccbb6851a0b017c
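Review bot: The changelog headline added in the `@@ -1517,6 +1519,9 @@` hunk of bind.spec is misspelled: `- Fix inefective limit of TCP clients (CVE-2018-5743)` should read `- Fix ineffective limit of TCP clients (CVE-2018-5743)`. This line is what `rpm -q --changelog` shows and what people grep for when checking whether a build carries a given fix, so the wording is worth getting right before it is published.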