From 5bfe51e649a253180cff0d0ce0b9a57bb1b1e0e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 26 Feb 2024 20:12:36 +0100 Subject: [PATCH] Do not use header_prev in expire_lru_headers dns__cacherbt_expireheader can unlink / free header_prev underneath it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader instead to get the next pointer to be processed. (cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab) (cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63) This is related to CVE-2023-2828 fix change and fixes small part of it. ; Related: CVE-2023-4408 Related: RHEL-25691 --- bind-9.11-CVE-2023-2828-fixup.patch | 46 +++++++++++++++++++++++++++++ bind.spec | 4 +++ 2 files changed, 50 insertions(+) create mode 100644 bind-9.11-CVE-2023-2828-fixup.patch diff --git a/bind-9.11-CVE-2023-2828-fixup.patch b/bind-9.11-CVE-2023-2828-fixup.patch new file mode 100644 index 0000000..b1865ed --- /dev/null +++ b/bind-9.11-CVE-2023-2828-fixup.patch 
@@ -0,0 +1,46 @@
+From 6c26ede8edcb700caca12c501c6c129801989526 Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Fri, 23 Feb 2024 10:12:47 +1100
+Subject: [PATCH] Do not use header_prev in expire_lru_headers
+
+dns__cacherbt_expireheader can unlink / free header_prev underneath
+it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader
+instead to get the next pointer to be processed.
+
+(cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab)
+(cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63)
+---
+ lib/dns/rbtdb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index cc40eaec60..ee59c1b18b 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -10667,19 +10667,19 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ static size_t
+ expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
+ bool tree_locked) {
+- rdatasetheader_t *header, *header_prev;
++ rdatasetheader_t *header;
+ size_t purged = 0;
+
+ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+- header != NULL && purged <= purgesize; header = header_prev)
++ header != NULL && purged <= purgesize;
++ header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]))
+ {
+- header_prev = ISC_LIST_PREV(header, link);
+ /*
+ * Unlink the entry at this point to avoid checking it
+ * again even if it's currently used someone else and
+ * cannot be purged at this moment. This entry won't be
+ * referenced any more (so unlinking is safe) since the
+- * TTL was reset to 0.
++ * TTL will be reset to 0.
+ */
+ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
+ size_t header_size = rdataset_size(header);
+--
+2.43.2
+
diff --git a/bind.spec b/bind.spec
index 03bf065..e8d080a 100644
--- a/bind.spec
+++ b/bind.spec
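Review bot: The rewritten `for` header in expire_lru_headers (embedded patch to lib/dns/rbtdb.c) has no comment saying why the tail is re-read on every pass, so a later cleanup could reintroduce a cached `header_prev` and with it the dangling-pointer access this patch removes. I would add above the loop: `/* Re-read the list tail each pass: expiring a header may unlink or free its neighbours, so a saved ISC_LIST_PREV pointer can dangle. */`. The same comment should state that termination now relies on the `ISC_LIST_UNLINK` at the top of the body removing the current tail before anything else runs. The rest of the loop body, including the expire call named in the commit message, lies outside the hunk, so it could not be confirmed here that no path re-links `header` at the tail.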
@@ -183,6 +183,8 @@ Patch200: bind-9.16-update-b.root-servers.net.patch Patch201: bind-9.11-CVE-2023-4408.patch # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8769 Patch202: bind-9.11-CVE-2023-50387.patch +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8778 +Patch203: bind-9.11-CVE-2023-2828-fixup.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -595,6 +597,7 @@ are used for building ISC DHCP. %patch200 -p1 -b .b.root-servers.net %patch201 -p1 -b .CVE-2023-4408 %patch202 -p1 -b .CVE-2023-50387+50868 +%patch203 -p1 -b .CVE-2023-2828-fixup mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1650,6 +1653,7 @@ rm -rf ${RPM_BUILD_ROOT} * Mon Feb 26 2024 Petr Menšík - 32:9.11.36-14 - Speed up parsing of DNS messages with many different names (CVE-2023-4408) - Prevent increased CPU consumption in DNSSEC validator (CVE-2023-50387 CVE-2023-50868) +- Do not use header_prev in expire_lru_headers * Thu Dec 07 2023 Petr Menšík - 32:9.11.36-13 - Update addresses of b.root-servers.net (RHEL-18449)