From 5dc319b2a81242866ec3f0954f2435398efa6438 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 19 Feb 2024 12:35:59 +0100
Subject: [PATCH] Import tests for large DNS messages fix

Tests part of fixes of CVE-2023-4408.

Related: RHEL-25342 ; Related: CVE-2023-4408
---
 bind-9.16-CVE-2023-4408-test1.patch | 88 +++++++++++++++++++++++++++++
 bind-9.16-CVE-2023-4408-test2.patch | 75 ++++++++++++++++++++++++
 bind.spec | 11 +++-
 3 files changed, 173 insertions(+), 1 deletion(-)
 create mode 100644 bind-9.16-CVE-2023-4408-test1.patch
 create mode 100644 bind-9.16-CVE-2023-4408-test2.patch

diff --git a/bind-9.16-CVE-2023-4408-test1.patch b/bind-9.16-CVE-2023-4408-test1.patch
new file mode 100644
index 0000000..53c42bb
--- /dev/null
+++ b/bind-9.16-CVE-2023-4408-test1.patch
@@ -0,0 +1,88 @@
+From d258422d3e653621ce6340ba9af0153f8d4e8c07 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Sun, 11 Feb 2024 00:49:32 +0100
+Subject: [PATCH] Test case insensitive matching in isc_ht hash table
+ implementation
+
+The case insensitive matching in isc_ht was basically completely broken
+as only the hashvalue computation was case insensitive, but the key
+comparison was always case sensitive.
+
+Import only test part from upstream.
+
+(cherry picked from commit 175655b771fd17b06dfb8cfb29eaadf0f3b6a8b5)
+(cherry picked from upstream commit f493a8394102b0aeb101d5dc2f963004c8741175)
+---
+ lib/isc/tests/ht_test.c | 53 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/lib/isc/tests/ht_test.c b/lib/isc/tests/ht_test.c
+index 74d95c1..65502b5 100644
+--- a/lib/isc/tests/ht_test.c
++++ b/lib/isc/tests/ht_test.c
+@@ -334,9 +334,62 @@ isc_ht_iterator_test(void **state) {
+ test_ht_iterator();
+ }
+ 
++static void
++isc_ht_case(void **state) {
++ UNUSED(state);
++
++ isc_ht_t *ht = NULL;
++ void *f = NULL;
++ isc_result_t result = ISC_R_UNSET;
++
++ unsigned char lower[16] = { "test case" };
++ unsigned char same[16] = { "test case" };
++ unsigned char upper[16] = { "TEST CASE" };
++ unsigned char mixed[16] = { "tEsT CaSe" };
++
++ isc_ht_init(&ht, test_mctx, 8, ISC_HT_CASE_SENSITIVE);
++ assert_non_null(ht);
++
++ result = isc_ht_add(ht, lower, 16, (void *)lower);
++ assert_int_equal(result, ISC_R_SUCCESS);
++
++ result = isc_ht_add(ht, same, 16, (void *)same);
++ assert_int_equal(result, ISC_R_EXISTS);
++
++ result = isc_ht_add(ht, upper, 16, (void *)upper);
++ assert_int_equal(result, ISC_R_SUCCESS);
++
++ result = isc_ht_find(ht, mixed, 16, &f);
++ assert_int_equal(result, ISC_R_NOTFOUND);
++ assert_null(f);
++
++ isc_ht_destroy(&ht);
++ assert_null(ht);
++
++ isc_ht_init(&ht, test_mctx, 8, ISC_HT_CASE_INSENSITIVE);
++ assert_non_null(ht);
++
++ result = isc_ht_add(ht, lower, 16, (void *)lower);
++ assert_int_equal(result, ISC_R_SUCCESS);
++
++ result = isc_ht_add(ht, same, 16, (void *)same);
++ assert_int_equal(result, ISC_R_EXISTS);
++
++ result = isc_ht_add(ht, upper, 16, (void *)upper);
++ assert_int_equal(result, ISC_R_EXISTS);
++
++ result = isc_ht_find(ht, mixed, 16, &f);
++ assert_int_equal(result, ISC_R_SUCCESS);
++ assert_ptr_equal(f, &lower);
++
++ isc_ht_destroy(&ht);
++ assert_null(ht);
++}
++
+ int
+ main(void) {
+ const struct CMUnitTest tests[] = {
++ cmocka_unit_test(isc_ht_case),
+ cmocka_unit_test(isc_ht_20),
+ cmocka_unit_test(isc_ht_8),
+ cmocka_unit_test(isc_ht_1),
+-- 
+2.43.0
+
diff --git a/bind-9.16-CVE-2023-4408-test2.patch b/bind-9.16-CVE-2023-4408-test2.patch
new file mode 100644
index 0000000..2fdc9cc
--- /dev/null
+++ b/bind-9.16-CVE-2023-4408-test2.patch
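Review bot: isc_ht_case only exercises isc_ht_add and isc_ht_find, so the other key-comparison path, isc_ht_delete, stays uncovered even though the commit message says the key comparison (not the hashing) was the broken part; after the ISC_R_SUCCESS find in the ISC_HT_CASE_INSENSITIVE block, `assert_int_equal(isc_ht_delete(ht, mixed, 16), ISC_R_SUCCESS);` followed by `assert_int_equal(isc_ht_find(ht, lower, 16, &f), ISC_R_NOTFOUND);` would pin that a differently-cased key removes the entry (isc_ht_delete takes the same key/keysize arguments as isc_ht_find). A smaller nit: `assert_ptr_equal(f, &lower)` compares against the array's address rather than the value that was stored, `(void *)lower`; the pointer values coincide here, but `assert_ptr_equal(f, lower)` says what is meant. The four-argument isc_ht_init and the ISC_HT_CASE_* constants are presumably provided by the CVE-2023-4408 fix patch already applied by this spec, so the patch order in bind.spec must keep this test after it. The tests[] array in main continues past the hunk.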
@@ -0,0 +1,75 @@
+From aa1b0fc4b24d26233db30c85ae3609e54e9fa6d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Sun, 11 Feb 2024 09:13:43 +0100
+Subject: [PATCH] Add a system test for mixed-case data for the same owner
+
+We were missing a test where a single owner name would have multiple
+types with a different case. The generated RRSIGs and NSEC records will
+then have different case than the signed records and message parser have
+to cope with that and treat everything as the same owner.
+
+(cherry picked from commit a114042059ecbbc94ae0f604ca681323a75af480)
+(cherry picked from upstream commit b9c10a194da3358204f5ba7d91e55332db435614)
+---
+ bin/tests/system/dnssec/ns3/secure.example.db.in | 5 +++++
+ bin/tests/system/dnssec/ns3/sign.sh | 4 +++-
+ bin/tests/system/dnssec/tests.sh | 15 +++++++++++++++
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
+index 27f2b24..599566e 100644
+--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
++++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
+@@ -45,3 +45,8 @@ rrsigonly A 10.0.0.29
+ cnameandkey CNAME @
+ cnamenokey CNAME @
+ dnameandkey DNAME @
++
++mixedcase A 10.0.0.30
++mixedCASE TXT "mixed case"
++MIXEDcase AAAA 2002::
++mIxEdCaSe LOC 37 52 56.788 N 121 54 55.02 W 1120m 10m 100m 10m
+diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
+index 80d412e..d94f382 100644
+--- a/bin/tests/system/dnssec/ns3/sign.sh
++++ b/bin/tests/system/dnssec/ns3/sign.sh
+@@ -86,7 +86,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
+ 
+ cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
+ 
+-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
++"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null
++cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
++mv "$zonefile".tmp "$zonefile".signed
+ 
+ zone=bogus.example.
+ infile=bogus.example.db.in
+diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
+index fe95c8d..0c03970 100644
+--- a/bin/tests/system/dnssec/tests.sh
++++ b/bin/tests/system/dnssec/tests.sh
+@@ -762,6 +762,21 @@ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+ 
++echo_i "checking mixed-case positive validation ($n)"
++ret=0
++for type in a txt aaaa loc; do
++ dig_with_opts +noauth mixedcase.secure.example. \
++ @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1
++ dig_with_opts +noauth mixedcase.secure.example. \
++ @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1
++ digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1
++ grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1
++ grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1
++done
++n=$((n + 1))
++test "$ret" -eq 0 || echo_i "failed"
++status=$((status + ret))
++
+ echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
+ ret=0
+ dig_with_opts +noauth a.nsec3.example. \
+-- 
+2.43.0
+
diff --git a/bind.spec b/bind.spec
index 7ba05e5..c23f107 100644
--- a/bind.spec
+++ b/bind.spec
@@ -51,7 +51,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 16%{?dist}
+Release: 17%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -140,6 +140,10 @@ Patch195: bind-9.16-CVE-2023-5517.patch
 Patch196: bind-9.16-CVE-2023-5679.patch
 Patch197: bind-9.16-CVE-2023-6516.patch
 Patch198: bind-9.16-CVE-2023-50387.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/f493a8394102b0aeb101d5dc2f963004c8741175
+Patch199: bind-9.16-CVE-2023-4408-test1.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/b9c10a194da3358204f5ba7d91e55332db435614
+Patch200: bind-9.16-CVE-2023-4408-test2.patch
 
 %{?systemd_ordering}
 Requires: coreutils
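Review bot: The new tests.sh loop queries only types that exist at mixedcase.secure.example, so the NSEC side named in the commit message — the NSEC owner carrying different case than the signed data — is never pushed through a validated negative answer; if no other check covers it, adding a type absent at that owner, `for type in a txt aaaa loc mx; do`, yields a NODATA response that still satisfies the `status: NOERROR` and `ad` greps on ns4 once the NSEC proof validates. In sign.sh the signer's exit status is not checked before the `cat`/`mv` pair, so a failed dnssec-signzone would (unless the script runs under `set -e`, which the hunk does not show) leave a `.signed` file assembled from stale or missing RRSIGs and surface only later as a validation failure; a `|| exit 1` guard on the `"$SIGNER"` line would fail it at the source. The added `n=$((n + 1))` and `status=$((status + ret))` are spaced differently from the surrounding `n=$((n+1))`/`status=$((status+ret))` context, presumably formatter output from the newer upstream tree, and could be matched to the local style.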
@@ -466,6 +470,8 @@ in HTML and PDF format.
 %patch196 -p1 -b .CVE-2023-5679
 %patch197 -p1 -b .CVE-2023-6516
 %patch198 -p1 -b .CVE-2023-50387
+%patch199 -p1
+%patch200 -p1
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1189,6 +1195,9 @@ fi;
 %endif
 
 %changelog
+* Mon Feb 19 2024 Petr Menšík - 32:9.16.23-17
+- Import tests for large DNS messages fix
+
 * Mon Feb 12 2024 Petr Menšík - 32:9.16.23-16
 - Prevent increased CPU load on large DNS messages (CVE-2023-4408)
 - Prevent assertion failure when nxdomain-redirect is used with
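Review bot: `%patch199 -p1` and `%patch200 -p1` drop the `-b .SUFFIX` backup argument that every neighbouring `%patch` line in this hunk carries (`%patch196 -p1 -b .CVE-2023-5679` through `%patch198 -p1 -b .CVE-2023-50387`), so the two new lines follow a different convention and the suffix backups the others leave in the build tree for inspection are missing for these patches. `%patch199 -p1 -b .CVE-2023-4408-test1` and `%patch200 -p1 -b .CVE-2023-4408-test2` keep the style consistent. Both patches are pure test additions, so the build result is the same either way; this is a consistency point only. The %changelog hunk on this line needs no change.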