Import tests for large DNS messages fix
Test-only part of the fixes for CVE-2023-4408. Related: RHEL-25342 ; Related: CVE-2023-4408
parent
e919059dfa
commit
5dc319b2a8
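--- /dev/null
+++ b/bind-9.16-CVE-2023-4408-test1.patch
@@ -0,0 +1,88 @@
+From d258422d3e653621ce6340ba9af0153f8d4e8c07 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Sun, 11 Feb 2024 00:49:32 +0100
+Subject: [PATCH] Test case insensitive matching in isc_ht hash table
+implementation
+
+The case insensitive matching in isc_ht was basically completely broken
+as only the hashvalue computation was case insensitive, but the key
+comparison was always case sensitive.
+
+Import only test part from upstream.
+
+(cherry picked from commit 175655b771fd17b06dfb8cfb29eaadf0f3b6a8b5)
+(cherry picked from upstream commit f493a8394102b0aeb101d5dc2f963004c8741175)
+---
+lib/isc/tests/ht_test.c | 53 +++++++++++++++++++++++++++++++++++++++++
+1 file changed, 53 insertions(+)
+
+diff --git a/lib/isc/tests/ht_test.c b/lib/isc/tests/ht_test.c
+index 74d95c1..65502b5 100644
+--- a/lib/isc/tests/ht_test.c
++++ b/lib/isc/tests/ht_test.c
+@@ -334,9 +334,62 @@ isc_ht_iterator_test(void **state) {
+test_ht_iterator();
+}
+
++static void
++isc_ht_case(void **state) {
++ UNUSED(state);
++
++ isc_ht_t *ht = NULL;
++ void *f = NULL;
++ isc_result_t result = ISC_R_UNSET;
++
++ unsigned char lower[16] = { "test case" };
++ unsigned char same[16] = { "test case" };
++ unsigned char upper[16] = { "TEST CASE" };
++ unsigned char mixed[16] = { "tEsT CaSe" };
++
++ isc_ht_init(&ht, test_mctx, 8, ISC_HT_CASE_SENSITIVE);
++ assert_non_null(ht);
++
++ result = isc_ht_add(ht, lower, 16, (void *)lower);
++ assert_int_equal(result, ISC_R_SUCCESS);
++
++ result = isc_ht_add(ht, same, 16, (void *)same);
++ assert_int_equal(result, ISC_R_EXISTS);
++
++ result = isc_ht_add(ht, upper, 16, (void *)upper);
++ assert_int_equal(result, ISC_R_SUCCESS);
++
++ result = isc_ht_find(ht, mixed, 16, &f);
++ assert_int_equal(result, ISC_R_NOTFOUND);
++ assert_null(f);
++
++ isc_ht_destroy(&ht);
++ assert_null(ht);
++
++ isc_ht_init(&ht, test_mctx, 8, ISC_HT_CASE_INSENSITIVE);
++ assert_non_null(ht);
++
++ result = isc_ht_add(ht, lower, 16, (void *)lower);
++ assert_int_equal(result, ISC_R_SUCCESS);
++
++ result = isc_ht_add(ht, same, 16, (void *)same);
++ assert_int_equal(result, ISC_R_EXISTS);
++
++ result = isc_ht_add(ht, upper, 16, (void *)upper);
++ assert_int_equal(result, ISC_R_EXISTS);
++
++ result = isc_ht_find(ht, mixed, 16, &f);
++ assert_int_equal(result, ISC_R_SUCCESS);
++ assert_ptr_equal(f, &lower);
++
++ isc_ht_destroy(&ht);
++ assert_null(ht);
++}
++
+int
+main(void) {
+const struct CMUnitTest tests[] = {
++ cmocka_unit_test(isc_ht_case),
+cmocka_unit_test(isc_ht_20),
+cmocka_unit_test(isc_ht_8),
+cmocka_unit_test(isc_ht_1),
+--
+2.43.0
+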
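Review bot: The ISC_HT_CASE_INSENSITIVE half of `isc_ht_case` — `ISC_R_EXISTS` when `upper` is added after `lower`, and the successful `isc_ht_find` of `mixed` — only passes once the isc_ht key comparison is itself case-insensitive, and this patch header says it imports "only test part from upstream"; if the CVE-2023-4408 backport shipped in 9.16.23-16 does not already carry the key-comparison change from upstream f493a839, this test will fail in the package's test run instead of guarding the fix, so that should be confirmed against that patch before the build goes out (I cannot see it from here). It would help the next packager to state that dependency in the patch header, e.g. `Requires the isc_ht case-insensitive key comparison fix already applied in 9.16.23-16 (CVE-2023-4408).` A small style point: `assert_ptr_equal(f, &lower);` compares against the address of the array while the value stored was `(void *)lower`; the two addresses are equal, but `assert_ptr_equal(f, lower);` says what is meant and matches the cast used on the add side.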
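--- /dev/null
+++ b/bind-9.16-CVE-2023-4408-test2.patch
@@ -0,0 +1,75 @@
+From aa1b0fc4b24d26233db30c85ae3609e54e9fa6d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Sun, 11 Feb 2024 09:13:43 +0100
+Subject: [PATCH] Add a system test for mixed-case data for the same owner
+
+We were missing a test where a single owner name would have multiple
+types with a different case. The generated RRSIGs and NSEC records will
+then have different case than the signed records and message parser have
+to cope with that and treat everything as the same owner.
+
+(cherry picked from commit a114042059ecbbc94ae0f604ca681323a75af480)
+(cherry picked from upstream commit b9c10a194da3358204f5ba7d91e55332db435614)
+---
+bin/tests/system/dnssec/ns3/secure.example.db.in | 5 +++++
+bin/tests/system/dnssec/ns3/sign.sh | 4 +++-
+bin/tests/system/dnssec/tests.sh | 15 +++++++++++++++
+3 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
+index 27f2b24..599566e 100644
+--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
++++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
+@@ -45,3 +45,8 @@ rrsigonly A 10.0.0.29
+cnameandkey CNAME @
+cnamenokey CNAME @
+dnameandkey DNAME @
++
++mixedcase A 10.0.0.30
++mixedCASE TXT "mixed case"
++MIXEDcase AAAA 2002::
++mIxEdCaSe LOC 37 52 56.788 N 121 54 55.02 W 1120m 10m 100m 10m
+diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
+index 80d412e..d94f382 100644
+--- a/bin/tests/system/dnssec/ns3/sign.sh
++++ b/bin/tests/system/dnssec/ns3/sign.sh
+@@ -86,7 +86,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
+
+cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
+
+-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
++"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null
++cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
++mv "$zonefile".tmp "$zonefile".signed
+
+zone=bogus.example.
+infile=bogus.example.db.in
+diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
+index fe95c8d..0c03970 100644
+--- a/bin/tests/system/dnssec/tests.sh
++++ b/bin/tests/system/dnssec/tests.sh
+@@ -762,6 +762,21 @@ n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
++echo_i "checking mixed-case positive validation ($n)"
++ret=0
++for type in a txt aaaa loc; do
++ dig_with_opts +noauth mixedcase.secure.example. \
++ @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1
++ dig_with_opts +noauth mixedcase.secure.example. \
++ @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1
++ digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1
++ grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1
++ grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1
++done
++n=$((n + 1))
++test "$ret" -eq 0 || echo_i "failed"
++status=$((status + ret))
++
+echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
+ret=0
+dig_with_opts +noauth a.nsec3.example. \
+--
+2.43.0
+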
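Review bot: The three new sign.sh lines — `"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null`, the `cat "$zonefile" "$zonefile".signed >"$zonefile".tmp` and the `mv` back over `.signed` — are the whole mechanism of this test yet carry no comment, so a reader of ns3/sign.sh alone cannot tell why this zone is signed differently from every other one in the script; add above them `# -D emits only the DNSSEC records; prepend the unsigned zone so the served data keeps the mixed-case owner names while RRSIG/NSEC carry the signer's case`, which is what the patch description says the test depends on. With the signer's output already sent to /dev/null, a failed signing run would be noticed only when `cat` or `mv` misbehaves; unless sign.sh runs under `set -e` (not visible in this hunk) the `mv` still executes after a failed `cat`, so `cat "$zonefile" "$zonefile".signed >"$zonefile".tmp && mv "$zonefile".tmp "$zonefile".signed` avoids installing a half-built signed zone that would later surface as an obscure validation failure. The surrounding sign.sh continues outside the hunk on both sides.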
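--- a/bind.spec
+++ b/bind.spec
@@ -51,7 +51,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 16%{?dist}
+Release: 17%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -140,6 +140,10 @@ Patch195: bind-9.16-CVE-2023-5517.patch
 Patch196: bind-9.16-CVE-2023-5679.patch
 Patch197: bind-9.16-CVE-2023-6516.patch
 Patch198: bind-9.16-CVE-2023-50387.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/f493a8394102b0aeb101d5dc2f963004c8741175
+Patch199: bind-9.16-CVE-2023-4408-test1.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/b9c10a194da3358204f5ba7d91e55332db435614
+Patch200: bind-9.16-CVE-2023-4408-test2.patch
 
 %{?systemd_ordering}
 Requires: coreutils
@@ -466,6 +470,8 @@ in HTML and PDF format.
 %patch196 -p1 -b .CVE-2023-5679
 %patch197 -p1 -b .CVE-2023-6516
 %patch198 -p1 -b .CVE-2023-50387
+%patch199 -p1
+%patch200 -p1
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1189,6 +1195,9 @@ fi;
 %endif
 
 %changelog
+* Mon Feb 19 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-17
+- Import tests for large DNS messages fix
+
 * Mon Feb 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-16
 - Prevent increased CPU load on large DNS messages (CVE-2023-4408)
 - Prevent assertion failure when nxdomain-redirect is used with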
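Review bot: `%patch199 -p1` and `%patch200 -p1` in the %prep hunk drop the `-b .SUFFIX` backup suffix that every neighbouring %patch line carries, which is what lets a packager see in the build tree which patch touched ht_test.c, sign.sh and tests.sh; make them `%patch199 -p1 -b .CVE-2023-4408-test1` and `%patch200 -p1 -b .CVE-2023-4408-test2`. The new changelog line `- Import tests for large DNS messages fix` also omits the CVE identifier that the -16 entry directly below it includes, so a `rpm -q --changelog bind | grep CVE-2023-4408` would not show that the regression tests were added; `- Import tests for large DNS messages fix (CVE-2023-4408)` keeps the two entries consistent. The Patch199 comment URL matches the upstream commit named in the patch header, which is good; the Patch198 and earlier lines sit outside this hunk.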