From 7ea3346926a0345021d175f10b408a781c674d59 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 18 May 2021 13:11:22 -0400
Subject: [PATCH] import bind-9.11.26-4.el8_4
---
 SOURCES/bind-9.11-CVE-2021-25215.patch | 40 ++++++++++++++++++++++++++
 SPECS/bind.spec | 7 ++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/bind-9.11-CVE-2021-25215.patch
diff --git a/SOURCES/bind-9.11-CVE-2021-25215.patch b/SOURCES/bind-9.11-CVE-2021-25215.patch
new file mode 100644
index 0000000..4f62a10
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2021-25215.patch
@@ -0,0 +1,40 @@
+From 6fc38d1c75ce5a6172267e6ca162c4fdc09657ad Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Tue, 27 Apr 2021 10:56:12 +0200
+Subject: [PATCH 2/2] CVE-2021-25215
+
+5616. [security] named crashed when a DNAME record placed in the ANSWER
+ section during DNAME chasing turned out to be the final
+ answer to a client query. (CVE-2021-25215) [GL #2540]
+---
+ bin/named/query.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index a95f5ad..11a888e 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -9301,10 +9301,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+ if (noqname != NULL)
+ query_addnoqnameproof(client, noqname);
+ /*
+- * We shouldn't ever fail to add 'rdataset'
+- * because it's already in the answer.
++ * 'rdataset' will only be non-NULL here if the ANSWER section
++ * of the message to be sent to the client already contains an
++ * RRset with the same owner name and the same type as
++ * 'rdataset'. This should never happen, with one exception:
++ * when chasing DNAME records, one of the DNAME records placed
++ * in the ANSWER section may turn out to be the final answer to
++ * the client's query, but we have no way of knowing that until
++ * now. In such a case, 'rdataset' will be freed later, so we
++ * do not need to free it here.
+ */
+- INSIST(rdataset == NULL);
++ INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);
+ }
+
+ addauth:
+--
+2.26.3
+
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 12a5ad1..3279f66 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.11.26
-Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
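Review bot: In the embedded bin/named/query.c patch, the relaxed check `INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);` is still a fatal assertion on a path driven by client query content, so any further case that leaves 'rdataset' non-NULL with a different qtype would abort named the same way this CVE did. The new comment also says 'rdataset' "will be freed later", but the release site is outside the hunk (query_find() starts before it and continues past `addauth:`), so that claim cannot be checked from here; I would name the releasing code in the comment, e.g. `* ('rdataset' is released by <cleanup site in query_find()>.)`, with the placeholder filled in by the author. The embedded patch touches only bin/named/query.c, so the backport ships without a regression test for a DNAME query whose final answer is a DNAME already placed in the ANSWER section; adding one to the package's test run would guard the fix across future rebases.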
@@ -155,6 +155,7 @@ Patch175:bind-9.11-json-c.patch
 Patch177:bind-9.11-serve-stale.patch
 Patch178:bind-9.11-dhcp-time-monotonic.patch
 Patch179:bind-9.11-CVE-2020-8625.patch
+Patch180:bind-9.11-CVE-2021-25215.patch
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -550,6 +551,7 @@ are used for building ISC DHCP.
 %patch177 -p1 -b .serve-stale
 %patch178 -p1 -b .time-monotonic
 %patch179 -p1 -b .CVE-2020-8625
+%patch180 -p1 -b .CVE-2021-25215
 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1601,6 +1603,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 %changelog
+* Tue Apr 27 2021 Petr Menšík - 32:9.11.26-4
+- Possible assertion failure on DNAME processing (CVE-2021-25215)
+
 * Mon Feb 15 2021 Petr Menšík - 32:9.11.26-3
 - Fix off-by-one bug in ISC SPNEGO implementation (CVE-2020-8625)