import bind-9.16.23-4.el9
This commit is contained in:
parent
13a9717633
commit
8dc5c2990f
1144
SOURCES/bind-9.16-CVE-2021-25220-test.patch
Normal file
1144
SOURCES/bind-9.16-CVE-2021-25220-test.patch
Normal file
File diff suppressed because it is too large
Load Diff
251
SOURCES/bind-9.16-CVE-2021-25220.patch
Normal file
251
SOURCES/bind-9.16-CVE-2021-25220.patch
Normal file
@ -0,0 +1,251 @@
|
||||
From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Wed, 19 Jan 2022 17:38:18 +1100
|
||||
Subject: [PATCH] Add additional name checks when using a forwarder
|
||||
|
||||
When using a forwarder, check that the owner name of response
|
||||
records are within the bailiwick of the forwarded name space.
|
||||
|
||||
(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b)
|
||||
|
||||
Check that the forward declaration is unchanged and not overridden
|
||||
|
||||
If we are using a fowarder, in addition to checking that names to
|
||||
be cached are subdomains of the forwarded namespace, we must also
|
||||
check that there are no subsidiary forwarded namespaces which would
|
||||
take precedence. To be safe, we don't cache any responses if the
|
||||
forwarding configuration has changed since the query was sent.
|
||||
|
||||
(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3)
|
||||
|
||||
Check cached names for possible "forward only" clause
|
||||
|
||||
When caching additional and glue data *not* from a forwarder, we must
|
||||
check that there is no "forward only" clause covering the owner name
|
||||
that would take precedence. Such names would normally be allowed by
|
||||
baliwick rules, but a "forward only" zone introduces a new baliwick
|
||||
scope.
|
||||
|
||||
(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78)
|
||||
|
||||
Look for zones deeper than the current domain or forward name
|
||||
|
||||
When caching glue, we need to ensure that there is no closer
|
||||
source of truth for the name. If the owner name for the glue
|
||||
record would be answered by a locally configured zone, do not
|
||||
cache.
|
||||
|
||||
(cherry picked from commit 71b24210542730355149130770deea3e58d8527a)
|
||||
---
|
||||
lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 123 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index a7bc661bb7..7603a07b7b 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -63,6 +63,8 @@
|
||||
#include <dns/stats.h>
|
||||
#include <dns/tsig.h>
|
||||
#include <dns/validator.h>
|
||||
+#include <dns/zone.h>
|
||||
+
|
||||
#ifdef WANT_QUERYTRACE
|
||||
#define RTRACE(m) \
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, \
|
||||
@@ -337,6 +339,8 @@ struct fetchctx {
|
||||
dns_fetch_t *qminfetch;
|
||||
dns_rdataset_t qminrrset;
|
||||
dns_name_t qmindcname;
|
||||
+ dns_fixedname_t fwdfname;
|
||||
+ dns_name_t *fwdname;
|
||||
|
||||
/*%
|
||||
* The number of events we're waiting for.
|
||||
@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
fwd = ISC_LIST_HEAD(forwarders->fwdrs);
|
||||
fctx->fwdpolicy = forwarders->fwdpolicy;
|
||||
+ dns_name_copynf(domain, fctx->fwdname);
|
||||
if (fctx->fwdpolicy == dns_fwdpolicy_only &&
|
||||
isstrictsubdomain(domain, &fctx->domain))
|
||||
{
|
||||
@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
|
||||
fctx->restarts = 0;
|
||||
fctx->querysent = 0;
|
||||
fctx->referrals = 0;
|
||||
+
|
||||
+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
|
||||
+
|
||||
TIME_NOW(&fctx->start);
|
||||
fctx->timeouts = 0;
|
||||
fctx->lamecount = 0;
|
||||
@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
|
||||
fname, &forwarders);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
fctx->fwdpolicy = forwarders->fwdpolicy;
|
||||
+ dns_name_copynf(fname, fctx->fwdname);
|
||||
}
|
||||
|
||||
if (fctx->fwdpolicy != dns_fwdpolicy_only) {
|
||||
@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
|
||||
}
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Returns true if 'name' is external to the namespace for which
|
||||
+ * the server being queried can answer, either because it's not a
|
||||
+ * subdomain or because it's below a forward declaration or a
|
||||
+ * locally served zone.
|
||||
+ */
|
||||
+static inline bool
|
||||
+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
|
||||
+ isc_result_t result;
|
||||
+ dns_forwarders_t *forwarders = NULL;
|
||||
+ dns_fixedname_t fixed, zfixed;
|
||||
+ dns_name_t *fname = dns_fixedname_initname(&fixed);
|
||||
+ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
|
||||
+ dns_name_t *apex = NULL;
|
||||
+ dns_name_t suffix;
|
||||
+ dns_zone_t *zone = NULL;
|
||||
+ unsigned int labels;
|
||||
+ dns_namereln_t rel;
|
||||
+
|
||||
+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
|
||||
+
|
||||
+ /*
|
||||
+ * The name is outside the queried namespace.
|
||||
+ */
|
||||
+ rel = dns_name_fullcompare(name, apex, &(int){ 0 },
|
||||
+ &(unsigned int){ 0U });
|
||||
+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
|
||||
+ return (true);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If the record lives in the parent zone, adjust the name so we
|
||||
+ * look for the correct zone or forward clause.
|
||||
+ */
|
||||
+ labels = dns_name_countlabels(name);
|
||||
+ if (dns_rdatatype_atparent(type) && labels > 1U) {
|
||||
+ dns_name_init(&suffix, NULL);
|
||||
+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
|
||||
+ name = &suffix;
|
||||
+ } else if (rel == dns_namereln_equal) {
|
||||
+ /* If 'name' is 'apex', no further checking is needed. */
|
||||
+ return (false);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If there is a locally served zone between 'apex' and 'name'
|
||||
+ * then don't cache.
|
||||
+ */
|
||||
+ LOCK(&fctx->res->view->lock);
|
||||
+ if (fctx->res->view->zonetable != NULL) {
|
||||
+ unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
|
||||
+ result = dns_zt_find(fctx->res->view->zonetable, name, options,
|
||||
+ zfname, &zone);
|
||||
+ if (zone != NULL) {
|
||||
+ dns_zone_detach(&zone);
|
||||
+ }
|
||||
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
|
||||
+ if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
|
||||
+ &(unsigned int){ 0U }) ==
|
||||
+ dns_namereln_subdomain)
|
||||
+ {
|
||||
+ UNLOCK(&fctx->res->view->lock);
|
||||
+ return (true);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ UNLOCK(&fctx->res->view->lock);
|
||||
+
|
||||
+ /*
|
||||
+ * Look for a forward declaration below 'name'.
|
||||
+ */
|
||||
+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
|
||||
+ &forwarders);
|
||||
+
|
||||
+ if (ISFORWARDER(fctx->addrinfo)) {
|
||||
+ /*
|
||||
+ * See if the forwarder declaration is better.
|
||||
+ */
|
||||
+ if (result == ISC_R_SUCCESS) {
|
||||
+ return (!dns_name_equal(fname, fctx->fwdname));
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If the lookup failed, the configuration must have
|
||||
+ * changed: play it safe and don't cache.
|
||||
+ */
|
||||
+ return (true);
|
||||
+ } else if (result == ISC_R_SUCCESS &&
|
||||
+ forwarders->fwdpolicy == dns_fwdpolicy_only &&
|
||||
+ !ISC_LIST_EMPTY(forwarders->fwdrs))
|
||||
+ {
|
||||
+ /*
|
||||
+ * If 'name' is covered by a 'forward only' clause then we
|
||||
+ * can't cache this repsonse.
|
||||
+ */
|
||||
+ return (true);
|
||||
+ }
|
||||
+
|
||||
+ return (false);
|
||||
+}
|
||||
+
|
||||
static isc_result_t
|
||||
check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
|
||||
dns_section_t section) {
|
||||
@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
|
||||
result = dns_message_findname(rctx->query->rmessage, section, addname,
|
||||
dns_rdatatype_any, 0, &name, NULL);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
- external = !dns_name_issubdomain(name, &fctx->domain);
|
||||
+ external = name_external(name, type, fctx);
|
||||
if (type == dns_rdatatype_a) {
|
||||
for (rdataset = ISC_LIST_HEAD(name->list);
|
||||
rdataset != NULL;
|
||||
@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) {
|
||||
break;
|
||||
|
||||
case dns_namereln_subdomain:
|
||||
+ /*
|
||||
+ * Don't accept DNAME from parent namespace.
|
||||
+ */
|
||||
+ if (name_external(name, dns_rdatatype_dname, fctx)) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* In-scope DNAME records must have at least
|
||||
* as many labels as the domain being queried.
|
||||
@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) {
|
||||
DNS_SECTION_AUTHORITY);
|
||||
while (!done && result == ISC_R_SUCCESS) {
|
||||
dns_name_t *name = NULL;
|
||||
- bool external;
|
||||
|
||||
dns_message_currentname(rctx->query->rmessage,
|
||||
DNS_SECTION_AUTHORITY, &name);
|
||||
- external = !dns_name_issubdomain(name, &fctx->domain);
|
||||
|
||||
- if (!external) {
|
||||
+ if (!name_external(name, dns_rdatatype_ns, fctx)) {
|
||||
dns_rdataset_t *rdataset = NULL;
|
||||
|
||||
/*
|
||||
@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
|
||||
}
|
||||
|
||||
if (!dns_name_issubdomain(name, &fctx->domain)) {
|
||||
- /* Invalid name found; preserve it for logging later */
|
||||
+ /*
|
||||
+ * Invalid name found; preserve it for logging
|
||||
+ * later.
|
||||
+ */
|
||||
rctx->found_name = name;
|
||||
rctx->found_type = ISC_LIST_HEAD(name->list)->type;
|
||||
continue;
|
||||
--
|
||||
2.34.1
|
||||
|
81
SOURCES/bind-9.16-CVE-2022-0396.patch
Normal file
81
SOURCES/bind-9.16-CVE-2022-0396.patch
Normal file
@ -0,0 +1,81 @@
|
||||
From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Tue, 8 Feb 2022 12:42:34 +0100
|
||||
Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb()
|
||||
|
||||
When sock->closehandle_cb is set, we need to run nmhandle_detach_cb()
|
||||
asynchronously to ensure correct order of multiple packets processing in
|
||||
the isc__nm_process_sock_buffer(). When not run asynchronously, it
|
||||
would cause:
|
||||
|
||||
a) out-of-order processing of the return codes from processbuffer();
|
||||
|
||||
b) stack growth because the next TCP DNS message read callback will
|
||||
be called from within the current TCP DNS message read callback.
|
||||
|
||||
The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP
|
||||
sockets which calls isc__nm_process_sock_buffer(). If the read callback
|
||||
(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't
|
||||
attach to the nmhandle (f.e. because it wants to drop the processing or
|
||||
we send the response directly via uv_try_write()), the
|
||||
isc__nm_resume_processing() (via .closehandle_cb) would call
|
||||
isc__nm_process_sock_buffer() recursively.
|
||||
|
||||
The below shortened code path shows how the stack can grow:
|
||||
|
||||
1: ns__client_request(handle, ...);
|
||||
2: isc_nm_tcpdns_sequential(handle);
|
||||
3: ns_query_start(client, handle);
|
||||
4: query_lookup(qctx);
|
||||
5: query_send(qctcx->client);
|
||||
6: isc__nmhandle_detach(&client->reqhandle);
|
||||
7: nmhandle_detach_cb(&handle);
|
||||
8: sock->closehandle_cb(sock); // isc__nm_resume_processing
|
||||
9: isc__nm_process_sock_buffer(sock);
|
||||
10: processbuffer(sock); // isc__nm_tcpdns_processbuffer
|
||||
11: isc_nmhandle_attach(req->handle, &handle);
|
||||
12: isc__nm_readcb(sock, req, ISC_R_SUCCESS);
|
||||
13: isc__nm_async_readcb(NULL, ...);
|
||||
14: uvreq->cb.recv(...); // ns__client_request
|
||||
|
||||
Instead, if 'sock->closehandle_cb' is set, we need to run detach the
|
||||
handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in
|
||||
the code flow above does not start this recursion. This ensures the
|
||||
correct order when processing multiple packets in the function
|
||||
'isc__nm_process_sock_buffer()' and prevents the stack growth.
|
||||
|
||||
When not run asynchronously, the out-of-order processing leaves the
|
||||
first TCP socket open until all requests on the stream have been
|
||||
processed.
|
||||
|
||||
If the pipelining is disabled on the TCP via `keep-response-order`
|
||||
configuration option, named would keep the first socket in lingering
|
||||
CLOSE_WAIT state when the client sends an incomplete packet and then
|
||||
closes the connection from the client side.
|
||||
|
||||
(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17)
|
||||
---
|
||||
lib/isc/netmgr/netmgr.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
|
||||
index 3283eb6e4f..0ed3182fb6 100644
|
||||
--- a/lib/isc/netmgr/netmgr.c
|
||||
+++ b/lib/isc/netmgr/netmgr.c
|
||||
@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
|
||||
handle = *handlep;
|
||||
*handlep = NULL;
|
||||
|
||||
+ /*
|
||||
+ * If the closehandle_cb is set, it needs to run asynchronously to
|
||||
+ * ensure correct ordering of the isc__nm_process_sock_buffer().
|
||||
+ */
|
||||
sock = handle->sock;
|
||||
- if (sock->tid == isc_nm_tid()) {
|
||||
+ if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) {
|
||||
nmhandle_detach_cb(&handle FLARG_PASS);
|
||||
} else {
|
||||
isc__netievent_detach_t *event =
|
||||
--
|
||||
2.34.1
|
||||
|
@ -51,7 +51,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
||||
Name: bind
|
||||
License: MPLv2.0
|
||||
Version: 9.16.23
|
||||
Release: 1%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
@ -101,6 +101,10 @@ Patch157:bind-9.11-fips-tests.patch
|
||||
Patch164:bind-9.11-rh1666814.patch
|
||||
Patch170:bind-9.11-feature-test-named.patch
|
||||
Patch171:bind-9.11-tests-variants.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5987
|
||||
Patch172:bind-9.16-CVE-2022-0396.patch
|
||||
Patch173:bind-9.16-CVE-2021-25220.patch
|
||||
Patch174:bind-9.16-CVE-2021-25220-test.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
Requires: coreutils
|
||||
@ -401,6 +405,9 @@ in HTML and PDF format.
|
||||
%patch164 -p1 -b .rh1666814
|
||||
%patch170 -p1 -b .featuretest-named
|
||||
%patch171 -p1 -b .test-variant
|
||||
%patch172 -p1 -b .CVE-2022-0396
|
||||
%patch173 -p1 -b .CVE-2021-25220
|
||||
%patch174 -p1 -b .CVE-2021-25220-test
|
||||
|
||||
%if %{with PKCS11}
|
||||
%patch135 -p1 -b .config-pkcs11
|
||||
@ -1123,6 +1130,17 @@ fi;
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jul 14 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-4
|
||||
- Export bind-doc package (#2104863)
|
||||
|
||||
* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
|
||||
- Tighten cache protection against record from forwarders (CVE-2021-25220)
|
||||
- Include test of forwarders
|
||||
|
||||
* Fri Mar 25 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-2
|
||||
- TCP connections with 'keep-response-order' are properly close in all cases
|
||||
(CVE-2022-0396)
|
||||
|
||||
* Fri Nov 19 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-1
|
||||
- Update to 9.16.23 (#2024210)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user