rpms/bind
5
0
Fork 1
Code Issues Pull Requests Releases Activity

Import from CS git

Browse Source
This commit is contained in:
eabdullin 2025-02-20 07:41:44 +00:00
parent 26550e8f2c
commit 91b3f76a26
6 changed files with 310 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch Normal file
View File

@ -0,0 +1,85 @@
From 8a9b9ff5a8b2443f7df4f60397ad215931ba44f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 7 Jan 2025 15:22:40 +0100
Subject: [PATCH] Isolate using the -T noaa flag only for part of the resolver
test
Instead of running the whole resolver/ns4 server with -T noaa flag,
use it only for the part where it is actually needed. The -T noaa
could interfere with other parts of the test because the answers don't
have the authoritative-answer bit set, and we could have false
positives (or false negatives) in the test because the authoritative
server doesn't follow the DNS protocol for all the tests in the resolver
system test.
(cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
---
bin/tests/system/conf.sh.in | 12 ++++++++++++
bin/tests/system/resolver/ns4/named.noaa | 5 -----
bin/tests/system/resolver/tests.sh | 8 ++++++++
3 files changed, 20 insertions(+), 5 deletions(-)
delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 06852f5..f77f7de 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -305,6 +305,18 @@ digcomp() {
return $result
}
+start_server() {
+ $PERL "$SYSTEMTESTTOP/start.pl" "$SYSTESTDIR" "$@"
+}
+
+stop_server() {
+ $PERL "$SYSTEMTESTTOP/stop.pl" "$SYSTESTDIR" "$@"
+}
+
+send() {
+ $PERL "$SYSTEMTESTTOP/send.pl" "$@"
+}
+
#
# Useful functions in test scripts
#
diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
deleted file mode 100644
index 3b121ad..0000000
--- a/bin/tests/system/resolver/ns4/named.noaa
+++ /dev/null
@@ -1,5 +0,0 @@
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
-
-Add -T noaa.
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 6eb52fe..bf37467 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -281,6 +281,10 @@ done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+stop_server ns4
+touch ns4/named.noaa
+start_server --noclean --restart --port ${PORT} ns4 || ret=1
+
n=`expr $n + 1`
echo_i "RT21594 regression test check setup ($n)"
ret=0
@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+stop_server ns4
+rm ns4/named.noaa
+start_server --noclean --restart --port ${PORT} ns4 || ret=1
+
n=`expr $n + 1`
echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
ret=0
--
2.48.1

151
SOURCES/bind-9.18-CVE-2024-11187.patch Normal file
View File

@ -0,0 +1,151 @@
From ca6c3446ef07d89fd3a28b6979d947af2ab5754f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 14 Nov 2024 10:37:29 +0100
Subject: [PATCH] Limit the additional processing for large RDATA sets
When answering queries, don't add data to the additional section if
the answer has more than 13 names in the RDATA. This limits the
number of lookups into the database(s) during a single client query,
reducing query processing load.
Also, don't append any additional data to type=ANY queries. The
answer to ANY is already big enough.
(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
PatchNumber: 47
---
bin/named/query.c | 14 ++++++++------
bin/tests/system/additional/tests.sh | 2 +-
lib/dns/include/dns/rdataset.h | 12 ++++++++++++
lib/dns/rdataset.c | 12 ++++++++++++
4 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/bin/named/query.c b/bin/named/query.c
index 51a29a8..e023d74 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -1835,9 +1835,10 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
* section, it's helpful if we add the SRV additional data
* as well.
*/
- eresult = dns_rdataset_additionaldata(trdataset,
- query_addadditional,
- client);
+ eresult = dns_rdataset_additionaldata2(trdataset,
+ query_addadditional,
+ client,
+ DNS_RDATASET_MAXADDITIONAL);
}
cleanup:
@@ -2432,7 +2433,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
rdataset->rdclass);
rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
- if (NOADDITIONAL(client))
+ if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any)
return;
/*
@@ -2442,8 +2443,9 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
*/
additionalctx.client = client;
additionalctx.rdataset = rdataset;
- (void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
- &additionalctx);
+ (void)dns_rdataset_additionaldata2(rdataset, query_addadditional2,
+ &additionalctx,
+ DNS_RDATASET_MAXADDITIONAL);
CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
}
diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
index 6400723..a33cc8a 100644
--- a/bin/tests/system/additional/tests.sh
+++ b/bin/tests/system/additional/tests.sh
@@ -261,7 +261,7 @@ n=`expr $n + 1`
echo_i "testing with 'minimal-any no;' ($n)"
ret=0
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
+grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=`expr status + 1`
fi
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 710e97c..b3532f6 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -53,6 +53,8 @@
#include <dns/types.h>
#include <dns/rdatastruct.h>
+#define DNS_RDATASET_MAXADDITIONAL 13
+
ISC_LANG_BEGINDECLS
typedef enum {
@@ -501,13 +503,23 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
*\li If a call to dns_rdata_additionaldata() is not successful, the
* result returned will be the result of dns_rdataset_additionaldata().
*
+ *\li If 'limit' is non-zero and the number of the rdatasets is larger
+ * than 'limit', no additional data will be processed.
+ *
* Returns:
*
*\li #ISC_R_SUCCESS
*
+ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
+ *
*\li Any error that dns_rdata_additionaldata() can return.
*/
+isc_result_t
+dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ dns_additionaldatafunc_t add, void *arg,
+ size_t limit);
+
isc_result_t
dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
dns_rdataset_t *neg, dns_rdataset_t *negsig);
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index b42dea5..5160acf 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -28,6 +28,7 @@
#include <dns/ncache.h>
#include <dns/rdata.h>
#include <dns/rdataset.h>
+#include <dns/result.h>
static const char *trustnames[] = {
"none",
@@ -608,6 +609,13 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
isc_result_t
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
dns_additionaldatafunc_t add, void *arg)
+{
+ return dns_rdataset_additionaldata2(rdataset, add, arg, 0);
+}
+
+isc_result_t
+dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ dns_additionaldatafunc_t add, void *arg, size_t limit)
{
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
@@ -620,6 +628,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
REQUIRE(DNS_RDATASET_VALID(rdataset));
REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+ return DNS_R_TOOMANYRECORDS;
+ }
+
result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS)
return (result);
--
2.48.1

0
SOURCES/generate-rndc-key.sh Normal file → Executable file
View File

0
SOURCES/setup-named-chroot.sh Normal file → Executable file
View File

0
SOURCES/setup-named-softhsm.sh Normal file → Executable file
View File

136
SPECS/bind.spec
View File

@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.11.36
Release: 16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.2
Release: 16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.4
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -197,6 +197,9 @@ Patch205: bind-9.11-CVE-2024-1975.patch
Patch206: bind-9.11-CVE-2024-1737.patch
# RH downstream, allow changing by environment
Patch208: bind-9.11-CVE-2024-1737-runtime-env.patch
# https://gitlab.isc.org/isc-projects/bind9/-/commit/c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0
Patch209: bind-9.18-CVE-2024-11187-pre-test.patch
Patch210: bind-9.18-CVE-2024-11187.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@ -568,58 +571,60 @@ are used for building ISC DHCP.
%setup -q -n %{name}-%{BINDVERSION}
# Common patches
%patch10 -p1 -b .PIE
%patch16 -p1 -b .redhat_doc
%patch -P 10 -p1 -b .PIE
%patch -P 16 -p1 -b .redhat_doc
%ifnarch alpha ia64
%patch72 -p1 -b .64bit
%patch -P 72 -p1 -b .64bit
%endif
%patch102 -p1 -b .rh452060
%patch106 -p1 -b .rh490837
%patch109 -p1 -b .rh478718
%patch112 -p1 -b .rh645544
%patch130 -p1 -b .libdb
%patch131 -p1 -b .multlib-conflict
%patch140 -p1 -b .rh1410433
%patch145 -p1 -b .rh1205168
%patch153 -p1 -b .export_suffix
%patch154 -p1 -b .oot-man
%patch155 -p1 -b .pk11-internal
%patch156 -p1 -b .fips-code
%patch157 -p1 -b .fips-tests
%patch159 -p1 -b .host-idn-disable
%patch164 -p1 -b .fips-includes
%patch165 -p1 -b .rt31459
%patch166 -p1 -b .rt46047
%patch167 -p1 -b .rh1668682
%patch168 -p1 -b .random_test-disable
%patch174 -p1 -b .rh1737407
%patch175 -p1 -b .json-c
%patch177 -p1 -b .serve-stale
%patch178 -p1 -b .time-monotonic
%patch183 -p1 -b .rh1980757
%patch184 -p1 -b .rh2030239
%patch185 -p1 -b .CVE-2021-25220
%patch186 -p1 -b .CVE-2021-25220-test
%patch188 -p1 -b .CVE-2022-38177
%patch189 -p1 -b .CVE-2022-38178
%patch190 -p1 -b .rh2101712
%patch191 -p1 -b .CVE-2022-2795
%patch192 -p1 -b .rh2133889
%patch193 -p1 -b .CVE-2022-3094
%patch194 -p1 -b .CVE-2022-3094
%patch195 -p1 -b .CVE-2022-3094
%patch196 -p1 -b .CVE-2022-3094-test
%patch197 -p1 -b .CVE-2023-2828
%patch198 -p1 -b .CVE-2023-3341
%patch199 -p1 -b .RHEL-11785
%patch200 -p1 -b .b.root-servers.net
%patch201 -p1 -b .CVE-2023-4408
%patch202 -p1 -b .CVE-2023-50387+50868
%patch203 -p1 -b .CVE-2023-2828-fixup
%patch204 -p1 -b .CVE-2023-50387-fixup
%patch205 -p1 -b .CVE-2024-1975
%patch206 -p1 -b .CVE-2024-1737
%patch208 -p1 -b .CVE-2024-1737-env
%patch -P 102 -p1 -b .rh452060
%patch -P 106 -p1 -b .rh490837
%patch -P 109 -p1 -b .rh478718
%patch -P 112 -p1 -b .rh645544
%patch -P 130 -p1 -b .libdb
%patch -P 131 -p1 -b .multlib-conflict
%patch -P 140 -p1 -b .rh1410433
%patch -P 145 -p1 -b .rh1205168
%patch -P 153 -p1 -b .export_suffix
%patch -P 154 -p1 -b .oot-man
%patch -P 155 -p1 -b .pk11-internal
%patch -P 156 -p1 -b .fips-code
%patch -P 157 -p1 -b .fips-tests
%patch -P 159 -p1 -b .host-idn-disable
%patch -P 164 -p1 -b .fips-includes
%patch -P 165 -p1 -b .rt31459
%patch -P 166 -p1 -b .rt46047
%patch -P 167 -p1 -b .rh1668682
%patch -P 168 -p1 -b .random_test-disable
%patch -P 174 -p1 -b .rh1737407
%patch -P 175 -p1 -b .json-c
%patch -P 177 -p1 -b .serve-stale
%patch -P 178 -p1 -b .time-monotonic
%patch -P 183 -p1 -b .rh1980757
%patch -P 184 -p1 -b .rh2030239
%patch -P 185 -p1 -b .CVE-2021-25220
%patch -P 186 -p1 -b .CVE-2021-25220-test
%patch -P 188 -p1 -b .CVE-2022-38177
%patch -P 189 -p1 -b .CVE-2022-38178
%patch -P 190 -p1 -b .rh2101712
%patch -P 191 -p1 -b .CVE-2022-2795
%patch -P 192 -p1 -b .rh2133889
%patch -P 193 -p1 -b .CVE-2022-3094
%patch -P 194 -p1 -b .CVE-2022-3094
%patch -P 195 -p1 -b .CVE-2022-3094
%patch -P 196 -p1 -b .CVE-2022-3094-test
%patch -P 197 -p1 -b .CVE-2023-2828
%patch -P 198 -p1 -b .CVE-2023-3341
%patch -P 199 -p1 -b .RHEL-11785
%patch -P 200 -p1 -b .b.root-servers.net
%patch -P 201 -p1 -b .CVE-2023-4408
%patch -P 202 -p1 -b .CVE-2023-50387+50868
%patch -P 203 -p1 -b .CVE-2023-2828-fixup
%patch -P 204 -p1 -b .CVE-2023-50387-fixup
%patch -P 205 -p1 -b .CVE-2024-1975
%patch -P 206 -p1 -b .CVE-2024-1737
%patch -P 208 -p1 -b .CVE-2024-1737-env
%patch -P 209 -p1 -b .CVE-2024-11187-pre-test
%patch -P 210 -p1 -b .CVE-2024-11187
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -635,20 +640,20 @@ find bin lib/lwres/man -name '*.docbook' -exec \
-i '{}' ';'
%if %{with PKCS11}
%patch150 -p1 -b .engine-pkcs11
%patch -P 150 -p1 -b .engine-pkcs11
cp -r bin/named{,-pkcs11}
cp -r bin/dnssec{,-pkcs11}
cp -r lib/isc{,-pkcs11}
cp -r lib/dns{,-pkcs11}
%patch136 -p1 -b .dist_pkcs11
%patch149 -p1 -b .kyua-pkcs11
%patch -P 136 -p1 -b .dist_pkcs11
%patch -P 149 -p1 -b .kyua-pkcs11
%endif
%if %{with SDB}
%patch101 -p1 -b .old-api
%patch -P 101 -p1 -b .old-api
mkdir bin/named-sdb
cp -r bin/named/* bin/named-sdb
%patch11 -p1 -b .sdbsrc
%patch -P 11 -p1 -b .sdbsrc
# SDB ldap
cp -fp contrib/sdb/ldap/ldapdb.[ch] bin/named-sdb
# SDB postgreSQL
@ -667,14 +672,14 @@ cp -fp %{SOURCE7} bin/sdb_tools/Makefile.in
cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools
cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools
cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools
%patch12 -p1 -b .sdb
%patch17 -p1 -b .fix_sdb_ldap
%patch18 -p1 -b .fix_zone2ldap
%patch137 -p1 -b .strlcat_fix
%patch -P 12 -p1 -b .sdb
%patch -P 17 -p1 -b .fix_sdb_ldap
%patch -P 18 -p1 -b .fix_zone2ldap
%patch -P 137 -p1 -b .strlcat_fix
%endif
%patch133 -p1 -b .rh640538
%patch134 -p1 -b .rh669163
%patch -P 133 -p1 -b .rh640538
%patch -P 134 -p1 -b .rh669163
# Sparc and s390 arches need to use -fPIE
%ifarch sparcv9 sparc64 s390 s390x
@ -1672,6 +1677,13 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
* Thu Feb 06 2025 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-16.4
- Change patches applying to use -P parameter
* Wed Feb 05 2025 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-16.3
- Limit additional section records CPU processing (CVE-2024-11187)
- Correct ANY queries to not have additional data appended
* Tue Aug 06 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-16.2
- Rebuild after CI change