import UBI bind-9.16.23-31.el9_6

This commit is contained in:
eabdullin 2025-07-29 20:34:40 +00:00
parent eeaa229f36
commit 924887246a
3 changed files with 232 additions and 1 deletions


@ -0,0 +1,168 @@
From bddd8950ff3d82d503dfb64e67d24ce364e5a5af Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 16 Jun 2025 19:36:13 +0200
Subject: [PATCH] Support runtime configurable limit of additional records
Use environment variable NAMED_MAXADDITIONAL to change default built-in
limit. Uses environment variable to avoid the need to support the variable
option in the more recent versions and after upgrades.
Use debug 1 verbosity for logging parsed limit at the start, but not
changing production logs.
---
bin/named/main.c | 5 +++++
bin/named/named.rst | 9 +++++++++
lib/ns/include/ns/server.h | 13 +++++++++++++
lib/ns/query.c | 4 ++--
lib/ns/server.c | 25 +++++++++++++++++++++++++
5 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/bin/named/main.c b/bin/named/main.c
index f62f82c..0de658a 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -1327,6 +1327,11 @@ setup(void) {
if (sigvalinsecs) {
ns_server_setoption(sctx, NS_SERVER_SIGVALINSECS, true);
}
+ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+ "using max %u additional records",
+ ns_server_getmaxadditionalrecords(sctx));
+
}
static void
diff --git a/bin/named/named.rst b/bin/named/named.rst
index 3cd6350..06af140 100644
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@@ -228,6 +228,15 @@ Files
``/var/run/named/named.pid``
The default process-id file.
+Environment
+~~~~~~~~~~~
+
+NAMED_MAXADDITIONAL
+ Red Hat specific extension. Accepts numeric value of maximal NS
+ records, which would get fetched additional addresses. Default
+ value is 13. Allows runtime configurable limit introduced in
+ CVE-2024-11187 fixes.
+
Notes
~~~~~
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
index 0abb579..4864ba4 100644
--- a/lib/ns/include/ns/server.h
+++ b/lib/ns/include/ns/server.h
@@ -122,6 +122,8 @@ struct ns_server {
isc_stats_t *tcpoutstats4;
isc_stats_t *tcpinstats6;
isc_stats_t *tcpoutstats6;
+
+ unsigned int max_additional_records;
};
struct ns_altsecret {
@@ -166,6 +168,17 @@ ns_server_setserverid(ns_server_t *sctx, const char *serverid);
*\li 'sctx' is valid.
*/
+unsigned int
+ns_server_getmaxadditionalrecords(ns_server_t *sctx);
+/*%<
+ * Returns the maximal number of records with additional addresses
+ * provided.
+ *
+ * Requires:
+ *\li 'sctx' is valid.
+ */
+
+
void
ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value);
/*%<
diff --git a/lib/ns/query.c b/lib/ns/query.c
index ce1d710..37893e2 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -2032,7 +2032,7 @@ addname:
if (trdataset != NULL && dns_rdatatype_followadditional(type)) {
eresult = dns_rdataset_additionaldata2(
trdataset, query_additional_cb, qctx,
- DNS_RDATASET_MAXADDITIONAL);
+ client->sctx->max_additional_records);
}
cleanup:
@@ -2124,7 +2124,7 @@ regular:
* We don't care if dns_rdataset_additionaldata() fails.
*/
(void)dns_rdataset_additionaldata2(rdataset, query_additional_cb,
- qctx, DNS_RDATASET_MAXADDITIONAL);
+ qctx, client->sctx->max_additional_records);
CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
}
diff --git a/lib/ns/server.c b/lib/ns/server.c
index 540bc2e..0a4abb3 100644
--- a/lib/ns/server.c
+++ b/lib/ns/server.c
@@ -17,6 +17,7 @@
#include <isc/stats.h>
#include <isc/util.h>
+#include <dns/rdataset.h>
#include <dns/stats.h>
#include <dns/tkey.h>
@@ -33,6 +34,22 @@
RUNTIME_CHECK(result == ISC_R_SUCCESS); \
} while (0)
+/*
+ * CVE-2024-11187 introduced a limit on maximal number of records,
+ * for which additional records would be fetched. Make this limit
+ * configurable runtime only by environment.
+ */
+static size_t
+initialize_maxadditional(void) {
+ const char *limits;
+
+ limits = getenv("NAMED_MAXADDITIONAL");
+ if (limits != NULL) {
+ return strtol(limits, NULL, 10);
+ }
+ return DNS_RDATASET_MAXADDITIONAL;
+}
+
isc_result_t
ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
ns_server_t **sctxp) {
@@ -90,6 +107,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
sctx->udpsize = 1232;
sctx->transfer_tcp_message_size = 20480;
+ sctx->max_additional_records = initialize_maxadditional();
sctx->fuzztype = isc_fuzz_none;
sctx->fuzznotify = NULL;
@@ -213,6 +231,13 @@ ns_server_setserverid(ns_server_t *sctx, const char *serverid) {
return (ISC_R_SUCCESS);
}
+unsigned int
+ns_server_getmaxadditionalrecords(ns_server_t *sctx) {
+ REQUIRE(SCTX_VALID(sctx));
+
+ return sctx->max_additional_records;
+}
+
void
ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value) {
REQUIRE(SCTX_VALID(sctx));
--
2.49.0
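Review bot: initialize_maxadditional() in the lib/ns/server.c hunk accepts whatever NAMED_MAXADDITIONAL contains unchecked: `strtol(limits, NULL, 10)` yields 0 for non-numeric text and a negative long for `-1`, and both reach the `unsigned int max_additional_records` field (through an implicit size_t-to-unsigned narrowing) as 0 or UINT_MAX, after which the `limit != 0` test in dns_rdataset_additionaldata2() removes the CVE-2024-11187 cap altogether, so a typo in the environment silently reverts the mitigation. Parse with strtoul plus endptr and errno, reject an empty string, trailing characters, a leading minus, zero and anything above UINT_MAX, and fall back to DNS_RDATASET_MAXADDITIONAL in those cases; having the helper return `unsigned int` also removes the narrowing. The hunk adds only `<dns/rdataset.h>`, while getenv/strtoul/errno/UINT_MAX need `<stdlib.h>`, `<errno.h>` and `<limits.h>`, which may already be included higher up in server.c (not visible here). The named.rst paragraph should state that invalid or zero values keep the default of 13 rather than disabling the limit.
```c
static unsigned int
initialize_maxadditional(void) {
	const char *limits = getenv("NAMED_MAXADDITIONAL");
	char *end = NULL;
	unsigned long value;

	if (limits == NULL || *limits == '\0' || *limits == '-') {
		return DNS_RDATASET_MAXADDITIONAL;
	}
	errno = 0;
	value = strtoul(limits, &end, 10);
	/*
	 * 0 disables the limit in dns_rdataset_additionaldata2(), and
	 * anything that does not parse cleanly must not weaken the
	 * CVE-2024-11187 default, so keep the built-in value instead.
	 */
	if (end == limits || *end != '\0' || errno == ERANGE || value == 0 ||
	    value > UINT_MAX) {
		return DNS_RDATASET_MAXADDITIONAL;
	}
	return (unsigned int)value;
}
```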


@ -0,0 +1,54 @@
From 9140eac85cda21fa86f2768f7ccaf6800776c726 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 19 Jun 2025 19:51:43 +0200
Subject: [PATCH] Limit number of additional records fetched
Limit number of started fetches for additional zone instead of doing
none. Keep limit of NS filled with additional records, but present at
least some if possible.
Might help broken implementations relying on receiving addresses in the
response for NS query in authoritative zone.
---
lib/dns/rdataset.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index ffe6163..cfdb7d5 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -586,6 +586,7 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
dns_additionaldatafunc_t add, void *arg, size_t limit) {
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
+ size_t n = 0;
/*
* For each rdata in rdataset, call 'add' for each name and type in the
@@ -595,10 +596,6 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
REQUIRE(DNS_RDATASET_VALID(rdataset));
REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
- if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
- return DNS_R_TOOMANYRECORDS;
- }
-
result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS) {
return (result);
@@ -608,7 +605,11 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_additionaldata(&rdata, add, arg);
if (result == ISC_R_SUCCESS) {
- result = dns_rdataset_next(rdataset);
+ if (limit != 0 && ++n >= limit) {
+ result = DNS_R_TOOMANYRECORDS;
+ } else {
+ result = dns_rdataset_next(rdataset);
+ }
}
dns_rdata_reset(&rdata);
} while (result == ISC_R_SUCCESS);
--
2.49.0
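Review bot: The rewritten loop in dns_rdataset_additionaldata2() now returns DNS_R_TOOMANYRECORDS for an rdataset holding exactly `limit` entries, because `++n >= limit` fires right after the last record is processed, whereas the removed pre-check only rejected `count > limit`; the first caller in query.c stores the result in `eresult`, so if it treats DNS_R_TOOMANYRECORDS differently from ISC_R_NOMORE this changes behaviour for sets sitting at the limit (the tail of the function and the result mapping are outside the hunk, so I cannot confirm either way). Testing the count before calling dns_rdata_additionaldata() keeps exact-limit sets on the ISC_R_NOMORE path while still never starting the (limit+1)th fetch. The block comment above the hunk that describes `limit` should also be updated to say that at most `limit` records get their additional data fetched and the remainder are skipped, since it presumably still documents the old all-or-nothing check.
```c
		dns_rdataset_current(rdataset, &rdata);
		/* Stop before the (limit + 1)th fetch; a set of exactly
		 * 'limit' records still ends with ISC_R_NOMORE. */
		if (limit != 0 && n++ >= limit) {
			result = DNS_R_TOOMANYRECORDS;
		} else {
			result = dns_rdata_additionaldata(&rdata, add, arg);
		}
		if (result == ISC_R_SUCCESS) {
			result = dns_rdataset_next(rdataset);
		}
		/* … unchanged: dns_rdata_reset() and loop condition … */
```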


@ -56,7 +56,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.16.23
Release: 29%{?dist}
Release: 31%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -185,6 +185,9 @@ Patch216: bind-9.18-CVE-2024-11187.patch
Patch217: bind-9.21-resume-qmin-cname.patch
# downstream only, extra check for above change, RHEL-30407
Patch218: bind-9.18-query-fname-relative.patch
Patch219: bind-9.18-partial-additional-records.patch
# downstream only, RHEL-84006
Patch220: bind-9.18-configurable-additional-records.patch
%{?systemd_ordering}
Requires: coreutils
@ -1229,6 +1232,12 @@ fi;
%endif
%changelog
* Wed Jul 09 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-31
- Add runtime tunable limit by environment NAMED_MAXADDITIONAL (RHEL-84006)
* Fri Jun 20 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-30
- Change additional NS to be served partially (RHEL-84006)
* Tue Jun 10 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.23-29
- Prevent name.c:670 attributes assertion failed (RHEL-30407)
- Add extra checks for relative names