Stop crashes at masterformat system tests
Fix of CVE-2023-6516 has changed format of map file and masterformat has started crashing. Adjust test values to pass cleanly. Related: RHEL-25375 ; Related: CVE-2023-6516
This commit is contained in:
parent
02426200e2
commit
c3e15c4a64
52
bind-9.16-CVE-2023-6516-test.patch
Normal file
52
bind-9.16-CVE-2023-6516-test.patch
Normal file
@ -0,0 +1,52 @@
|
||||
From e91ab7758bed0cf3dcf8ed745f91063d7ec4011c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
||||
Date: Thu, 4 Jan 2024 13:39:27 +0100
|
||||
Subject: [PATCH] Fix map offsets in the "masterformat" system test
|
||||
|
||||
The "masterformat" system test attempts to check named-checkzone
|
||||
behavior when it is fed corrupt map-format zone files. However, despite
|
||||
the RBTDB and RBT structures having evolved over the years, the offsets
|
||||
at which a valid map-format zone file is malformed by the "masterformat"
|
||||
test have not been updated accordingly, causing the relevant checks to
|
||||
introduce a different type of corruption than they were originally meant
|
||||
to cause:
|
||||
|
||||
- the "bad node header" check originally mangled the 'type' member of
|
||||
the rdatasetheader_t structure for cname.example.nil,
|
||||
|
||||
- the "bad node data" check originally mangled the 'serial' and
|
||||
'rdh_ttl' members of the rdatasetheader_t structure for
|
||||
aaaa.example.nil.
|
||||
|
||||
Update the offsets at which the map-format zone file is malformed at by
|
||||
the "masterformat" system test so that the relevant checks fulfill their
|
||||
original purpose again.
|
||||
---
|
||||
bin/tests/system/masterformat/tests.sh | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh
|
||||
index 364a0d2..bb4e6ec 100755
|
||||
--- a/bin/tests/system/masterformat/tests.sh
|
||||
+++ b/bin/tests/system/masterformat/tests.sh
|
||||
@@ -295,7 +295,7 @@ status=$((status+ret))
|
||||
echo_i "checking corrupt map files fail to load (bad node header) ($n)"
|
||||
ret=0
|
||||
cp map.5 badmap
|
||||
-stomp badmap 2754 2 99
|
||||
+stomp badmap 3706 2 99
|
||||
$CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null
|
||||
[ $? = 1 ] || ret=1
|
||||
n=$((n+1))
|
||||
@@ -305,7 +305,7 @@ status=$((status+ret))
|
||||
echo_i "checking corrupt map files fail to load (bad node data) ($n)"
|
||||
ret=0
|
||||
cp map.5 badmap
|
||||
-stomp badmap 2897 5 127
|
||||
+stomp badmap 3137 5 127
|
||||
$CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null
|
||||
[ $? = 1 ] || ret=1
|
||||
n=$((n+1))
|
||||
--
|
||||
2.44.0
|
||||
|
@ -51,7 +51,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
||||
Name: bind
|
||||
License: MPLv2.0
|
||||
Version: 9.16.23
|
||||
Release: 17%{?dist}
|
||||
Release: 18%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
@ -150,6 +150,8 @@ Patch201: bind-9.16-system-test-cds.patch
|
||||
Patch202: bind-9.16-isc-mempool-attach.patch
|
||||
# Downstream only change, complements patch 198
|
||||
Patch203: bind-9.16-isc_hp-CVE-2023-50387.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/1237d73cd1120b146ee699bbae7b2fe837cf2f98
|
||||
Patch204: bind-9.16-CVE-2023-6516-test.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
Requires: coreutils
|
||||
@ -482,6 +484,7 @@ in HTML and PDF format.
|
||||
%patch201 -p1 -b .test-variant-def
|
||||
%patch202 -p1 -b .mempool-attach
|
||||
%patch203 -p1 -b .isc_hp-CVE-2023-50387
|
||||
%patch204 -p1 -b .CVE-2023-6516-test
|
||||
|
||||
%if %{with PKCS11}
|
||||
%patch135 -p1 -b .config-pkcs11
|
||||
@ -1210,6 +1213,9 @@ fi;
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Mar 25 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18
|
||||
- Prevent crashing at masterformat system test (CVE-2023-6516)
|
||||
|
||||
* Mon Feb 19 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-17
|
||||
- Import tests for large DNS messages fix
|
||||
- Add downstream change complementing CVE-2023-50387
|
||||
|
Loading…
Reference in New Issue
Block a user