From d6121a1d3f811ac9f92feca3edd7690ce7fc8a07 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 16 May 2023 06:15:16 +0000 Subject: [PATCH] import bind-9.11.36-8.el8 --- SOURCES/bind-9.11-CVE-2022-2795.patch | 61 +++++++++++++++++++++++++++ SPECS/bind.spec | 17 +++++--- 2 files changed, 73 insertions(+), 5 deletions(-) create mode 100644 SOURCES/bind-9.11-CVE-2022-2795.patch diff --git a/SOURCES/bind-9.11-CVE-2022-2795.patch b/SOURCES/bind-9.11-CVE-2022-2795.patch new file mode 100644 index 0000000..2175637 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2022-2795.patch @@ -0,0 +1,61 @@ +From 05cdbc1006cee6daaa29e5423976d56047d22461 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Thu, 8 Sep 2022 11:11:30 +0200 +Subject: [PATCH] Bound the amount of work performed for delegations + +Limit the amount of database lookups that can be triggered in +fctx_getaddresses() (i.e. when determining the name server addresses to +query next) by setting a hard limit on the number of NS RRs processed +for any delegation encountered. Without any limit in place, named can +be forced to perform large amounts of database lookups per each query +received, which severely impacts resolver performance. + +The limit used (20) is an arbitrary value that is considered to be big +enough for any sane DNS delegation. + +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) +(cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8) +--- + lib/dns/resolver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 8ae9a993bb..ac9a9ef5d0 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -180,6 +180,12 @@ + */ + #define NS_FAIL_LIMIT 4 + #define NS_RR_LIMIT 5 ++/* ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in ++ * any NS RRset encountered, to avoid excessive resource use while processing ++ * large delegations. ++ */ ++#define NS_PROCESSING_LIMIT 20 + + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS +@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + bool need_alternate = false; + bool all_spilled = true; + unsigned int no_addresses = 0; ++ unsigned int ns_processed = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); ++ ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) { + return (result); +-- +2.37.3 + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 206e693..8745dbb 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.36 -Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.2 +Release: 8%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -164,6 +164,8 @@ Patch188: bind-9.16-CVE-2022-38177.patch Patch189: bind-9.16-CVE-2022-38178.patch # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695 Patch190: bind-9.11-rh2101712.patch +Patch191: bind-9.11-CVE-2022-2795.patch +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7376 Patch192: bind-9.11-rh2133889.patch # SDB patches @@ -565,6 +567,7 @@ are used for building ISC DHCP. %patch188 -p1 -b .CVE-2022-38177 %patch189 -p1 -b .CVE-2022-38178 %patch190 -p1 -b .rh2101712 +%patch191 -p1 -b .CVE-2022-2795 %patch192 -p1 -b .rh2133889 mkdir lib/dns/tests/testdata/dstrandom @@ -1618,11 +1621,15 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog -* Thu Oct 13 2022 Petr Menšík - 32:9.11.36-5.2 -- Correct regression preventing bind-dyndb-ldap build (#2130272) +* Thu Oct 13 2022 Petr Menšík - 32:9.11.36-8 +- Correct regression preventing bind-dyndb-ldap build (#2133889) -* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-5.1 -- Prevent freeing zone during statistics rendering (#2130272) +* Thu Sep 29 2022 Petr Menšík - 32:9.11.36-7 +- Prevent excessive resource use while processing large delegations. + (CVE-2022-2795) + +* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-6 +- Prevent freeing zone during statistics rendering (#2101712) * Thu Sep 22 2022 Petr Menšík - 32:9.11.36-5 - Fix memory leak in ECDSA verify processing (CVE-2022-38177)