From dc3f4d28ab985704401de9b5e1d6095c4b99526b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Sat, 25 Feb 2023 03:00:30 +0100 Subject: [PATCH] Fix small differences to upstream patches Some small differences went unnoticed and cause system test upforwd failure. Fix both code change and test to pass. Resolves: CVE-2022-3094 --- bind-9.16-CVE-2022-3094-1.patch | 21 ++++++++++----------- bind-9.16-CVE-2022-3094-test.patch | 8 ++++---- bind.spec | 5 ++++- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/bind-9.16-CVE-2022-3094-1.patch b/bind-9.16-CVE-2022-3094-1.patch index 53f6629..86fbf76 100644 --- a/bind-9.16-CVE-2022-3094-1.patch +++ b/bind-9.16-CVE-2022-3094-1.patch @@ -1,4 +1,4 @@ -From 0c0dc08d3ef26b7411cfe089e8144454831e8af5 Mon Sep 17 00:00:00 2001 +From 18036bb3f435eaa20d60093738c61e5da42a6cfe Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 1 Sep 2022 16:05:04 -0700 Subject: [PATCH] add an update quota @@ -19,8 +19,8 @@ has been exceeded. lib/ns/include/ns/server.h | 1 + lib/ns/include/ns/stats.h | 4 +++- lib/ns/server.c | 2 ++ - lib/ns/update.c | 38 +++++++++++++++++++++++++++++++++++++- - 8 files changed, 59 insertions(+), 6 deletions(-) + lib/ns/update.c | 37 ++++++++++++++++++++++++++++++++++++- + 8 files changed, 58 insertions(+), 6 deletions(-) diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl index 5078115..194625b 100644 @@ -148,7 +148,7 @@ index a970a28..540bc2e 100644 isc_quota_destroy(&sctx->tcpquota); isc_quota_destroy(&sctx->xfroutquota); diff --git a/lib/ns/update.c b/lib/ns/update.c -index 546b70a..9a8c309 100644 +index 546b70a..1871438 100644 --- a/lib/ns/update.c +++ b/lib/ns/update.c @@ -1544,6 +1544,19 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) { 
@@ -171,7 +171,7 @@ index 546b70a..9a8c309 100644 event = (update_event_t *)isc_event_allocate( client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL, sizeof(*event)); -@@ -1676,12 +1689,19 @@ failure: +@@ -1676,12 +1689,18 @@ failure: dns_zone_gettype(zone) == dns_zone_mirror); inc_stats(client, zone, ns_statscounter_updaterej); } @@ -184,7 +184,6 @@ index 546b70a..9a8c309 100644 - respond(client, result); + if (result == DNS_R_DROP) { + ns_client_drop(client, result); -+ isc_nmhandle_detach(&client->reqhandle); + } else { + respond(client, result); + } @@ -192,7 +191,7 @@ index 546b70a..9a8c309 100644 if (zone != NULL) { dns_zone_detach(&zone); } -@@ -3489,6 +3509,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) { +@@ -3489,6 +3508,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) { respond(client, uev->result); @@ -200,7 +199,7 @@ index 546b70a..9a8c309 100644 isc_event_free(&event); isc_nmhandle_detach(&client->updatehandle); } -@@ -3505,6 +3526,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) { +@@ -3505,6 +3525,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) { INSIST(client->nupdates > 0); client->nupdates--; respond(client, DNS_R_SERVFAIL); @@ -209,7 +208,7 @@ index 546b70a..9a8c309 100644 isc_event_free(&event); isc_nmhandle_detach(&client->updatehandle); } -@@ -3542,6 +3565,8 @@ forward_done(isc_task_t *task, isc_event_t *event) { +@@ -3542,6 +3564,8 @@ forward_done(isc_task_t *task, isc_event_t *event) { client->nupdates--; ns_client_sendraw(client, uev->answer); dns_message_detach(&uev->answer); @@ -218,7 +217,7 @@ index 546b70a..9a8c309 100644 isc_event_free(&event); isc_nmhandle_detach(&client->updatehandle); } -@@ -3576,6 +3601,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) { +@@ -3576,6 +3600,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) { update_event_t *event = NULL; isc_task_t *zonetask = NULL; 
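Review bot: In the `failure:` hunk (`@@ -184,7 +184,6 @@`) the `DNS_R_DROP` branch now ends at `ns_client_drop(client, result);` with the `isc_nmhandle_detach(&client->reqhandle);` line removed, and neither the patch nor the commit message says what releases that handle reference on this path. This branch is presumably the one taken when the new update quota is exceeded, so it runs once per rejected request under the flood that CVE-2022-3094 describes. An unbalanced reference there would either accumulate handles or detach one twice. Which of those applies depends on `ns_client_drop()` and `respond()` in the 9.16.23 tree, which the hunk does not show. I would record the reason in the patch, for example a comment above the branch along the lines of `/* no detach of client->reqhandle here: released by the drop path (confirm against ns_client_drop) */`. I would also confirm that the upforwd system test drives enough over-quota updates to expose a leak or an assertion. The enclosing function begins and ends outside the hunk.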
@@ -237,5 +236,5 @@ index 546b70a..9a8c309 100644 client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL, sizeof(*event)); -- -2.39.1 +2.39.2 diff --git a/bind-9.16-CVE-2022-3094-test.patch b/bind-9.16-CVE-2022-3094-test.patch index 37b64de..e2ed49e 100644 --- a/bind-9.16-CVE-2022-3094-test.patch +++ b/bind-9.16-CVE-2022-3094-test.patch @@ -1,4 +1,4 @@ -From 630529ea7d4587703008de1465021bdde2a3a971 Mon Sep 17 00:00:00 2001 +From 54e281c11ee13eabc3c51d6391a58fc90836000c Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 9 Nov 2022 21:56:16 -0800 Subject: [PATCH] test failure conditions @@ -132,7 +132,7 @@ index 7bd13d3..2f690ff 100644 diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in new file mode 100644 -index 0000000..86d7469 +index 0000000..e15459a --- /dev/null +++ b/bin/tests/system/upforwd/ns3/named2.conf.in @@ -0,0 +1,41 @@ @@ -164,7 +164,7 @@ index 0000000..86d7469 + +key rndc_key { + secret "1234abcd8765"; -+ algorithm @DEFAULT_HMAC@; ++ algorithm hmac-sha256; +}; + +controls { @@ -268,5 +268,5 @@ index 8062d68..20fc46f 100644 echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 -- -2.39.1 +2.39.2 diff --git a/bind.spec b/bind.spec index 5bf7d83..2be021c 100644 --- a/bind.spec +++ b/bind.spec @@ -51,7 +51,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -1162,6 +1162,9 @@ fi; %endif %changelog +* Sat Feb 25 2023 Petr Menšík - 32:9.16.23-10 +- Handle subtle difference between upstream and rhel (CVE-2022-3094) + * Wed Feb 08 2023 Petr Menšík - 32:9.16.23-9 - Prevent flooding with UPDATE requests (CVE-2022-3094) - Handle RRSIG queries when server-stale is active (CVE-2022-3736)
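Review bot: In the `named2.conf.in` hunk (`@@ -164,7 +164,7 @@`), `algorithm hmac-sha256;` for `key rndc_key` replaces the `@DEFAULT_HMAC@` template token with a literal, and nothing states why. If this is because the 9.16.23 test harness does not substitute that token (likely, given the commit message mentions the upforwd failure, but not visible here), the patch header or the spec changelog should say so. A line such as `# downstream: @DEFAULT_HMAC@ is not expanded in 9.16.23, algorithm fixed to hmac-sha256` would do. The literal also has to match the algorithm in the rndc configuration this test uses for ns3, which is outside this diff, so it is worth checking that the two agree.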