Prevent assertion failure when nxdomain-redirect is used with

RFC 1918 reverse zones 6316. [security] Specific queries could trigger an assertion check with nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281] Resolves: RHEL-25353 ; Resolves: CVE-2023-5517
2024-02-12 20:39:47 +01:00 · 2024-02-12 20:39:47 +01:00 · e09e829119
commit e09e829119
parent deeca182e3
2 changed files with 115 additions and 0 deletions
--- a/bind-9.16-CVE-2023-5517.patch
+++ b/bind-9.16-CVE-2023-5517.patch
@ -0,0 +1,111 @@
+From bef141d5795429cab745f29f7d080d1e2ea8f164 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 12 Feb 2024 20:33:41 +0100
+Subject: [PATCH] Prevent assertion failure when nxdomain-redirect is used with
+ RFC 1918 reverse zones
+
+6316.	[security]	Specific queries could trigger an assertion check with
+			nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
+---
+ lib/ns/query.c | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 4fe3e30..cc1d179 100644
+--- a/lib/ns/query.c
+++ b/lib/ns/query.c
+@@ -453,10 +453,10 @@ static void
+ query_addnxrrsetnsec(query_ctx_t *qctx);
+ 
+ static isc_result_t
+-query_nxdomain(query_ctx_t *qctx, bool empty_wild);
+query_nxdomain(query_ctx_t *qctx, isc_result_t result);
+ 
+ static isc_result_t
+-query_redirect(query_ctx_t *qctx);
+query_redirect(query_ctx_t *qctx, isc_result_t result);
+ 
+ static isc_result_t
+ query_ncache(query_ctx_t *qctx, isc_result_t result);
+@@ -7262,8 +7262,7 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
+  * result from the search.
+  */
+ static isc_result_t
+-query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
+-	isc_result_t result = res;
+query_gotanswer(query_ctx_t *qctx, isc_result_t result) {
+ 	char errmsg[256];
+ 
+ 	CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer");
+@@ -7333,16 +7332,16 @@ root_key_sentinel:
+ 		return (query_nodata(qctx, DNS_R_NXRRSET));
+ 
+ 	case DNS_R_EMPTYWILD:
+-		return (query_nxdomain(qctx, true));
+		return (query_nxdomain(qctx, DNS_R_EMPTYWILD));
+ 
+ 	case DNS_R_NXDOMAIN:
+-		return (query_nxdomain(qctx, false));
+		return (query_nxdomain(qctx, DNS_R_NXDOMAIN));
+ 
+ 	case DNS_R_COVERINGNSEC:
+ 		return (query_coveringnsec(qctx));
+ 
+ 	case DNS_R_NCACHENXDOMAIN:
+-		result = query_redirect(qctx);
+		result = query_redirect(qctx, result);
+ 		if (result != ISC_R_COMPLETE) {
+ 			return (result);
+ 		}
+@@ -9155,10 +9154,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) {
+  * Handle NXDOMAIN and empty wildcard responses.
+  */
+ static isc_result_t
+-query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
+query_nxdomain(query_ctx_t *qctx, isc_result_t result) {
+ 	dns_section_t section;
+ 	uint32_t ttl;
+-	isc_result_t result;
+	bool empty_wild = (result == DNS_R_EMPTYWILD);
+ 
+ 	CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain");
+ 
+@@ -9167,7 +9166,7 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
+ 	INSIST(qctx->is_zone || REDIRECT(qctx->client));
+ 
+ 	if (!empty_wild) {
+-		result = query_redirect(qctx);
+		result = query_redirect(qctx, result);
+ 		if (result != ISC_R_COMPLETE) {
+ 			return (result);
+ 		}
+@@ -9253,7 +9252,7 @@ cleanup:
+  * redirecting, so query processing should continue past it.
+  */
+ static isc_result_t
+-query_redirect(query_ctx_t *qctx) {
+query_redirect(query_ctx_t *qctx, isc_result_t saved_result) {
+ 	isc_result_t result;
+ 
+ 	CCTRACE(ISC_LOG_DEBUG(3), "query_redirect");
+@@ -9294,7 +9293,7 @@ query_redirect(query_ctx_t *qctx) {
+ 		SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset);
+ 		SAVE(qctx->client->query.redirect.sigrdataset,
+ 		     qctx->sigrdataset);
+-		qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN;
+		qctx->client->query.redirect.result = saved_result;
+ 		dns_name_copynf(qctx->fname,
+ 				qctx->client->query.redirect.fname);
+ 		qctx->client->query.redirect.authoritative =
+@@ -9908,7 +9907,7 @@ query_coveringnsec(query_ctx_t *qctx) {
+ 	 * We now have the proof that we have an NXDOMAIN.  Apply
+ 	 * NXDOMAIN redirection if configured.
+ 	 */
+-	result = query_redirect(qctx);
+	result = query_redirect(qctx, DNS_R_COVERINGNSEC);
+ 	if (result != ISC_R_COMPLETE) {
+ 		redirected = true;
+ 		goto cleanup;
+-- 
+2.43.0
+
--- a/bind.spec
+++ b/bind.spec
@ -136,6 +136,7 @@ Patch192: bind-9.16-CVE-2023-3341.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/8924adca613ca9daea63786563cce6fdbd742c56
 Patch193: bind-9.16-update-b.root-servers.net.patch
 Patch194: bind-9.16-CVE-2023-4408.patch
+Patch195: bind-9.16-CVE-2023-5517.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -458,6 +459,7 @@ in HTML and PDF format.
 %patch192 -p1 -b .CVE-2023-3341
 %patch193 -p1 -b .b.root-servers.net
 %patch194 -p1 -b .CVE-2023-4408
+%patch195 -p1 -b .CVE-2023-5517

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1183,6 +1185,8 @@ fi;
 %changelog
 * Mon Feb 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-16
 - Prevent increased CPU load on large DNS messages (CVE-2023-4408)
+- Prevent assertion failure when nxdomain-redirect is used with
+ RFC 1918 reverse zones (CVE-2023-5517)

 * Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-15
 - Update addresses of b.root-servers.net (RHEL-18188)