Prevent assertion failure when nxdomain-redirect is used with
RFC 1918 reverse zones 6316. [security] Specific queries could trigger an assertion check with nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281] Resolves: RHEL-25353 ; Resolves: CVE-2023-5517
This commit is contained in:
parent
deeca182e3
commit
e09e829119
111
bind-9.16-CVE-2023-5517.patch
Normal file
111
bind-9.16-CVE-2023-5517.patch
Normal file
@ -0,0 +1,111 @@
|
|||||||
|
From bef141d5795429cab745f29f7d080d1e2ea8f164 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Mon, 12 Feb 2024 20:33:41 +0100
|
||||||
|
Subject: [PATCH] Prevent assertion failure when nxdomain-redirect is used with
|
||||||
|
RFC 1918 reverse zones
|
||||||
|
|
||||||
|
6316. [security] Specific queries could trigger an assertion check with
|
||||||
|
nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
|
||||||
|
---
|
||||||
|
lib/ns/query.c | 25 ++++++++++++-------------
|
||||||
|
1 file changed, 12 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||||
|
index 4fe3e30..cc1d179 100644
|
||||||
|
--- a/lib/ns/query.c
|
||||||
|
+++ b/lib/ns/query.c
|
||||||
|
@@ -453,10 +453,10 @@ static void
|
||||||
|
query_addnxrrsetnsec(query_ctx_t *qctx);
|
||||||
|
|
||||||
|
static isc_result_t
|
||||||
|
-query_nxdomain(query_ctx_t *qctx, bool empty_wild);
|
||||||
|
+query_nxdomain(query_ctx_t *qctx, isc_result_t result);
|
||||||
|
|
||||||
|
static isc_result_t
|
||||||
|
-query_redirect(query_ctx_t *qctx);
|
||||||
|
+query_redirect(query_ctx_t *qctx, isc_result_t result);
|
||||||
|
|
||||||
|
static isc_result_t
|
||||||
|
query_ncache(query_ctx_t *qctx, isc_result_t result);
|
||||||
|
@@ -7262,8 +7262,7 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
|
||||||
|
* result from the search.
|
||||||
|
*/
|
||||||
|
static isc_result_t
|
||||||
|
-query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
|
||||||
|
- isc_result_t result = res;
|
||||||
|
+query_gotanswer(query_ctx_t *qctx, isc_result_t result) {
|
||||||
|
char errmsg[256];
|
||||||
|
|
||||||
|
CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer");
|
||||||
|
@@ -7333,16 +7332,16 @@ root_key_sentinel:
|
||||||
|
return (query_nodata(qctx, DNS_R_NXRRSET));
|
||||||
|
|
||||||
|
case DNS_R_EMPTYWILD:
|
||||||
|
- return (query_nxdomain(qctx, true));
|
||||||
|
+ return (query_nxdomain(qctx, DNS_R_EMPTYWILD));
|
||||||
|
|
||||||
|
case DNS_R_NXDOMAIN:
|
||||||
|
- return (query_nxdomain(qctx, false));
|
||||||
|
+ return (query_nxdomain(qctx, DNS_R_NXDOMAIN));
|
||||||
|
|
||||||
|
case DNS_R_COVERINGNSEC:
|
||||||
|
return (query_coveringnsec(qctx));
|
||||||
|
|
||||||
|
case DNS_R_NCACHENXDOMAIN:
|
||||||
|
- result = query_redirect(qctx);
|
||||||
|
+ result = query_redirect(qctx, result);
|
||||||
|
if (result != ISC_R_COMPLETE) {
|
||||||
|
return (result);
|
||||||
|
}
|
||||||
|
@@ -9155,10 +9154,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) {
|
||||||
|
* Handle NXDOMAIN and empty wildcard responses.
|
||||||
|
*/
|
||||||
|
static isc_result_t
|
||||||
|
-query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
|
||||||
|
+query_nxdomain(query_ctx_t *qctx, isc_result_t result) {
|
||||||
|
dns_section_t section;
|
||||||
|
uint32_t ttl;
|
||||||
|
- isc_result_t result;
|
||||||
|
+ bool empty_wild = (result == DNS_R_EMPTYWILD);
|
||||||
|
|
||||||
|
CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain");
|
||||||
|
|
||||||
|
@@ -9167,7 +9166,7 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
|
||||||
|
INSIST(qctx->is_zone || REDIRECT(qctx->client));
|
||||||
|
|
||||||
|
if (!empty_wild) {
|
||||||
|
- result = query_redirect(qctx);
|
||||||
|
+ result = query_redirect(qctx, result);
|
||||||
|
if (result != ISC_R_COMPLETE) {
|
||||||
|
return (result);
|
||||||
|
}
|
||||||
|
@@ -9253,7 +9252,7 @@ cleanup:
|
||||||
|
* redirecting, so query processing should continue past it.
|
||||||
|
*/
|
||||||
|
static isc_result_t
|
||||||
|
-query_redirect(query_ctx_t *qctx) {
|
||||||
|
+query_redirect(query_ctx_t *qctx, isc_result_t saved_result) {
|
||||||
|
isc_result_t result;
|
||||||
|
|
||||||
|
CCTRACE(ISC_LOG_DEBUG(3), "query_redirect");
|
||||||
|
@@ -9294,7 +9293,7 @@ query_redirect(query_ctx_t *qctx) {
|
||||||
|
SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset);
|
||||||
|
SAVE(qctx->client->query.redirect.sigrdataset,
|
||||||
|
qctx->sigrdataset);
|
||||||
|
- qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN;
|
||||||
|
+ qctx->client->query.redirect.result = saved_result;
|
||||||
|
dns_name_copynf(qctx->fname,
|
||||||
|
qctx->client->query.redirect.fname);
|
||||||
|
qctx->client->query.redirect.authoritative =
|
||||||
|
@@ -9908,7 +9907,7 @@ query_coveringnsec(query_ctx_t *qctx) {
|
||||||
|
* We now have the proof that we have an NXDOMAIN. Apply
|
||||||
|
* NXDOMAIN redirection if configured.
|
||||||
|
*/
|
||||||
|
- result = query_redirect(qctx);
|
||||||
|
+ result = query_redirect(qctx, DNS_R_COVERINGNSEC);
|
||||||
|
if (result != ISC_R_COMPLETE) {
|
||||||
|
redirected = true;
|
||||||
|
goto cleanup;
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
@ -136,6 +136,7 @@ Patch192: bind-9.16-CVE-2023-3341.patch
|
|||||||
# https://gitlab.isc.org/isc-projects/bind9/commit/8924adca613ca9daea63786563cce6fdbd742c56
|
# https://gitlab.isc.org/isc-projects/bind9/commit/8924adca613ca9daea63786563cce6fdbd742c56
|
||||||
Patch193: bind-9.16-update-b.root-servers.net.patch
|
Patch193: bind-9.16-update-b.root-servers.net.patch
|
||||||
Patch194: bind-9.16-CVE-2023-4408.patch
|
Patch194: bind-9.16-CVE-2023-4408.patch
|
||||||
|
Patch195: bind-9.16-CVE-2023-5517.patch
|
||||||
|
|
||||||
%{?systemd_ordering}
|
%{?systemd_ordering}
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
@ -458,6 +459,7 @@ in HTML and PDF format.
|
|||||||
%patch192 -p1 -b .CVE-2023-3341
|
%patch192 -p1 -b .CVE-2023-3341
|
||||||
%patch193 -p1 -b .b.root-servers.net
|
%patch193 -p1 -b .b.root-servers.net
|
||||||
%patch194 -p1 -b .CVE-2023-4408
|
%patch194 -p1 -b .CVE-2023-4408
|
||||||
|
%patch195 -p1 -b .CVE-2023-5517
|
||||||
|
|
||||||
%if %{with PKCS11}
|
%if %{with PKCS11}
|
||||||
%patch135 -p1 -b .config-pkcs11
|
%patch135 -p1 -b .config-pkcs11
|
||||||
@ -1183,6 +1185,8 @@ fi;
|
|||||||
%changelog
|
%changelog
|
||||||
* Mon Feb 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-16
|
* Mon Feb 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-16
|
||||||
- Prevent increased CPU load on large DNS messages (CVE-2023-4408)
|
- Prevent increased CPU load on large DNS messages (CVE-2023-4408)
|
||||||
|
- Prevent assertion failure when nxdomain-redirect is used with
|
||||||
|
RFC 1918 reverse zones (CVE-2023-5517)
|
||||||
|
|
||||||
* Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-15
|
* Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-15
|
||||||
- Update addresses of b.root-servers.net (RHEL-18188)
|
- Update addresses of b.root-servers.net (RHEL-18188)
|
||||||
|
Loading…
Reference in New Issue
Block a user