From e51b6b2b7038975103e8c394c6c8513d3f8c16ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 12 Feb 2024 20:57:02 +0100
Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used

Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.

6317.	[security]	Restore DNS64 state when handling a serve-stale timeout.
			(CVE-2023-5679) [GL #4334]

Resolves: RHEL-25364
; Resolves: CVE-2023-5679
---
 bind-9.16-CVE-2023-5679.patch | 37 +++++++++++++++++++++++++++++++++++
 bind.spec                     |  3 +++
 2 files changed, 40 insertions(+)
 create mode 100644 bind-9.16-CVE-2023-5679.patch

diff --git a/bind-9.16-CVE-2023-5679.patch b/bind-9.16-CVE-2023-5679.patch
new file mode 100644
index 0000000..0b05b9b
--- /dev/null
+++ b/bind-9.16-CVE-2023-5679.patch
@@ -0,0 +1,37 @@
+From 61112d1ce39848e08ec133f280cf8f729cb70d16 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 12 Feb 2024 20:41:43 +0100
+Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used
+
+Enabling both DNS64 and serve-stale may cause an assertion failure
+during recursive resolution.
+
+6317.	[security]	Restore DNS64 state when handling a serve-stale timeout.
+			(CVE-2023-5679) [GL #4334]
+
+Resolves: CVE-2023-5679
+---
+ lib/ns/query.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index cc1d179..1993800 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -5983,6 +5983,13 @@ query_lookup_stale(ns_client_t *client) {
+ 	query_ctx_t qctx;
+ 
+ 	qctx_init(client, NULL, client->query.qtype, &qctx);
++	if (DNS64(client)) {
++		qctx.qtype = qctx.type = dns_rdatatype_a;
++		qctx.dns64 = true;
++	}
++	if (DNS64EXCLUDE(client)) {
++		qctx.dns64_exclude = true;
++	}
+ 	dns_db_attach(client->view->cachedb, &qctx.db);
+ 	client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
+ 	client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
+-- 
+2.43.0
+
diff --git a/bind.spec b/bind.spec
index e6ffef1..20ee295 100644
--- a/bind.spec
+++ b/bind.spec
@@ -137,6 +137,7 @@ Patch192: bind-9.16-CVE-2023-3341.patch
 Patch193: bind-9.16-update-b.root-servers.net.patch
 Patch194: bind-9.16-CVE-2023-4408.patch
 Patch195: bind-9.16-CVE-2023-5517.patch
+Patch196: bind-9.16-CVE-2023-5679.patch
 
 %{?systemd_ordering}
 Requires:       coreutils
@@ -460,6 +461,7 @@ in HTML and PDF format.
 %patch193 -p1 -b .b.root-servers.net
 %patch194 -p1 -b .CVE-2023-4408
 %patch195 -p1 -b .CVE-2023-5517
+%patch196 -p1 -b .CVE-2023-5679
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1187,6 +1189,7 @@ fi;
 - Prevent increased CPU load on large DNS messages (CVE-2023-4408)
 - Prevent assertion failure when nxdomain-redirect is used with
  RFC 1918 reverse zones (CVE-2023-5517)
+- Prevent assertion failure if DNS64 and serve-stale is used (CVE-2023-5679)
 
 * Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-15
 - Update addresses of b.root-servers.net (RHEL-18188)