import UBI bind-9.16.23-29.el9_6

This commit is contained in:
eabdullin 2025-06-24 11:10:35 +00:00
parent b7d155151e
commit eeaa229f36
3 changed files with 145 additions and 1 deletions

View File

@ -0,0 +1,90 @@
From 5bc7cd7a7b9c37e5c70ccf74c5485a02411aaef5 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 25 Apr 2025 02:00:00 +0200
Subject: [PATCH] Insert additional checks ensuring name is not relative
Mitigation for crashes put in various places, where obviously relative
uninitialized name must not appear. This seems unnecessary once true
cause were identified, but may prevent similar places.
---
lib/ns/query.c | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 11d2520..7e8a4d2 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -2203,6 +2203,20 @@ regular:
CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
}
+static void
+log_query_relative(query_ctx_t *qctx, const char *func, const dns_name_t *name) {
+ if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) {
+ char namebuf[DNS_NAME_FORMATSIZE] = "!";
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ ns_client_log(
+ qctx->client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
+ ISC_LOG_DEBUG(1),
+ "%s: fname=%s leading to relative name, aborting query.",
+ func, namebuf
+ );
+ }
+}
+
static void
query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
@@ -2275,6 +2289,11 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
client->query.attributes &= ~NS_QUERYATTR_SECURE;
}
+ if (!qctx->is_zone && mname && !dns_name_isabsolute(mname)) {
+ log_query_relative(qctx, "query_addrrset", mname);
+ QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+ return;
+ }
/*
* Update message name, set rdataset order, and do additional
* section processing if needed.
@@ -8074,6 +8093,11 @@ query_respond_any(query_ctx_t *qctx) {
: qctx->tname;
query_prefetch(qctx->client, name,
qctx->rdataset);
+ if (name && !dns_name_isabsolute(name)) {
+ log_query_relative(qctx, "query_respond_any", name);
+ result = DNS_R_DROP;
+ break;
+ }
}
/*
@@ -10696,6 +10720,11 @@ query_cname(query_ctx_t *qctx) {
if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
+ if (qctx->fname && !dns_name_isabsolute(qctx->fname)) {
+ log_query_relative(qctx, "query_cname", qctx->fname);
+ QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+ return (ns_query_done(qctx));
+ }
}
query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
@@ -10801,7 +10830,13 @@ query_dname(query_ctx_t *qctx) {
if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
+ if (qctx->fname && !dns_name_isabsolute(qctx->fname)) {
+ log_query_relative(qctx, "query_dname", qctx->fname);
+ QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+ return (ns_query_done(qctx));
+ }
}
+
query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
qctx->dbuf, DNS_SECTION_ANSWER);
--
2.49.0

View File

@ -0,0 +1,44 @@
From dc97bfa842b9f0d59db075bdcade599f3767f1ba Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 3 Jun 2025 21:00:58 +0200
Subject: [PATCH] Handle CNAME and DNAME in resume_min in a special way
When authoritative zone is loaded when query minimization query for the
same zone is already pending, it might receive unexpected result codes.
Normally DNS_R_CNAME would follow to query_cname after processing sent
events, but dns_view_findzonecut does not fill CNAME target into
event->foundevent. Usual lookup via query_lookup would always have that
filled.
Ideally we would restart the query with unmodified search name, if
unexpected change from recursing to local zone cut were detected. Until
dns_view_findzonecut is modified to export zone/cache source of the cut,
at least fail queries which went into unexpected state.
---
lib/dns/resolver.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index be1d735..ad0a1b8 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -4508,6 +4508,15 @@ resume_qmin(isc_task_t *task, isc_event_t *event) {
if (result == DNS_R_NXDOMAIN) {
result = DNS_R_SERVFAIL;
}
+ /*
+ * CNAME or DNAME means zone were added with that record
+ * after the start of query minimization queries. It means
+ * we do not have initialized correct hevent->foundname
+ * and have to fail.
+ */
+ if (result == DNS_R_CNAME || result == DNS_R_DNAME) {
+ result = DNS_R_SERVFAIL;
+ }
if (result != ISC_R_SUCCESS) {
fctx_done(fctx, result, __LINE__);
--
2.49.0

View File

@ -56,7 +56,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.16.23
Release: 28%{?dist}
Release: 29%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -179,6 +179,12 @@ Patch214: bind-9.16-CVE-2024-1737-records-test2.patch
# https://gitlab.isc.org/isc-projects/bind9/-/commit/c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0
Patch215: bind-9.18-CVE-2024-11187-pre-test.patch
Patch216: bind-9.18-CVE-2024-11187.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10562
# https://gitlab.isc.org/isc-projects/bind9/-/issues/5357
# downstream patch fixing bind-dyndb-ldap causing issue
Patch217: bind-9.21-resume-qmin-cname.patch
# downstream only, extra check for above change, RHEL-30407
Patch218: bind-9.18-query-fname-relative.patch
%{?systemd_ordering}
Requires: coreutils
@ -1223,6 +1229,10 @@ fi;
%endif
%changelog
* Tue Jun 10 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.23-29
- Prevent name.c:670 attributes assertion failed (RHEL-30407)
- Add extra checks for relative names
* Sat Feb 15 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-28
- Fix test backport changes