From 221d0bd319681324e32f54fc92e2fad307ebcbc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 25 Mar 2024 10:44:24 +0100
Subject: [PATCH] Stop crashes at masterformat system tests

Fix of CVE-2023-6516 has changed format of map file and masterformat has started crashing. Adjust test values to pass cleanly.
; Resolves: CVE-2023-6516
Resolves: RHEL-25381
---
 bind-9.16-CVE-2023-6516-test.patch | 52 ++++++++++++++++++++++++++++++
 bind9.16.spec | 8 ++++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 bind-9.16-CVE-2023-6516-test.patch

diff --git a/bind-9.16-CVE-2023-6516-test.patch b/bind-9.16-CVE-2023-6516-test.patch
new file mode 100644
index 0000000..8ce8ec2
--- /dev/null
+++ b/bind-9.16-CVE-2023-6516-test.patch
@@ -0,0 +1,52 @@
+From e91ab7758bed0cf3dcf8ed745f91063d7ec4011c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
+Date: Thu, 4 Jan 2024 13:39:27 +0100
+Subject: [PATCH] Fix map offsets in the "masterformat" system test
+
+The "masterformat" system test attempts to check named-checkzone
+behavior when it is fed corrupt map-format zone files. However, despite
+the RBTDB and RBT structures having evolved over the years, the offsets
+at which a valid map-format zone file is malformed by the "masterformat"
+test have not been updated accordingly, causing the relevant checks to
+introduce a different type of corruption than they were originally meant
+to cause:
+
+ - the "bad node header" check originally mangled the 'type' member of
+ the rdatasetheader_t structure for cname.example.nil,
+
+ - the "bad node data" check originally mangled the 'serial' and
+ 'rdh_ttl' members of the rdatasetheader_t structure for
+ aaaa.example.nil.
+
+Update the offsets at which the map-format zone file is malformed at by
+the "masterformat" system test so that the relevant checks fulfill their
+original purpose again.
+---
+ bin/tests/system/masterformat/tests.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh
+index 364a0d2..bb4e6ec 100755
+--- a/bin/tests/system/masterformat/tests.sh
++++ b/bin/tests/system/masterformat/tests.sh
+@@ -295,7 +295,7 @@ status=$((status+ret))
+ echo_i "checking corrupt map files fail to load (bad node header) ($n)"
+ ret=0
+ cp map.5 badmap
+-stomp badmap 2754 2 99
++stomp badmap 3706 2 99
+ $CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null
+ [ $? = 1 ] || ret=1
+ n=$((n+1))
+@@ -305,7 +305,7 @@ status=$((status+ret))
+ echo_i "checking corrupt map files fail to load (bad node data) ($n)"
+ ret=0
+ cp map.5 badmap
+-stomp badmap 2897 5 127
++stomp badmap 3137 5 127
+ $CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null
+ [ $? = 1 ] || ret=1
+ n=$((n+1))
+--
+2.44.0
+
diff --git a/bind9.16.spec b/bind9.16.spec
index 9ab87f1..f108032 100644
--- a/bind9.16.spec
+++ b/bind9.16.spec
@@ -57,7 +57,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind9.16
 License: MPLv2.0
 Version: 9.16.23
-Release: 0.17%{?dist}
+Release: 0.18%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -144,6 +144,8 @@ Patch201: bind-9.16-system-test-cds.patch
 Patch202: bind-9.16-isc-mempool-attach.patch
 # Downstream only change, complements patch 198
 Patch203: bind-9.16-isc_hp-CVE-2023-50387.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/1237d73cd1120b146ee699bbae7b2fe837cf2f98
+Patch204: bind-9.16-CVE-2023-6516-test.patch
 
 %{?systemd_ordering}
 Requires: coreutils
@@ -468,6 +470,7 @@ in HTML and PDF format.
 %patch201 -p1 -b .test-variant-def
 %patch202 -p1 -b .mempool-attach
 %patch203 -p1 -b .isc_hp-CVE-2023-50387
+%patch204 -p1 -b .CVE-2023-6516-test
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1192,6 +1195,9 @@ fi;
 %endif
 
 %changelog
+* Mon Mar 25 2024 Petr Menšík - 32:9.16.23-0.18
+- Prevent crashing at masterformat system test (CVE-2023-6516)
+
 * Mon Feb 12 2024 Petr Menšík - 32:9.16.23-0.17
 - Prevent increased CPU load on large DNS messages (CVE-2023-4408)
 - Prevent assertion failure when nxdomain-redirect is used with
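Review bot: The two replaced `stomp` offsets in the embedded tests.sh patch (3706 and 3137) are bare byte positions, and nothing in the script ties them to the field they are meant to corrupt; the embedded commit message says that is how the old values drifted unnoticed. I would add a comment above each, e.g. `# 3706: 'type' of rdatasetheader_t for cname.example.nil in map.5` and `# 3137: 'serial'/'rdh_ttl' of rdatasetheader_t for aaaa.example.nil`, so the next layout change is caught in review. The outer commit message also says the test crashed with the old offsets after the CVE-2023-6516 fix. If that was named-checkzone aborting rather than exiting 1, a map file damaged at those positions is not rejected cleanly; that deserves its own tracking entry, because moving the offsets only stops the test from exercising it. Both hunks cut through tests.sh, so the rest of the script is not visible here.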
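Review bot: In the `@@ -144,6 +144,8 @@` hunk, the comment above `Patch204` cites upstream commit 1237d73cd1120b146ee699bbae7b2fe837cf2f98, but the patch file added by this same commit carries e91ab7758bed0cf3dcf8ed745f91063d7ec4011c in its own `From` line. Presumably one is the original commit and the other a branch backport, but a reader verifying provenance cannot tell which from the spec. I would make the comment explicit, e.g. `# Backport of https://gitlab.isc.org/isc-projects/bind9/commit/1237d73cd1120b146ee699bbae7b2fe837cf2f98 (patch header: e91ab7758bed)`. It is also worth stating there that the patch only adjusts test offsets, since the changelog line tags it with CVE-2023-6516 and could be read as a code fix.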