Prevent assertion failure if DNS64 and serve-stale is used

Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.

6317.	[security]	Restore DNS64 state when handling a serve-stale timeout.
			(CVE-2023-5679) [GL #4334]

Resolves: RHEL-25370
; Resolves: CVE-2023-5679
This commit is contained in:
Petr Menšík 2024-02-12 20:57:02 +01:00
parent b734ab50d3
commit 3fb3b2d2bd
2 changed files with 40 additions and 0 deletions

View File

@ -0,0 +1,37 @@
From 61112d1ce39848e08ec133f280cf8f729cb70d16 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 12 Feb 2024 20:41:43 +0100
Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used
Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
(CVE-2023-5679) [GL #4334]
Resolves: CVE-2023-5679
---
lib/ns/query.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index cc1d179..1993800 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5983,6 +5983,13 @@ query_lookup_stale(ns_client_t *client) {
query_ctx_t qctx;
qctx_init(client, NULL, client->query.qtype, &qctx);
+ if (DNS64(client)) {
+ qctx.qtype = qctx.type = dns_rdatatype_a;
+ qctx.dns64 = true;
+ }
+ if (DNS64EXCLUDE(client)) {
+ qctx.dns64_exclude = true;
+ }
dns_db_attach(client->view->cachedb, &qctx.db);
client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
--
2.43.0

View File

@ -131,6 +131,7 @@ Patch188: bind-9.16-CVE-2023-2828.patch
Patch189: bind-9.16-CVE-2023-3341.patch
Patch194: bind-9.16-CVE-2023-4408.patch
Patch195: bind-9.16-CVE-2023-5517.patch
Patch196: bind-9.16-CVE-2023-5679.patch
%{?systemd_ordering}
Requires: coreutils
@ -446,6 +447,7 @@ in HTML and PDF format.
%patch189 -p1 -b .CVE-2023-3341
%patch194 -p1 -b .CVE-2023-4408
%patch195 -p1 -b .CVE-2023-5517
%patch196 -p1 -b .CVE-2023-5679
%if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11
@ -1169,6 +1171,7 @@ fi;
- Prevent increased CPU load on large DNS messages (CVE-2023-4408)
- Prevent assertion failure when nxdomain-redirect is used with
RFC 1918 reverse zones (CVE-2023-5517)
- Prevent assertion failure if DNS64 and serve-stale is used (CVE-2023-5679)
* Wed Sep 20 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.16
- Limit the amount of recursion possible in control channel (CVE-2023-3341)