From 3fb3b2d2bdec2f09aea4e79c811bd9778fcbc06e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 12 Feb 2024 20:57:02 +0100
Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used

Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution. 6317. [security] Restore DNS64 state when handling a serve-stale timeout. (CVE-2023-5679) [GL #4334] Resolves: RHEL-25370 ; Resolves: CVE-2023-5679
---
bind-9.16-CVE-2023-5679.patch | 37 +++++++++++++++++++++++++++++++++++
bind9.16.spec | 3 +++
2 files changed, 40 insertions(+)
create mode 100644 bind-9.16-CVE-2023-5679.patch

diff --git a/bind-9.16-CVE-2023-5679.patch b/bind-9.16-CVE-2023-5679.patch
new file mode 100644
index 0000000..0b05b9b
--- /dev/null
+++ b/bind-9.16-CVE-2023-5679.patch
@@ -0,0 +1,37 @@
+From 61112d1ce39848e08ec133f280cf8f729cb70d16 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Mon, 12 Feb 2024 20:41:43 +0100
+Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used
+
+Enabling both DNS64 and serve-stale may cause an assertion failure
+during recursive resolution.
+
+6317. [security] Restore DNS64 state when handling a serve-stale timeout.
+ (CVE-2023-5679) [GL #4334]
+
+Resolves: CVE-2023-5679
+---
+ lib/ns/query.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index cc1d179..1993800 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -5983,6 +5983,13 @@ query_lookup_stale(ns_client_t *client) {
+ query_ctx_t qctx;
+
+ qctx_init(client, NULL, client->query.qtype, &qctx);
++ if (DNS64(client)) {
++ qctx.qtype = qctx.type = dns_rdatatype_a;
++ qctx.dns64 = true;
++ }
++ if (DNS64EXCLUDE(client)) {
++ qctx.dns64_exclude = true;
++ }
+ dns_db_attach(client->view->cachedb, &qctx.db);
+ client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
+ client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
+--
+2.43.0
+
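Review bot: The block added after `qctx_init()` in `query_lookup_stale()` carries no comment explaining why the DNS64 fields are set again, so it reads like redundant setup that a later cleanup or rebase could drop and bring the assertion failure back. I would put a comment above the first `if`, for example `/* Re-apply the client's DNS64 state to the fresh qctx before the stale lookup (CVE-2023-5679). */`. The backport also ships no regression test in this patch; a system test that enables DNS64 together with serve-stale would keep the fix from regressing, presumably alongside the existing serve-stale tests. The rest of `query_lookup_stale()` lies outside the hunk, so where the assertion actually fires cannot be checked from here.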
diff --git a/bind9.16.spec b/bind9.16.spec index f65614c..0123823 100644 --- a/bind9.16.spec +++ b/bind9.16.spec @@ -131,6 +131,7 @@ Patch188: bind-9.16-CVE-2023-2828.patch Patch189: bind-9.16-CVE-2023-3341.patch Patch194: bind-9.16-CVE-2023-4408.patch Patch195: bind-9.16-CVE-2023-5517.patch +Patch196: bind-9.16-CVE-2023-5679.patch %{?systemd_ordering} Requires: coreutils @@ -446,6 +447,7 @@ in HTML and PDF format. %patch189 -p1 -b .CVE-2023-3341 %patch194 -p1 -b .CVE-2023-4408 %patch195 -p1 -b .CVE-2023-5517 +%patch196 -p1 -b .CVE-2023-5679 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -1169,6 +1171,7 @@ fi; - Prevent increased CPU load on large DNS messages (CVE-2023-4408) - Prevent assertion failure when nxdomain-redirect is used with RFC 1918 reverse zones (CVE-2023-5517) +- Prevent assertion failure if DNS64 and serve-stale is used (CVE-2023-5679) * Wed Sep 20 2023 Petr Menšík - 32:9.16.23-0.16 - Limit the amount of recursion possible in control channel (CVE-2023-3341)