diff --git a/bind-9.16-CVE-2023-5517.patch b/bind-9.16-CVE-2023-5517.patch new file mode 100644 index 0000000..86a8cfd --- /dev/null +++ b/bind-9.16-CVE-2023-5517.patch @@ -0,0 +1,111 @@ +From bef141d5795429cab745f29f7d080d1e2ea8f164 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 12 Feb 2024 20:33:41 +0100 +Subject: [PATCH] Prevent assertion failure when nxdomain-redirect is used with + RFC 1918 reverse zones + +6316. [security] Specific queries could trigger an assertion check with + nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281] +--- + lib/ns/query.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +diff --git a/lib/ns/query.c b/lib/ns/query.c +index 4fe3e30..cc1d179 100644 +--- a/lib/ns/query.c ++++ b/lib/ns/query.c +@@ -453,10 +453,10 @@ static void + query_addnxrrsetnsec(query_ctx_t *qctx); + + static isc_result_t +-query_nxdomain(query_ctx_t *qctx, bool empty_wild); ++query_nxdomain(query_ctx_t *qctx, isc_result_t result); + + static isc_result_t +-query_redirect(query_ctx_t *qctx); ++query_redirect(query_ctx_t *qctx, isc_result_t result); + + static isc_result_t + query_ncache(query_ctx_t *qctx, isc_result_t result); +@@ -7262,8 +7262,7 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) { + * result from the search. + */ + static isc_result_t +-query_gotanswer(query_ctx_t *qctx, isc_result_t res) { +- isc_result_t result = res; ++query_gotanswer(query_ctx_t *qctx, isc_result_t result) { + char errmsg[256]; + + CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer"); +@@ -7333,16 +7332,16 @@ root_key_sentinel: + return (query_nodata(qctx, DNS_R_NXRRSET)); + + case DNS_R_EMPTYWILD: +- return (query_nxdomain(qctx, true)); ++ return (query_nxdomain(qctx, DNS_R_EMPTYWILD)); + + case DNS_R_NXDOMAIN: +- return (query_nxdomain(qctx, false)); ++ return (query_nxdomain(qctx, DNS_R_NXDOMAIN)); + + case DNS_R_COVERINGNSEC: + return (query_coveringnsec(qctx)); + + case DNS_R_NCACHENXDOMAIN: +- result = query_redirect(qctx); ++ result = query_redirect(qctx, result); + if (result != ISC_R_COMPLETE) { + return (result); + } +@@ -9155,10 +9154,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) { + * Handle NXDOMAIN and empty wildcard responses. + */ + static isc_result_t +-query_nxdomain(query_ctx_t *qctx, bool empty_wild) { ++query_nxdomain(query_ctx_t *qctx, isc_result_t result) { + dns_section_t section; + uint32_t ttl; +- isc_result_t result; ++ bool empty_wild = (result == DNS_R_EMPTYWILD); + + CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain"); + +@@ -9167,7 +9166,7 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) { + INSIST(qctx->is_zone || REDIRECT(qctx->client)); + + if (!empty_wild) { +- result = query_redirect(qctx); ++ result = query_redirect(qctx, result); + if (result != ISC_R_COMPLETE) { + return (result); + } +@@ -9253,7 +9252,7 @@ cleanup: + * redirecting, so query processing should continue past it. + */ + static isc_result_t +-query_redirect(query_ctx_t *qctx) { ++query_redirect(query_ctx_t *qctx, isc_result_t saved_result) { + isc_result_t result; + + CCTRACE(ISC_LOG_DEBUG(3), "query_redirect"); +@@ -9294,7 +9293,7 @@ query_redirect(query_ctx_t *qctx) { + SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset); + SAVE(qctx->client->query.redirect.sigrdataset, + qctx->sigrdataset); +- qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN; ++ qctx->client->query.redirect.result = saved_result; + dns_name_copynf(qctx->fname, + qctx->client->query.redirect.fname); + qctx->client->query.redirect.authoritative = +@@ -9908,7 +9907,7 @@ query_coveringnsec(query_ctx_t *qctx) { + * We now have the proof that we have an NXDOMAIN. Apply + * NXDOMAIN redirection if configured. + */ +- result = query_redirect(qctx); ++ result = query_redirect(qctx, DNS_R_COVERINGNSEC); + if (result != ISC_R_COMPLETE) { + redirected = true; + goto cleanup; +-- +2.43.0 + diff --git a/bind9.16.spec b/bind9.16.spec index 4a3288e..f65614c 100644 --- a/bind9.16.spec +++ b/bind9.16.spec @@ -130,6 +130,7 @@ Patch187: bind-9.16-CVE-2022-3924.patch Patch188: bind-9.16-CVE-2023-2828.patch Patch189: bind-9.16-CVE-2023-3341.patch Patch194: bind-9.16-CVE-2023-4408.patch +Patch195: bind-9.16-CVE-2023-5517.patch %{?systemd_ordering} Requires: coreutils @@ -444,6 +445,7 @@ in HTML and PDF format. %patch188 -p1 -b .CVE-2023-2828 %patch189 -p1 -b .CVE-2023-3341 %patch194 -p1 -b .CVE-2023-4408 +%patch195 -p1 -b .CVE-2023-5517 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -1165,6 +1167,8 @@ fi; %changelog * Mon Feb 12 2024 Petr Menšík - 32:9.16.23-0.17 - Prevent increased CPU load on large DNS messages (CVE-2023-4408) +- Prevent assertion failure when nxdomain-redirect is used with + RFC 1918 reverse zones (CVE-2023-5517) * Wed Sep 20 2023 Petr Menšík - 32:9.16.23-0.16 - Limit the amount of recursion possible in control channel (CVE-2023-3341)