import bind9.16-9.16.23-0.11.el8

2022-11-11 04:10:45 +00:00 · 2022-11-11 04:10:45 +00:00 · d256eea481
parent 90072b38c5
commit d256eea481
2 changed files with 69 additions and 2 deletions
--- a/SOURCES/bind-9.16-CVE-2022-2795.patch
+++ b/SOURCES/bind-9.16-CVE-2022-2795.patch
@ -0,0 +1,60 @@
+From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered.  Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index d2cf14bbc8..73a0ee9f77 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 	bool need_alternate = false;
+ 	bool all_spilled = true;
+ 	unsigned int no_addresses = 0;
+	unsigned int ns_processed = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3902,6 +3909,11 @@ normal_nses:
+ 
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdata_freestruct(&ns);
+
+		if (++ns_processed >= NS_PROCESSING_LIMIT) {
+			result = ISC_R_NOMORE;
+			break;
+		}
+ 	}
+ 	if (result != ISC_R_NOMORE) {
+ 		return (result);
+-- 
+2.37.3
+
--- a/SPECS/bind9.16.spec
+++ b/SPECS/bind9.16.spec
@ -57,7 +57,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind9.16
 License:  MPLv2.0
 Version:  9.16.23
-Release:  0.9%{?dist}.1
+Release:  0.11%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -114,6 +114,9 @@ Patch174:bind-9.16-CVE-2021-25220-test.patch
 Patch175:bind-9.16-CVE-2022-3080.patch
 Patch176:bind-9.16-CVE-2022-38177.patch
 Patch177:bind-9.16-CVE-2022-38178.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6793
+# https://gitlab.isc.org/isc-projects/bind9/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
+Patch178:bind-9.16-CVE-2022-2795.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -418,6 +421,7 @@ in HTML and PDF format.
 %patch175 -p1 -b .CVE-2022-3080
 %patch176 -p1 -b .CVE-2022-38177
 %patch177 -p1 -b .CVE-2022-38178
+%patch178 -p1 -b .CVE-2022-2795

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1137,7 +1141,10 @@ fi;
 %endif

 %changelog
-* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.9.1
+* Tue Oct 04 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.11
+- Bound the amount of work performed for delegations (CVE-2022-2795)
+
+* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.10
 - Fix possible serve-stale related crash (CVE-2022-3080)
 - Fix memory leak in ECDSA verify processing (CVE-2022-38177)
 - Fix memory leak in EdDSA verify processing (CVE-2022-38178)