import CS bind9.18-9.18.29-4.el9_6

2025-09-16 08:05:45 +00:00 · 2025-09-16 08:05:45 +00:00 · b9e5ae32ea
commit b9e5ae32ea
parent 4386d23bdb
3 changed files with 145 additions and 1 deletions
--- a/SOURCES/bind-9.18-query-fname-relative.patch
+++ b/SOURCES/bind-9.18-query-fname-relative.patch
@ -0,0 +1,90 @@
+From 5bc7cd7a7b9c37e5c70ccf74c5485a02411aaef5 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 25 Apr 2025 02:00:00 +0200
+Subject: [PATCH] Insert additional checks ensuring name is not relative
+
+Mitigation for crashes put in various places, where obviously relative
+uninitialized name must not appear. This seems unnecessary once true
+cause were identified, but may prevent similar places.
+---
+ lib/ns/query.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 11d2520..7e8a4d2 100644
+--- a/lib/ns/query.c
+++ b/lib/ns/query.c
+@@ -2203,6 +2203,20 @@ regular:
+ 	CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
+ }
+ 
+static void
+log_query_relative(query_ctx_t *qctx, const char *func, const dns_name_t *name) {
+	if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) {
+		char namebuf[DNS_NAME_FORMATSIZE] = "!";
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		ns_client_log(
+			qctx->client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
+			ISC_LOG_DEBUG(1),
+			"%s: fname=%s leading to relative name, aborting query.",
+			func, namebuf
+		);
+	}
+}
+
+ static void
+ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ 	       dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
+@@ -2275,6 +2289,11 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ 		client->query.attributes &= ~NS_QUERYATTR_SECURE;
+ 	}
+ 
+	if (!qctx->is_zone && mname && !dns_name_isabsolute(mname)) {
+		log_query_relative(qctx, "query_addrrset", mname);
+		QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+		return;
+	}
+ 	/*
+ 	 * Update message name, set rdataset order, and do additional
+ 	 * section processing if needed.
+@@ -8074,6 +8093,11 @@ query_respond_any(query_ctx_t *qctx) {
+ 							     : qctx->tname;
+ 				query_prefetch(qctx->client, name,
+ 					       qctx->rdataset);
+				if (name && !dns_name_isabsolute(name)) {
+					log_query_relative(qctx, "query_respond_any", name);
+					result = DNS_R_DROP;
+					break;
+				}
+ 			}
+ 
+ 			/*
+@@ -10696,6 +10720,11 @@ query_cname(query_ctx_t *qctx) {
+ 
+ 	if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
+ 		query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
+		if (qctx->fname && !dns_name_isabsolute(qctx->fname)) {
+			log_query_relative(qctx, "query_cname", qctx->fname);
+			QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+			return (ns_query_done(qctx));
+		}
+ 	}
+ 
+ 	query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
+@@ -10801,7 +10830,13 @@ query_dname(query_ctx_t *qctx) {
+ 
+ 	if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
+ 		query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
+		if (qctx->fname && !dns_name_isabsolute(qctx->fname)) {
+			log_query_relative(qctx, "query_dname", qctx->fname);
+			QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+			return (ns_query_done(qctx));
+		}
+ 	}
+
+ 	query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
+ 		       qctx->dbuf, DNS_SECTION_ANSWER);
+ 
+-- 
+2.49.0
+
--- a/SOURCES/bind-9.21-resume-qmin-cname.patch
+++ b/SOURCES/bind-9.21-resume-qmin-cname.patch
@ -0,0 +1,44 @@
+From ac0c3b0477d97fe5c968910f603bb8d04c740da7 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 3 Jun 2025 21:00:58 +0200
+Subject: [PATCH] Handle CNAME and DNAME in resume_min in a special way
+
+When authoritative zone is loaded when query minimization query for the
+same zone is already pending, it might receive unexpected result codes.
+
+Normally DNS_R_CNAME would follow to query_cname after processing sent
+events, but dns_view_findzonecut does not fill CNAME target into
+event->foundevent. Usual lookup via query_lookup would always have that
+filled.
+
+Ideally we would restart the query with unmodified search name, if
+unexpected change from recursing to local zone cut were detected. Until
+dns_view_findzonecut is modified to export zone/cache source of the cut,
+at least fail queries which went into unexpected state.
+---
+ lib/dns/resolver.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 795791246b..39a294437e 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -4497,6 +4497,15 @@ resume_qmin(isc_task_t *task, isc_event_t *event) {
+ 	if (result == DNS_R_NXDOMAIN) {
+ 		result = DNS_R_SERVFAIL;
+ 	}
+	/*
+	 * CNAME or DNAME means zone were added with that record
+	 * after the start of query minimization queries. It means
+	 * we do not have initialized correct hevent->foundname
+	 * and have to fail.
+	 */
+	if (result == DNS_R_CNAME || result == DNS_R_DNAME) {
+		result = DNS_R_SERVFAIL;
+	}
+ 
+ 	if (result != ISC_R_SUCCESS) {
+ 		goto cleanup;
+-- 
+2.49.0
+
--- a/SPECS/bind9.18.spec
+++ b/SPECS/bind9.18.spec
@ -77,7 +77,7 @@ License:  MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
 # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0
 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0
 Version:  9.18.29
-Release:  3%{?dist}
+Release:  4%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -124,6 +124,12 @@ Patch30: bind-9.18-CVE-2024-11187-pre-test.patch
 Patch31: bind-9.18-CVE-2024-11187.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/commit/e733e624147155d6cbee7f0f150c79c7ac6b54bb
 Patch32: bind-9.18-CVE-2024-12705.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10562
+# https://gitlab.isc.org/isc-projects/bind9/-/issues/5357
+# downstream patch fixing bind-dyndb-ldap causing issue
+Patch33: bind-9.21-resume-qmin-cname.patch
+# downstream only, extra check for above change, RHEL-30407
+Patch34: bind-9.18-query-fname-relative.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -971,6 +977,10 @@ fi;
 %endif

 %changelog
+* Tue Jun 10 2025 Petr Mensik <pemensik@redhat.com> - 32:9.18.29-4
+- Prevent name.c:670 attributes assertion failed (RHEL-30407)
+- Add extra checks for relative names
+
 * Mon Feb 03 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-3
 - Limit additional section records CPU processing (CVE-2024-11187)
 - Read HTTPS requests in limited chunks and prevent overload (CVE-2024-12705)