rpms/dhcp
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix for CVE-2021-25220

Browse Source
This commit is contained in:
Martin Osvald 2022-04-12 13:56:01 +02:00
parent fa1179c358
commit a8f6fd046f
2 changed files with 233 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

200
CVE-2021-25220.patch Normal file
View File

@ -0,0 +1,200 @@
diff --git a/bind/bind-9.11.36/lib/dns/resolver.c b/bind/bind-9.11.36/lib/dns/resolver.c
index b34cb12..8ae9a99 100644
--- a/bind/bind-9.11.36/lib/dns/resolver.c
+++ b/bind/bind-9.11.36/lib/dns/resolver.c
@@ -63,6 +63,7 @@
#include <dns/stats.h>
#include <dns/tsig.h>
#include <dns/validator.h>
+#include <dns/zone.h>
#ifdef WANT_QUERYTRACE
#define RTRACE(m) isc_log_write(dns_lctx, \
@@ -311,6 +312,8 @@ struct fetchctx {
bool ns_ttl_ok;
uint32_t ns_ttl;
isc_counter_t * qc;
+ dns_fixedname_t fwdfname;
+ dns_name_t *fwdname;
/*%
* The number of events we're waiting for.
@@ -3389,6 +3392,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
if (result == ISC_R_SUCCESS) {
fwd = ISC_LIST_HEAD(forwarders->fwdrs);
fctx->fwdpolicy = forwarders->fwdpolicy;
+ dns_name_copy(domain, fctx->fwdname, NULL);
if (fctx->fwdpolicy == dns_fwdpolicy_only &&
isstrictsubdomain(domain, &fctx->domain)) {
fcount_decr(fctx);
@@ -4418,6 +4422,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
fctx->restarts = 0;
fctx->querysent = 0;
fctx->referrals = 0;
+
+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
+
TIME_NOW(&fctx->start);
fctx->timeouts = 0;
fctx->lamecount = 0;
@@ -4476,8 +4483,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
domain = dns_fixedname_initname(&fixed);
result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
domain, &forwarders);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
fctx->fwdpolicy = forwarders->fwdpolicy;
+ dns_name_copy(domain, fctx->fwdname, NULL);
+ }
if (fctx->fwdpolicy != dns_fwdpolicy_only) {
/*
@@ -6226,6 +6235,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
}
+/*
+ * Returns true if 'name' is external to the namespace for which
+ * the server being queried can answer, either because it's not a
+ * subdomain or because it's below a forward declaration or a
+ * locally served zone.
+ */
+static inline bool
+name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_forwarders_t *forwarders = NULL;
+ dns_fixedname_t fixed, zfixed;
+ dns_name_t *fname = dns_fixedname_initname(&fixed);
+ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
+ dns_name_t *apex = NULL;
+ dns_name_t suffix;
+ dns_zone_t *zone = NULL;
+ unsigned int labels;
+ dns_namereln_t rel;
+ /*
+ * The following two variables do not influence code flow; they are
+ * only necessary for calling dns_name_fullcompare().
+ */
+ int _orderp = 0;
+ unsigned int _nlabelsp = 0;
+
+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
+
+ /*
+ * The name is outside the queried namespace.
+ */
+ rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp);
+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
+ return (true);
+ }
+
+ /*
+ * If the record lives in the parent zone, adjust the name so we
+ * look for the correct zone or forward clause.
+ */
+ labels = dns_name_countlabels(name);
+ if (dns_rdatatype_atparent(type) && labels > 1U) {
+ dns_name_init(&suffix, NULL);
+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+ name = &suffix;
+ } else if (rel == dns_namereln_equal) {
+ /* If 'name' is 'apex', no further checking is needed. */
+ return (false);
+ }
+
+ /*
+ * If there is a locally served zone between 'apex' and 'name'
+ * then don't cache.
+ */
+ LOCK(&fctx->res->view->lock);
+ if (fctx->res->view->zonetable != NULL) {
+ unsigned int options = DNS_ZTFIND_NOEXACT;
+ result = dns_zt_find(fctx->res->view->zonetable, name, options,
+ zfname, &zone);
+ if (zone != NULL) {
+ dns_zone_detach(&zone);
+ }
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+ if (dns_name_fullcompare(zfname, apex, &_orderp,
+ &_nlabelsp) ==
+ dns_namereln_subdomain)
+ {
+ UNLOCK(&fctx->res->view->lock);
+ return (true);
+ }
+ }
+ }
+ UNLOCK(&fctx->res->view->lock);
+
+ /*
+ * Look for a forward declaration below 'name'.
+ */
+ result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname,
+ &forwarders);
+
+ if (ISFORWARDER(fctx->addrinfo)) {
+ /*
+ * See if the forwarder declaration is better.
+ */
+ if (result == ISC_R_SUCCESS) {
+ return (!dns_name_equal(fname, fctx->fwdname));
+ }
+
+ /*
+ * If the lookup failed, the configuration must have
+ * changed: play it safe and don't cache.
+ */
+ return (true);
+ } else if (result == ISC_R_SUCCESS &&
+ forwarders->fwdpolicy == dns_fwdpolicy_only &&
+ !ISC_LIST_EMPTY(forwarders->fwdrs))
+ {
+ /*
+ * If 'name' is covered by a 'forward only' clause then we
+ * can't cache this repsonse.
+ */
+ return (true);
+ }
+
+ return (false);
+}
+
static isc_result_t
check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
dns_section_t section)
@@ -6254,7 +6369,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
result = dns_message_findname(rmessage, section, addname,
dns_rdatatype_any, 0, &name, NULL);
if (result == ISC_R_SUCCESS) {
- external = !dns_name_issubdomain(name, &fctx->domain);
+ external = name_external(name, type, fctx);
if (type == dns_rdatatype_a) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
@@ -7136,6 +7251,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
break;
case dns_namereln_subdomain:
+ /*
+ * Don't accept DNAME from parent namespace.
+ */
+ if (name_external(name, dns_rdatatype_dname, fctx)) {
+ continue;
+ }
+
/*
* In-scope DNAME records must have at least
* as many labels as the domain being queried.
@@ -7371,11 +7493,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
*/
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
while (!done && result == ISC_R_SUCCESS) {
- bool external;
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
- external = !dns_name_issubdomain(name, &fctx->domain);
- if (!external) {
+ if (!name_external(name, dns_rdatatype_ns, fctx)) {
/*
* We expect to find NS or SIG NS rdatasets, and
* nothing else.

62
dhcp.spec
View File

@ -15,7 +15,7 @@
Summary: Dynamic host configuration protocol software Summary: Dynamic host configuration protocol software
Name: dhcp Name: dhcp
Version: 4.4.3 Version: 4.4.3
Release: 1%{?prever:.%prever}%{?patchver:.%patchver}%{?dist} Release: 2%{?prever:.%prever}%{?patchver:.%patchver}%{?dist}
# NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
# dcantrell maintaining the package) made incorrect use of the epoch and # dcantrell maintaining the package) made incorrect use of the epoch and
@ -35,34 +35,35 @@ Source6: dhcpd.service
Source7: dhcpd6.service Source7: dhcpd6.service
Source8: dhcrelay.service Source8: dhcrelay.service
Patch1 : 0001-change-bug-url.patch Patch1: 0001-change-bug-url.patch
Patch2 : 0002-additional-dhclient-options.patch Patch2: 0002-additional-dhclient-options.patch
Patch3 : 0003-Handle-releasing-interfaces-requested-by-sbin-ifup.patch Patch3: 0003-Handle-releasing-interfaces-requested-by-sbin-ifup.patch
Patch4 : 0004-Support-unicast-BOOTP-for-IBM-pSeries-systems-and-ma.patch Patch4: 0004-Support-unicast-BOOTP-for-IBM-pSeries-systems-and-ma.patch
Patch5 : 0005-Change-default-requested-options.patch Patch5: 0005-Change-default-requested-options.patch
Patch6 : 0006-Various-man-page-only-fixes.patch Patch6: 0006-Various-man-page-only-fixes.patch
Patch7 : 0007-Change-paths-to-conform-to-our-standards.patch Patch7: 0007-Change-paths-to-conform-to-our-standards.patch
Patch8 : 0008-Make-sure-all-open-file-descriptors-are-closed-on-ex.patch Patch8: 0008-Make-sure-all-open-file-descriptors-are-closed-on-ex.patch
Patch9 : 0009-Fix-garbage-in-format-string-error.patch Patch9: 0009-Fix-garbage-in-format-string-error.patch
Patch10 : 0010-Handle-null-timeout.patch Patch10: 0010-Handle-null-timeout.patch
Patch11 : 0011-Drop-unnecessary-capabilities.patch Patch11: 0011-Drop-unnecessary-capabilities.patch
Patch12 : 0012-RFC-3442-Classless-Static-Route-Option-for-DHCPv4-51.patch Patch12: 0012-RFC-3442-Classless-Static-Route-Option-for-DHCPv4-51.patch
Patch13 : 0013-DHCPv6-over-PPP-support-626514.patch Patch13: 0013-DHCPv6-over-PPP-support-626514.patch
Patch14 : 0014-IPoIB-support-660681.patch Patch14: 0014-IPoIB-support-660681.patch
Patch15 : 0015-Add-GUID-DUID-to-dhcpd-logs-1064416.patch Patch15: 0015-Add-GUID-DUID-to-dhcpd-logs-1064416.patch
Patch16 : 0016-Turn-on-creating-sending-of-DUID.patch Patch16: 0016-Turn-on-creating-sending-of-DUID.patch
Patch17 : 0017-Send-unicast-request-release-via-correct-interface.patch Patch17: 0017-Send-unicast-request-release-via-correct-interface.patch
Patch18 : 0018-No-subnet-declaration-for-iface-should-be-info-not-e.patch Patch18: 0018-No-subnet-declaration-for-iface-should-be-info-not-e.patch
Patch19 : 0019-dhclient-write-DUID_LLT-even-in-stateless-mode-11563.patch Patch19: 0019-dhclient-write-DUID_LLT-even-in-stateless-mode-11563.patch
Patch20 : 0020-Discover-all-hwaddress-for-xid-uniqueness.patch Patch20: 0020-Discover-all-hwaddress-for-xid-uniqueness.patch
Patch21 : 0021-Load-leases-DB-in-non-replay-mode-only.patch Patch21: 0021-Load-leases-DB-in-non-replay-mode-only.patch
Patch22 : 0022-dhclient-make-sure-link-local-address-is-ready-in-st.patch Patch22: 0022-dhclient-make-sure-link-local-address-is-ready-in-st.patch
Patch23 : 0023-option-97-pxe-client-id.patch Patch23: 0023-option-97-pxe-client-id.patch
Patch24 : 0024-Detect-system-time-changes.patch Patch24: 0024-Detect-system-time-changes.patch
Patch25 : 0025-bind-Detect-system-time-changes.patch Patch25: 0025-bind-Detect-system-time-changes.patch
Patch26 : 0026-Add-dhclient-5-B-option-description.patch Patch26: 0026-Add-dhclient-5-B-option-description.patch
Patch27: 0027-Add-missed-sd-notify-patch-to-manage-dhcpd-with-syst.patch Patch27: 0027-Add-missed-sd-notify-patch-to-manage-dhcpd-with-syst.patch
Patch28: 0028-Use-system-getaddrinfo-for-dhcp.patch Patch28: 0028-Use-system-getaddrinfo-for-dhcp.patch
Patch29: CVE-2021-25220.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -534,6 +535,9 @@ done
%attr(0644,root,root) %{_mandir}/man8/keama.8.gz %attr(0644,root,root) %{_mandir}/man8/keama.8.gz
%changelog %changelog
* Mon Apr 11 2022 Martin Osvald <mosvald@redhat.com> - 12:4.4.3-2
- Fix for CVE-2021-25220
* Thu Mar 10 2022 Martin Osvald <mosvald@redhat.com> - 12:4.4.3-1 * Thu Mar 10 2022 Martin Osvald <mosvald@redhat.com> - 12:4.4.3-1
- New version 4.4.3 - New version 4.4.3
- Add keama migration utility - Add keama migration utility