Add upstream test for CVE-2026-40622

Resolves-Vulnerability: CVE-2026-40622
Resolves: RHEL-184832
This commit is contained in:
Fedor Vorobev 2026-06-24 11:34:21 +02:00
parent 11440f4964
commit 998627c879
2 changed files with 310 additions and 2 deletions

View File

@ -0,0 +1,305 @@
diff --git a/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl b/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl
new file mode 100644
index 0000000..2b046a8
--- /dev/null
+++ b/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl
@@ -0,0 +1,299 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ minimal-responses: yes
+ log-servfail: yes
+ module-config: "iterator"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test for ghost domain with a child apex NS query.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+tld. IN NS
+SECTION AUTHORITY
+tld. IN NS ns.tld.
+SECTION ADDITIONAL
+ns.tld. IN A 1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.tld
+RANGE_BEGIN 0 15
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+tld. IN NS
+SECTION ANSWER
+tld. IN NS ns.tld
+SECTION ADDITIONAL
+ns.tld. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.tld. IN A
+SECTION ANSWER
+ns.tld. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.tld. IN AAAA
+SECTION AUTHORITY
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+mid.tld. IN NS
+SECTION AUTHORITY
+mid.tld. 5 IN NS ns.mid.tld.
+SECTION ADDITIONAL
+ns.mid.tld. 5 IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.tld
+RANGE_BEGIN 20 100
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+tld. IN NS
+SECTION ANSWER
+tld. IN NS ns.tld
+SECTION ADDITIONAL
+ns.tld. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.tld. IN A
+SECTION ANSWER
+ns.tld. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.tld. IN AAAA
+SECTION AUTHORITY
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+mid.tld. IN NS
+SECTION AUTHORITY
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
+ENTRY_END
+RANGE_END
+
+; ns.mid.tld.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+mid.tld. IN NS
+SECTION ANSWER
+mid.tld. 86400 IN NS ns.mid.tld.
+SECTION ADDITIONAL
+ns.mid.tld. 86400 IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.mid.tld. IN A
+SECTION ANSWER
+ns.mid.tld. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.mid.tld. IN AAAA
+SECTION AUTHORITY
+mid.tld. 3600 IN SOA ns.mid.tld. host.mid.tld. 20301 3600 1800 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+sub.mid.tld. IN NS
+SECTION AUTHORITY
+sub.mid.tld. 3600 IN NS ns.sub.mid.tld.
+SECTION ADDITIONAL
+ns.sub.mid.tld. 3600 IN A 1.2.3.6
+ENTRY_END
+RANGE_END
+
+; ns.sub.mid.tld.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.6
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+sub.mid.tld. IN NS
+SECTION ANSWER
+sub.mid.tld. IN NS ns.sub.mid.tld.
+SECTION ADDITIONAL
+ns.sub.mid.tld. IN A 1.2.3.6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.sub.mid.tld. IN A
+SECTION ANSWER
+ns.sub.mid.tld. IN A 1.2.3.6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.sub.mid.tld. IN AAAA
+SECTION AUTHORITY
+sub.mid.tld. 3600 IN SOA ns.sub.mid.tld. host.sub.mid.tld. 20301 3600 1800 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.sub.mid.tld. IN A
+SECTION ANSWER
+a.sub.mid.tld. 3600 IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+b.sub.mid.tld. IN A
+SECTION ANSWER
+b.sub.mid.tld. 3600 IN A 10.20.30.41
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD NOERROR
+SECTION QUESTION
+a.sub.mid.tld. IN A
+ENTRY_END
+
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a.sub.mid.tld. IN A
+SECTION ANSWER
+a.sub.mid.tld. 3600 IN A 10.20.30.40
+ENTRY_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD NOERROR
+SECTION QUESTION
+mid.tld. IN NS
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+mid.tld. IN NS
+SECTION ANSWER
+mid.tld. 86400 IN NS ns.mid.tld.
+SECTION ADDITIONAL
+ns.mid.tld. 86400 IN A 1.2.3.4
+ENTRY_END
+
+STEP 20 TIME_PASSES ELAPSE 10
+; The authority for .tld switches to NXDOMAIN for mid.tld.
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD NOERROR
+SECTION QUESTION
+b.sub.mid.tld. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+b.sub.mid.tld. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
+ENTRY_END
+
+SCENARIO_END

View File

@ -84,8 +84,10 @@ Patch8: unbound-1.25.1-CVE-2026-42944.patch
Patch9: unbound-1.25.1-CVE-2026-42959.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-40622.diff
Patch10: unbound-1.25.1-CVE-2026-40622.patch
# https://github.com/NLnetLabs/unbound/commit/b5f21f41658f65d6143df6a3208e8ccf1a01604d
Patch11: unbound-1.25.1-CVE-2026-40622-test.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-44390.diff
Patch11: unbound-1.25.1-CVE-2026-44390.patch
Patch12: unbound-1.25.1-CVE-2026-44390.patch
BuildRequires: gdb
@ -196,7 +198,8 @@ pushd %{pkgname}
%patch8 -p2 -b .CVE-2026-42944
%patch9 -p2 -b .CVE-2026-42959
%patch10 -p2 -b .CVE-2026-40622
%patch11 -p2 -b .CVE-2026-44390
%patch11 -p2 -b .CVE-2026-40622-test
%patch12 -p2 -b .CVE-2026-44390
# copy common doc files - after here, since it may be patched
cp -pr doc pythonmod libunbound ../