import CS unbound-1.16.2-21.el9

2025-09-15 12:54:33 +00:00 · 2025-09-15 12:54:33 +00:00 · add20fbb15
commit add20fbb15
parent cbf7fe1da8
4 changed files with 2558 additions and 2 deletions
--- a/SOURCES/unbound-1.16-control-key-perms.patch
+++ b/SOURCES/unbound-1.16-control-key-perms.patch
@ -0,0 +1,14 @@
 diff --git a/unbound-1.16.2/smallapp/unbound-control-setup.sh.in b/unbound-1.16.2/smallapp/unbound-control-setup.sh.in
 index 4a358f6bd..c2a79a242 100644
 --- a/unbound-1.16.2/smallapp/unbound-control-setup.sh.in
 +++ b/unbound-1.16.2/smallapp/unbound-control-setup.sh.in
@@ -204,7 +204,8 @@ fi
 # remove unused permissions
 chmod o-rw \
       "$SVR_BASE.pem" \
 -      "$SVR_BASE.key" \
 +      "$SVR_BASE.key"
 +chmod g+r,o-rw \
       "$CTL_BASE.pem" \
       "$CTL_BASE.key"
--- a/SOURCES/unbound-1.21-CVE-2024-8508.patch
+++ b/SOURCES/unbound-1.21-CVE-2024-8508.patch
@ -0,0 +1,249 @@
 From 34de24d58bb5aa6fe3551512fc17cac08f65d93e Mon Sep 17 00:00:00 2001
 From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
 Date: Thu, 3 Oct 2024 14:46:57 +0200
 Subject: [PATCH] - Fix CVE-2024-8508, unbounded name compression could lead to
 denial of service.
 ---
 unbound-1.16.2/util/data/msgencode.c | 77 +++++++++++++++++-----------
 1 file changed, 46 insertions(+), 31 deletions(-)
 diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
 index fe21cfb..f9e95e6 100644
 --- a/unbound-1.16.2/util/data/msgencode.c
 +++ b/unbound-1.16.2/util/data/msgencode.c
@@ -62,6 +62,10 @@
 #define RETVAL_TRUNC	-4
 /** return code that means all is peachy keen. Equal to DNS rcode NOERROR */
 #define RETVAL_OK	0
 +/** Max compressions we are willing to perform; more than that will result
 + *  in semi-compressed messages, or truncated even on TCP for huge messages, to
 + *  avoid locking the CPU for long */
 +#define MAX_COMPRESSION_PER_MESSAGE 120
 /**
  * Data structure to help domain name compression in outgoing messages.
@@ -284,15 +288,17 @@ write_compressed_dname(sldns_buffer* pkt, uint8_t* dname, int labs,
 /** compress owner name of RR, return RETVAL_OUTMEM RETVAL_TRUNC */
 static int
 -compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
 -	struct regional* region, struct compress_tree_node** tree, 
 -	size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
 +compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 +	struct regional* region, struct compress_tree_node** tree,
 +	size_t owner_pos, uint16_t* owner_ptr, int owner_labs,
 +	size_t* compress_count)
 {
 	struct compress_tree_node* p;
 	struct compress_tree_node** insertpt = NULL;
 	if(!*owner_ptr) {
 		/* compress first time dname */
 -		if((p = compress_tree_lookup(tree, key->rk.dname, 
 +		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +			(p = compress_tree_lookup(tree, key->rk.dname,
 			owner_labs, &insertpt))) {
 			if(p->labs == owner_labs) 
 				/* avoid ptr chains, since some software is
@@ -301,6 +307,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 			if(!write_compressed_dname(pkt, key->rk.dname, 
 				owner_labs, p))
 				return RETVAL_TRUNC;
 +			(*compress_count)++;
 			/* check if typeclass+4 ttl + rdatalen is available */
 			if(sldns_buffer_remaining(pkt) < 4+4+2)
 				return RETVAL_TRUNC;
@@ -313,7 +320,8 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 			if(owner_pos <= PTR_MAX_OFFSET)
 				*owner_ptr = htons(PTR_CREATE(owner_pos));
 		}
 -		if(!compress_tree_store(key->rk.dname, owner_labs, 
 +		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +			!compress_tree_store(key->rk.dname, owner_labs,
 			owner_pos, region, p, insertpt))
 			return RETVAL_OUTMEM;
 	} else {
@@ -333,20 +341,24 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 /** compress any domain name to the packet, return RETVAL_* */
 static int
 -compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, 
 -	struct regional* region, struct compress_tree_node** tree)
 +compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
 +	struct regional* region, struct compress_tree_node** tree,
 +	size_t* compress_count)
 {
 	struct compress_tree_node* p;
 	struct compress_tree_node** insertpt = NULL;
 	size_t pos = sldns_buffer_position(pkt);
 -	if((p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
 +	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +		(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
 		if(!write_compressed_dname(pkt, dname, labs, p))
 			return RETVAL_TRUNC;
 +		(*compress_count)++;
 	} else {
 		if(!dname_buffer_write(pkt, dname))
 			return RETVAL_TRUNC;
 	}
 -	if(!compress_tree_store(dname, labs, pos, region, p, insertpt))
 +	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +		!compress_tree_store(dname, labs, pos, region, p, insertpt))
 		return RETVAL_OUTMEM;
 	return RETVAL_OK;
 }
@@ -364,9 +376,9 @@ type_rdata_compressable(struct ub_packed_rrset_key* key)
 /** compress domain names in rdata, return RETVAL_* */
 static int
 -compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen, 
 -	struct regional* region, struct compress_tree_node** tree, 
 -	const sldns_rr_descriptor* desc)
 +compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
 +	struct regional* region, struct compress_tree_node** tree,
 +	const sldns_rr_descriptor* desc, size_t* compress_count)
 {
 	int labs, r, rdf = 0;
 	size_t dname_len, len, pos = sldns_buffer_position(pkt);
@@ -380,8 +392,8 @@ compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
 		switch(desc->_wireformat[rdf]) {
 		case LDNS_RDF_TYPE_DNAME:
 			labs = dname_count_size_labels(rdata, &dname_len);
 -			if((r=compress_any_dname(rdata, pkt, labs, region, 
 -				tree)) != RETVAL_OK)
 +			if((r=compress_any_dname(rdata, pkt, labs, region,
 +				tree, compress_count)) != RETVAL_OK)
 				return r;
 			rdata += dname_len;
 			todolen -= dname_len;
@@ -449,7 +461,8 @@ static int
 packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
 	uint16_t* num_rrs, time_t timenow, struct regional* region,
 	int do_data, int do_sig, struct compress_tree_node** tree,
 -	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
 +	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
 +	size_t* compress_count)
 {
 	size_t i, j, owner_pos;
 	int r, owner_labs;
@@ -477,9 +490,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 		for(i=0; i<data->count; i++) {
 			/* rrset roundrobin */
 			j = (i + rr_offset) % data->count;
 -			if((r=compress_owner(key, pkt, region, tree, 
 -				owner_pos, &owner_ptr, owner_labs))
 -				!= RETVAL_OK)
 +			if((r=compress_owner(key, pkt, region, tree,
 +				owner_pos, &owner_ptr, owner_labs,
 +				compress_count)) != RETVAL_OK)
 				return r;
 			sldns_buffer_write(pkt, &key->rk.type, 2);
 			sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
@@ -489,8 +502,8 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 			else	sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
 			if(c) {
 				if((r=compress_rdata(pkt, data->rr_data[j],
 -					data->rr_len[j], region, tree, c))
 -					!= RETVAL_OK)
 +					data->rr_len[j], region, tree, c,
 +					compress_count)) != RETVAL_OK)
 					return r;
 			} else {
 				if(sldns_buffer_remaining(pkt) < data->rr_len[j])
@@ -510,9 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 					return RETVAL_TRUNC;
 				sldns_buffer_write(pkt, &owner_ptr, 2);
 			} else {
 -				if((r=compress_any_dname(key->rk.dname, 
 -					pkt, owner_labs, region, tree))
 -					!= RETVAL_OK)
 +				if((r=compress_any_dname(key->rk.dname,
 +					pkt, owner_labs, region, tree,
 +					compress_count)) != RETVAL_OK)
 					return r;
 				if(sldns_buffer_remaining(pkt) < 
 					4+4+data->rr_len[i])
@@ -544,7 +557,8 @@ static int
 insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 	sldns_buffer* pkt, size_t rrsets_before, time_t timenow, 
 	struct regional* region, struct compress_tree_node** tree,
 -	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
 +	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
 +	size_t* compress_count)
 {
 	int r;
 	size_t i, setstart;
@@ -560,7 +574,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 			setstart = sldns_buffer_position(pkt);
 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
 				pkt, num_rrs, timenow, region, 1, 1, tree,
 -				s, qtype, dnssec, rr_offset))
 +				s, qtype, dnssec, rr_offset, compress_count))
 				!= RETVAL_OK) {
 				/* Bad, but if due to size must set TC bit */
 				/* trim off the rrset neatly. */
@@ -573,7 +587,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 			setstart = sldns_buffer_position(pkt);
 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
 				pkt, num_rrs, timenow, region, 1, 0, tree,
 -				s, qtype, dnssec, rr_offset))
 +				s, qtype, dnssec, rr_offset, compress_count))
 				!= RETVAL_OK) {
 				sldns_buffer_set_position(pkt, setstart);
 				return r;
@@ -584,7 +598,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 			setstart = sldns_buffer_position(pkt);
 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
 				pkt, num_rrs, timenow, region, 0, 1, tree,
 -				s, qtype, dnssec, rr_offset))
 +				s, qtype, dnssec, rr_offset, compress_count))
 				!= RETVAL_OK) {
 				sldns_buffer_set_position(pkt, setstart);
 				return r;
@@ -677,6 +691,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 	struct compress_tree_node* tree = 0;
 	int r;
 	size_t rr_offset;
 +	size_t compress_count=0;
 	sldns_buffer_clear(buffer);
 	if(udpsize < sldns_buffer_limit(buffer))
@@ -723,7 +738,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 		arep.rrsets = &qinfo->local_alias->rrset;
 		if((r=insert_section(&arep, 1, &ancount, buffer, 0,
 			timezero, region, &tree, LDNS_SECTION_ANSWER,
 -			qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) {
 +			qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 			if(r == RETVAL_TRUNC) {
 				/* create truncated message */
 				sldns_buffer_write_u16_at(buffer, 6, ancount);
@@ -738,7 +753,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 	/* insert answer section */
 	if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
 		0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
 -		dnssec, rr_offset)) != RETVAL_OK) {
 +		dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 		if(r == RETVAL_TRUNC) {
 			/* create truncated message */
 			sldns_buffer_write_u16_at(buffer, 6, ancount);
@@ -756,7 +771,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 		if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
 			rep->an_numrrsets, timenow, region, &tree,
 			LDNS_SECTION_AUTHORITY, qinfo->qtype,
 -			dnssec, rr_offset)) != RETVAL_OK) {
 +			dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 			if(r == RETVAL_TRUNC) {
 				/* create truncated message */
 				sldns_buffer_write_u16_at(buffer, 8, nscount);
@@ -773,7 +788,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 			if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
 				rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
 				&tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
 -				dnssec, rr_offset)) != RETVAL_OK) {
 +				dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 				if(r == RETVAL_TRUNC) {
 					/* no need to set TC bit, this is the additional */
 					sldns_buffer_write_u16_at(buffer, 10, arcount);
 -- 
 2.47.0
--- a/SOURCES/unbound-1.23.1-CVE-2025-5994.patch
+++ b/SOURCES/unbound-1.23.1-CVE-2025-5994.patch
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@ -30,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 17%{?extra_version:.%{extra_version}}%{?dist}
+Release: 21%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -65,6 +65,19 @@ Patch1: unbound-1.16-CVE-2022-3204.patch
 Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
 # https://github.com/NLnetLabs/unbound/commit/6d1e61173
 Patch5: unbound-1.16-control-t-flag.patch
 # https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259
 Patch6: unbound-1.21-CVE-2024-8508.patch
 # https://github.com/NLnetLabs/unbound/commit/b48958c983f60af40358cca168c403e57bde30d2
 Patch7: unbound-1.16-control-key-perms.patch
 # The patch for CVE-2025-5994 requires certain changes fixing bugs in subnet module
 # that is why we have to backport these commits. They have their respective tests
 # backported with them.
 # https://github.com/NLnetLabs/unbound/commit/0f08cc6d5577ad4747749c55229e16df8711ee32
 # https://github.com/NLnetLabs/unbound/commit/6d0812b56731af130e8bc7e1572388934beb9b3b
 # https://github.com/NLnetLabs/unbound/commit/be626f7c5330dc414a582a04b537ea79d5c452fb
 # https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f
 # https://github.com/NLnetLabs/unbound/commit/a1150078f29e14b36c8e4d9d05a263a5e6abbc5b
 Patch8: unbound-1.23.1-CVE-2025-5994.patch
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
@ -381,6 +394,16 @@ fi
 %postun libs
 %systemd_postun_with_restart unbound-anchor.timer
 # this trigger ensures that if user changed their config
 # prior the move of root auth-zone to separate file in 1.16.2-18, we do not
 # force the change of root auth-zone on them
 %triggerpostun -- unbound < 1.16.2-18
 if [ -f %{_sysconfdir}/%{name}/unbound.conf.rpmnew ] \
    && [ -L %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf ] \
    && [ "$(readlink -f %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf)" == "%{_sysconfdir}/%{name}/unbound-local-root.conf" ]; then
  rm -f %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf
 fi
 %check
 pushd %{dir_primary}
 #pushd pythonmod
@ -421,7 +444,7 @@ popd
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
-%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
+%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
 %{_sbindir}/unbound
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control
@ -486,6 +509,21 @@ popd
 %{_prefix}/lib/dracut/modules.d/99unbound
 %changelog
 * Mon Jul 28 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-21
 - Fix RebirthDay Attack (CVE-2025-5994)
 - Resolves: RHEL-104129
 * Wed Jul 16 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-20
 - Fix verification of unbound-control key files
 - Resolves: RHEL-65396
 * Tue Jun 24 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-19
 - Fix regression on update introduced by local-root symlink
 - Resolves: RHEL-92255
 * Wed May 14 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-18
 - Prevent unbounded name compression (CVE-2024-8508)
 * Mon Feb 10 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-17
 - Add as112 networks config file
 - Resolves: RHEL-78696