From 0a173687eb497197d3ec1b554226baa000b347e0 Mon Sep 17 00:00:00 2001
From: gaoxingwang
Date: Wed, 28 Sep 2022 20:27:13 +0800
Subject: [PATCH] test only

Signed-off-by: gaoxingwang
---
 CVE-2022-2881.patch | 42 +++++++++++++++++
 CVE-2022-2906.patch | 110 ++++++++++++++++++++++++++++++++++++++++++++
 bind.spec | 4 ++
 3 files changed, 156 insertions(+)
 create mode 100644 CVE-2022-2881.patch
 create mode 100644 CVE-2022-2906.patch

diff --git a/CVE-2022-2881.patch b/CVE-2022-2881.patch
new file mode 100644
index 0000000..45bb83f
--- /dev/null
+++ b/CVE-2022-2881.patch
@@ -0,0 +1,42 @@
+From 13333db69f9b9710a98c86f44276e01e95420fa0 Mon Sep 17 00:00:00 2001
+From: Evan Hunt
+Date: Tue, 16 Aug 2022 16:26:02 -0700
+Subject: [PATCH] compression buffer was not reused correctly
+
+when the compression buffer was reused for multiple statistics
+requests, responses could grow beyond the correct size. this was
+because the buffer was not cleared before reuse; compressed data
+was still written to the beginning of the buffer, but then the size
+of used region was increased by the amount written, rather than set
+to the amount written. this caused responses to grow larger and
+larger, potentially reading past the end of the allocated buffer.
+
+(cherry picked from commit 47e9fa981e56a7a232f3219fe8a40525c79d748b)
+---
+ lib/isc/httpd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
+index 776455a..e55330b 100644
+--- a/lib/isc/httpd.c
++++ b/lib/isc/httpd.c
+@@ -246,6 +246,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
+ if (r.length > 0) {
+ isc_mem_put(mctx, r.base, r.length);
+ }
++
++ isc_buffer_initnull(buffer);
+ }
+ 
+ static void
+@@ -910,6 +912,7 @@ isc_httpd_compress(isc_httpd_t *httpd) {
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
++ isc_buffer_clear(&httpd->compbuffer);
+ isc_buffer_region(&httpd->compbuffer, &r);
+ 
+ /*
+-- 
+2.23.0
+
diff --git a/CVE-2022-2906.patch b/CVE-2022-2906.patch
new file mode 100644
index 0000000..3b71413
--- /dev/null
+++ b/CVE-2022-2906.patch
@@ -0,0 +1,110 @@
+From 73df5c80538970ee1fbc4fe3348109bdc281e197 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan
+Date: Thu, 18 Aug 2022 08:59:09 +0000
+Subject: [PATCH] Fix memory leaks in DH code
+
+When used with OpenSSL v3.0.0+, the `openssldh_compare()`,
+`openssldh_paramcompare()`, and `openssldh_todns()` functions
+fail to cleanup the used memory on some error paths.
+
+Use `DST_RET` instead of `return`, when there is memory to be
+released before returning from the functions.
+
+(cherry picked from commit 73d6bbff4e1df583810126fe58eac39bb52bc0d9)
+---
+ lib/dns/openssldh_link.c | 34 ++++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
+index 72b8209..78b3a68 100644
+--- a/lib/dns/openssldh_link.c
++++ b/lib/dns/openssldh_link.c
+@@ -180,7 +180,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ 
+ static bool
+ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+- DH *dh1, *dh2;
++ bool ret = true;
++ DH *dh1, *dh2;
+ const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
+ const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
+ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+@@ -202,23 +203,24 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
+ BN_cmp(pub_key1, pub_key2) != 0)
+ {
+- return (false);
++ DST_RET(false);
+ }
+ 
+ if (priv_key1 != NULL || priv_key2 != NULL) {
+- if (priv_key1 == NULL || priv_key2 == NULL) {
+- return (false);
+- }
+- if (BN_cmp(priv_key1, priv_key2) != 0) {
+- return (false);
++ if (priv_key1 == NULL || priv_key2 == NULL ||
++ BN_cmp(priv_key1, priv_key2) != 0) {
++ DST_RET(false);
+ }
+ }
+- return (true);
++
++err:
++ return (ret);
+ }
+ 
+ static bool
+ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+- DH *dh1, *dh2;
++ bool ret = true;
++ DH *dh1, *dh2;
+ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+ 
+ dh1 = key1->keydata.dh;
+@@ -234,9 +236,11 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ DH_get0_pqg(dh2, &p2, NULL, &g2);
+ 
+ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
+- return (false);
++ DST_RET(false);
+ }
+- return (true);
++
++err:
++ return (ret);
+ }
+ 
+ static int
+@@ -386,7 +390,8 @@ uint16_fromregion(isc_region_t *region) {
+ 
+ static isc_result_t
+ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+- DH *dh;
++ isc_result_t ret = ISC_R_SUCCESS;
++ DH *dh;
+ const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+ isc_region_t r;
+ uint16_t dnslen, plen, glen, publen;
+@@ -412,7 +417,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ publen = BN_num_bytes(pub_key);
+ dnslen = plen + glen + publen + 6;
+ if (r.length < (unsigned int)dnslen) {
+- return (ISC_R_NOSPACE);
++ DST_RET(ISC_R_NOSPACE);
+ }
+ 
+ uint16_toregion(plen, &r);
+@@ -441,7 +446,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 
+ isc_buffer_add(data, dnslen);
+ 
+- return (ISC_R_SUCCESS);
++err:
++ return (ret);
+ }
+ 
+ static isc_result_t
+-- 
+2.23.0
+
diff --git a/bind.spec b/bind.spec
index 071563d..d8c24a0 100644
--- a/bind.spec
+++ b/bind.spec
@@ -81,6 +81,8 @@ Patch164:bind-9.11-rh1666814.patch
 
 Patch6000: CVE-2022-0396.patch
 Patch6001: CVE-2021-25220.patch
+Patch6002: CVE-2022-2906.patch
+Patch6003: CVE-2021-2881.patch
 Patch9000: bugfix-limit-numbers-of-test-threads.patch
 
 %{?systemd_ordering}
@@ -379,6 +381,8 @@ in HTML and PDF format.
 
 %patch6000 -p1
 %patch6001 -p1
+%patch6002 -p1
+%patch6003 -p1
 %patch9000 -p1
 
 %if %{with PKCS11}
-- 
Gitee
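Review bot: The new `Patch6003` line in the first bind.spec hunk names `CVE-2021-2881.patch`, but the file this commit adds (diffstat, `create mode`, and the `+++ b/CVE-2022-2881.patch` header) is `CVE-2022-2881.patch`, so `%patch6003 -p1` in the second hunk has no matching source and the build will stop in %prep, leaving the httpd.c compression-buffer fix unapplied. The line should read `Patch6003: CVE-2022-2881.patch`. Separately, the diff touches only the Patch/%patch pairs; no Release bump or %changelog entry is visible, which is presumably intended before this moves past the "test only" subject.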