From 133ba0f52a1522049968e1784e26d4926f7603d2 Mon Sep 17 00:00:00 2001
From: JofDiamonds
Date: Tue, 11 Oct 2022 14:52:21 +0800
Subject: [PATCH] fix CVE-2022-2906CVE-2022-38177CVE-2022-38178CVE-2022-2795CVE-2022-2881
Signed-off-by: huangyu
---
 backport-CVE-2022-2795.patch | 60 +++++++++++++++++
 backport-CVE-2022-2881.patch | 41 ++++++++++++
 backport-CVE-2022-2906.patch | 121 ++++++++++++++++++++++++++++++++++
 backport-CVE-2022-38177.patch | 24 +++++++
 backport-CVE-2022-38178.patch | 26 ++++++++
 bind.spec | 19 +++++-
 6 files changed, 289 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2022-2795.patch
 create mode 100644 backport-CVE-2022-2881.patch
 create mode 100644 backport-CVE-2022-2906.patch
 create mode 100644 backport-CVE-2022-38177.patch
 create mode 100644 backport-CVE-2022-38178.patch
diff --git a/backport-CVE-2022-2795.patch b/backport-CVE-2022-2795.patch
new file mode 100644
index 0000000..c978c73
--- /dev/null
+++ b/backport-CVE-2022-2795.patch
@@ -0,0 +1,60 @@
+From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered. Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index d2cf14bbc8b..73a0ee9f779 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+ */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT 5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ bool need_alternate = false;
+ bool all_spilled = true;
+ unsigned int no_addresses = 0;
++ unsigned int ns_processed = 0;
+
+ FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+@@ -3902,6 +3909,11 @@ normal_nses:
+
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
++
++ if (++ns_processed >= NS_PROCESSING_LIMIT) {
++ result = ISC_R_NOMORE;
++ break;
++ }
+ }
+ if (result != ISC_R_NOMORE) {
+ return (result);
+-- 
+GitLab
+
diff --git a/backport-CVE-2022-2881.patch b/backport-CVE-2022-2881.patch
new file mode 100644
index 0000000..7cfe352
--- /dev/null
+++ b/backport-CVE-2022-2881.patch
@@ -0,0 +1,41 @@
+From 13333db69f9b9710a98c86f44276e01e95420fa0 Mon Sep 17 00:00:00 2001
+From: Evan Hunt
+Date: Tue, 16 Aug 2022 16:26:02 -0700
+Subject: [PATCH] compression buffer was not reused correctly
+
+when the compression buffer was reused for multiple statistics
+requests, responses could grow beyond the correct size. this was
+because the buffer was not cleared before reuse; compressed data
+was still written to the beginning of the buffer, but then the size
+of used region was increased by the amount written, rather than set
+to the amount written. this caused responses to grow larger and
+larger, potentially reading past the end of the allocated buffer.
+
+(cherry picked from commit 47e9fa981e56a7a232f3219fe8a40525c79d748b)
+---
+ lib/isc/httpd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
+index 6259347..88d8716 100644
+--- a/lib/isc/httpd.c
++++ b/lib/isc/httpd.c
+@@ -243,6 +243,7 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
+ if (r.length > 0) {
+ isc_mem_put(mctx, r.base, r.length);
+ }
++ isc_buffer_initnull(buffer);
+ }
+
+ static void
+@@ -923,6 +924,7 @@ isc_httpd_compress(isc_httpd_t *httpd) {
+ if (result != ISC_R_SUCCESS) {
+ return result;
+ }
++ isc_buffer_clear(&httpd->compbuffer);
+ isc_buffer_region(&httpd->compbuffer, &r);
+
+ /*
+-- 
+2.23.0
+
diff --git a/backport-CVE-2022-2906.patch b/backport-CVE-2022-2906.patch
new file mode 100644
index 0000000..a317ce7
--- /dev/null
+++ b/backport-CVE-2022-2906.patch
@@ -0,0 +1,121 @@
+From 73df5c80538970ee1fbc4fe3348109bdc281e197 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan
+Date: Thu, 18 Aug 2022 08:59:09 +0000
+Subject: [PATCH] Fix memory leaks in DH code
+
+When used with OpenSSL v3.0.0+, the `openssldh_compare()`,
+`openssldh_paramcompare()`, and `openssldh_todns()` functions
+fail to cleanup the used memory on some error paths.
+
+Use `DST_RET` instead of `return`, when there is memory to be
+released before returning from the functions.
+
+(cherry picked from commit 73d6bbff4e1df583810126fe58eac39bb52bc0d9)
+---
+ lib/dns/openssldh_link.c | 34 ++++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
+index 30de343..2af1d30 100644
+--- a/lib/dns/openssldh_link.c
++++ b/lib/dns/openssldh_link.c
+@@ -68,6 +68,7 @@
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
+ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
+
++#define DST_RET(a) {ret = a; goto err;}
+
+ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
+
+@@ -186,7 +187,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+
+ static bool
+ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+- DH *dh1, *dh2;
++ bool ret = true;
++ DH *dh1, *dh2;
+ const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
+ const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
+ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+@@ -206,20 +208,21 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+
+ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
+ BN_cmp(pub_key1, pub_key2) != 0)
+- return (false);
++ DST_RET(false);
+
+ if (priv_key1 != NULL || priv_key2 != NULL) {
+- if (priv_key1 == NULL || priv_key2 == NULL)
+- return (false);
+- if (BN_cmp(priv_key1, priv_key2) != 0)
+- return (false);
++ if (priv_key1 == NULL || priv_key2 == NULL ||
++ BN_cmp(priv_key1, priv_key2) != 0)
++ DST_RET(false);
+ }
+- return (true);
++err:
++ return (ret);
+ }
+
+ static bool
+ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+- DH *dh1, *dh2;
++ bool ret = true;
++ DH *dh1, *dh2;
+ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+
+ dh1 = key1->keydata.dh;
+@@ -234,8 +237,10 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ DH_get0_pqg(dh2, &p2, NULL, &g2);
+
+ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0)
+- return (false);
+- return (true);
++ DST_RET(false);
++
++err:
++ return (ret);
+ }
+
+ #if OPENSSL_VERSION_NUMBER > 0x00908000L
+@@ -393,7 +398,8 @@ uint16_fromregion(isc_region_t *region) {
+
+ static isc_result_t
+ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+- DH *dh;
++ isc_result_t ret = ISC_R_SUCCESS;
++ DH *dh;
+ const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+ isc_region_t r;
+ uint16_t dnslen, plen, glen, publen;
+@@ -420,7 +426,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ publen = BN_num_bytes(pub_key);
+ dnslen = plen + glen + publen + 6;
+ if (r.length < (unsigned int) dnslen)
+- return (ISC_R_NOSPACE);
++ DST_RET(ISC_R_NOSPACE);
+
+ uint16_toregion(plen, &r);
+ if (plen == 1) {
+@@ -445,7 +451,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+
+ isc_buffer_add(data, dnslen);
+
+- return (ISC_R_SUCCESS);
++err:
++ return (ret);
+ }
+
+ static isc_result_t
+@@ -659,7 +666,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ DH *dh = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
+ isc_mem_t *mctx;
+-#define DST_RET(a) {ret = a; goto err;}
+
+ UNUSED(pub);
+ mctx = key->mctx;
+-- 
+2.23.0
+
diff --git a/backport-CVE-2022-38177.patch b/backport-CVE-2022-38177.patch
new file mode 100644
index 0000000..cdb3ee1
--- /dev/null
+++ b/backport-CVE-2022-38177.patch
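Review bot: The `err:` labels this backport adds to openssldh_compare, openssldh_paramcompare and openssldh_todns hold only `return (ret);` — no BN_free or DH_free precedes them — so in this 9.11 tree the patch redirects control flow but releases nothing, while its header describes leaks on OpenSSL 3 code paths; the context lines show the BIGNUMs coming from `DH_get0_pqg()`, which hands out internal pointers the caller does not own. If this tree is not built against the OpenSSL 3 DH code, the patch is harmless but the changelog entry for CVE-2022-2906 overstates what is fixed; either confirm the affected code is present or add a line to the backport header such as `(9.11: no owned allocations on these paths; applied for parity with upstream)`. The file-scope `#define DST_RET(a) {ret = a; goto err;}` is a bare brace block, which is fine for the hunk's brace-less `if (...) DST_RET(...);` uses but would not compile in front of an `else`; a `do { ret = (a); goto err; } while (0)` form is safer if the macro is reused elsewhere in the file. All three functions start outside their inner hunks.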
@@ -0,0 +1,24 @@
+From 5b2282afff760b1ed3471f6666bdfe8e1d34e590 Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH] Free eckey on siglen mismatch
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index e9ea5ea..6a34981 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ siglen = DNS_SIG_ECDSA384SIZE;
+
+ if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+
+ if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+2.23.0
+
diff --git a/backport-CVE-2022-38178.patch b/backport-CVE-2022-38178.patch
new file mode 100644
index 0000000..d18bc47
--- /dev/null
+++ b/backport-CVE-2022-38178.patch
@@ -0,0 +1,26 @@
+From 1af23378ebb11da2eb0f412e4563d6c4165fbd3d Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH] Free ctx on invalid siglen
+
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+---
+ lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 76c7737..747c7a4 100644
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ siglen = DNS_SIG_ED448SIZE;
+
+ if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+
+ isc_buffer_usedregion(buf, &tbsreg);
+
+-- 
+2.23.0
+
diff --git a/bind.spec b/bind.spec
index aea2e34..5b2803f 100644
--- a/bind.spec
+++ b/bind.spec
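Review bot: backport-CVE-2022-38177.patch is the only one of the five backports whose header carries no `(cherry picked from commit …)` line, so the upstream commit this one-line change was taken from cannot be traced from the package alone. Add `(cherry picked from commit <upstream-commit-id>)` above the `---` separator, as the neighbouring CVE-2022-38178 patch does. The change itself is consistent with the `DST_RET (dst__openssl_toresult3(` call two lines below it, which shows the macro and its `err:` cleanup label already exist in opensslecdsa_verify; that function starts and ends outside the inner hunk.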
@@ -19,7 +19,7 @@ Name: bind
 Summary: Domain Name System (DNS) Server (named)
 License: MPLv2.0
 Version: 9.11.21
-Release: 13
+Release: 14
 Epoch: 32
 Url: http://www.isc.org/products/BIND/
 Source0: https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
@@ -235,7 +235,11 @@ Patch6060: backport-0060-Update-init_count-atomically-to-silence-tsan-errors.pat
 Patch6061: backport-0061-Refactored-dns_message_t-for-using-attach-detach-sem.patch
 Patch6062: backport-0062-Fix-invalid-dns-message-state-in-resolver-s-logic.patch
 Patch6063: backport-0063-Properly-handling-dns_message_t-shared-references.patch
-
+Patch6064: backport-CVE-2022-2795.patch
+Patch6065: backport-CVE-2022-2881.patch
+Patch6066: backport-CVE-2022-2906.patch
+Patch6067: backport-CVE-2022-38177.patch
+Patch6068: backport-CVE-2022-38178.patch
 %description
 Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
 System (DNS) protocols and provides an openly redistributable reference
@@ -510,6 +514,11 @@ cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
 %patch6061 -p1
 %patch6062 -p1
 %patch6063 -p1
+%patch6064 -p1
+%patch6065 -p1
+%patch6066 -p1
+%patch6067 -p1
+%patch6068 -p1
 %patch199 -p1
@@ -1291,6 +1300,12 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
+* Tue Oct 11 2022 huangyu - 32:9.11.21-14
+- Type:CVE
+- ID:CVE-2022-2906 CVE-2022-38177 CVE-2022-38178 CVE-2022-2795 CVE-2022-2881
+- SUG:NA
+- DESC:FIX CVE-2022-2906CVE-2022-38177CVE-2022-38178CVE-2022-2795CVE-2022-2881
+
 * Sat Sep 03 2022 jiangheng - 32:9.11.21-13
 - Type:bugfix
 - ID:NA
-- 
Gitee