diff --git a/CVE-2018-5744.patch b/CVE-2018-5744.patch
new file mode 100644
index 0000000000000000000000000000000000000000..951ff99129db123ae638f7ea950cae64db00d56b
--- /dev/null
+++ b/CVE-2018-5744.patch
@@ -0,0 +1,63 @@
+From 4c7018a540b0a5521adb2227ecf9dc32722c912e Mon Sep 17 00:00:00 2001
+From: qz_cx
+Date: Mon, 24 Oct 2022 14:48:05 +0800
+Subject: [PATCH] check that multiple KEY-TAG trust-anchor-telemetry options
+ don't leak memory
+
+authored 3 years ago by Mark Andrews's avatar Mark Andrews Committed by Evan Hunt 3 years ago
+
+(cherry picked from commit 4b1dc4a5445e9561f2208f9388cf9f9e2cfcbe51)
+(cherry picked from commit f545e9dff1f0eadcdea5531ef7062324d232c716)
+---
+ bin/tests/system/dnssec/tests.sh | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
+index fe95c8d..e2ca846 100644
+--- a/bin/tests/system/dnssec/tests.sh
++++ b/bin/tests/system/dnssec/tests.sh
+@@ -3616,18 +3616,18 @@ dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.exa
+ grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+ grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+-n=$((n+1))
++n=`expr $n + 1`
+ test "$ret" -eq 0 || echo_i "failed"
+-status=$((status+ret))
++status=`expr $status + $ret`
+
+ echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
+ ret=0
+ dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n
+ grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+ grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1
+-n=$((n+1))
++n=`expr $n + 1`
+ test "$ret" -eq 0 || echo_i "failed"
+-status=$((status+ret))
++status=`expr $status + $ret`
+
+ # TODO: test case for GL #1689.
+ # If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
+@@ -3849,6 +3849,18 @@ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
++echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
++ret=0
++dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
++grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
++grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
++$PERL $SYSTEMTESTTOP/stop.pl dnssec ns1 || ret=1
++$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns1 || ret=1
++n=`expr $n + 1`
++test "$ret" -eq 0 || echo_i "failed"
++status=`expr $status + $ret`
++
++
+ echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
+ ret=0
+ dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
+--
+2.33.0
+
diff --git a/bind.spec b/bind.spec
index 622abac4bac14e78149b543a0eb9fc7a7fb00556..249d10cb75f438e56f0af43c977f7121b60c6da0 100644
--- a/bind.spec
+++ b/bind.spec
@@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 9
+Release: 10
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -81,6 +81,7 @@ Patch164:bind-9.11-rh1666814.patch
 Patch6000: CVE-2022-0396.patch
 Patch6001: CVE-2021-25220.patch
+Patch6002: CVE-2018-5744.patch
 Patch9000: bugfix-limit-numbers-of-test-threads.patch
 %{?systemd_ordering}
@@ -379,6 +380,7 @@ in HTML and PDF format.
 %patch6000 -p1
 %patch6001 -p1
+%patch6002 -p1
 %patch9000 -p1
 %if %{with PKCS11}
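Review bot: The block added in the inner hunk at `@@ -3849,6 +3849,18 @@` is a verbatim copy of the test that already follows it as context (same `echo_i` text and the same `dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd` line), so the check and the ns1 stop/restart would run twice without covering anything new. The patch's own diffstat touches only `bin/tests/system/dnssec/tests.sh`, so it changes no server source, yet the file is named for a CVE and the spec changelog records `Type:CVE` with `DESC: fix CVE-2018-5744.patch`; anyone tracking remediation by patch name or changelog would read this release as the one that fixed the leak. If the source fix is already in the packaged tarball (the pre-existing test suggests so, but that is not visible here), I would drop this patch or describe it as test-only, e.g. `- DESC: add regression test for CVE-2018-5744`. The first inner hunk also rewrites the counters to backtick `expr` forms, which is unrelated to the test; those lines should stay `n=$((n+1))` and `status=$((status+ret))`. The commit message carries pasted web-page text (`authored 3 years ago by ... avatar ...`), which hints the patch was assembled by hand rather than cherry-picked, so it is worth comparing against the two referenced upstream commits before merging.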
@@ -1103,6 +1105,12 @@ fi;
 %endif
 %changelog
+* Mon Oct 24 2022 qz_cx - 32:9.16.23-10
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC: fix CVE-2018-5744.patch
+
 * Wed Aug 31 2022 yangchenguang - 32:9.16.23-9
 - DESC: fix downgrade bind-utils conflict bind-dnssec-doc