From ead5f8c87f808e69107f34fba04e5011c6c1730b Mon Sep 17 00:00:00 2001 From: liweiganga Date: Mon, 12 Dec 2022 11:46:37 +0800 Subject: [PATCH] =?UTF-8?q?=E5=90=8C=E6=AD=A5openEuler-22.03-lts=E6=9B=B4?= =?UTF-8?q?=E6=96=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (cherry picked from commit 47cba74216ca5c11f5b275b36fd2ff2120f2c5bb) --- ...x-catalog-zone-reconfiguration-crash.patch | 119 +++++++++ ...ove-the-logging-on-failed-TCP-accept.patch | 162 ++++++++++++ ...ked-parts-of-dns_zone_catz_enable-di.patch | 85 +++++++ ...-metadata-is-modified-before-writing.patch | 235 ++++++++++++++++++ ...76-Concurrent-data-access-violations.patch | 76 ++++++ ...uire-valid-key-for-dst_key-functions.patch | 70 ++++++ backport-CVE-2022-2795.patch | 60 +++++ backport-CVE-2022-2881.patch | 42 ++++ backport-CVE-2022-2906.patch | 135 ++++++++++ backport-CVE-2022-3080.patch | 146 +++++++++++ backport-CVE-2022-38177.patch | 25 ++ backport-CVE-2022-38178.patch | 31 +++ bind.spec | 42 +++- 13 files changed, 1227 insertions(+), 1 deletion(-) create mode 100644 backport-0002-Fix-catalog-zone-reconfiguration-crash.patch create mode 100644 backport-0003-Improve-the-logging-on-failed-TCP-accept.patch create mode 100644 backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch create mode 100644 backport-0036-Check-if-key-metadata-is-modified-before-writing.patch create mode 100644 backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch create mode 100644 backport-0037-Require-valid-key-for-dst_key-functions.patch create mode 100644 backport-CVE-2022-2795.patch create mode 100644 backport-CVE-2022-2881.patch create mode 100644 backport-CVE-2022-2906.patch create mode 100644 backport-CVE-2022-3080.patch create mode 100644 backport-CVE-2022-38177.patch create mode 100644 backport-CVE-2022-38178.patch diff --git a/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch b/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch new file mode 100644 index 0000000..20996e4 --- /dev/null +++ b/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch @@ -0,0 +1,119 @@ +From 4b362a82ebf511d0915585bbe55bdb9b989f439a Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Mon, 11 Oct 2021 18:13:39 +0000 +Subject: [PATCH] Fix catalog zone reconfiguration crash + +The following scenario triggers a "named" crash: + +1. Configure a catalog zone. +2. Start "named". +3. Comment out the "catalog-zone" clause. +4. Run `rndc reconfig`. +5. Uncomment the "catalog-zone" clause. +6. Run `rndc reconfig` again. + +Implement the required cleanup of the in-memory catalog zone during +the first `rndc reconfig`, so that the second `rndc reconfig` could +find it in an expected state. + +(cherry picked from commit 43ac2cd229813c04438e027c42c0b93b9661adda) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4b362a82ebf511d0915585bbe55bdb9b989f439a +--- + bin/named/server.c | 2 ++ + lib/dns/include/dns/zone.h | 20 ++++++++++++++++++++ + lib/dns/win32/libdns.def.in | 2 ++ + lib/dns/zone.c | 18 ++++++++++++++++++ + 4 files changed, 42 insertions(+) + +diff --git a/bin/named/server.c b/bin/named/server.c +index 860ccae8a1..9c0f12f63f 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -6523,6 +6523,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, + + if (zone_is_catz) { + dns_zone_catz_enable(zone, view->catzs); ++ } else if (dns_zone_catz_is_enabled(zone)) { ++ dns_zone_catz_disable(zone); + } + + /* +diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h +index 08e2263c5b..33ab5c60fd 100644 +--- a/lib/dns/include/dns/zone.h ++++ b/lib/dns/include/dns/zone.h +@@ -2605,6 +2605,26 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs); + * \li prior to calling, zone->catzs is NULL or is equal to 'catzs' + */ + ++void ++dns_zone_catz_disable(dns_zone_t *zone); ++/*%< ++ * Disable zone as catalog zone, if it is one. ++ * ++ * Requires: ++ * ++ * \li 'zone' is a valid zone object ++ */ ++ ++bool ++dns_zone_catz_is_enabled(dns_zone_t *zone); ++/*%< ++ * Return a boolean indicating whether the zone is enabled as catalog zone. ++ * ++ * Requires: ++ * ++ * \li 'zone' is a valid zone object ++ */ ++ + void + dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db); + /*%< +diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in +index 31f511103f..1e0f7cf64a 100644 +--- a/lib/dns/win32/libdns.def.in ++++ b/lib/dns/win32/libdns.def.in +@@ -1173,8 +1173,10 @@ dns_xfrin_shutdown + dns_zone_addnsec3chain + dns_zone_asyncload + dns_zone_attach ++dns_zone_catz_disable + dns_zone_catz_enable + dns_zone_catz_enable_db ++dns_zone_catz_is_enabled + dns_zone_cdscheck + dns_zone_checknames + dns_zone_clearforwardacl +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 65a3aacab7..bc33e6ede8 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -1942,6 +1942,24 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { + UNLOCK_ZONE(zone); + } + ++void ++dns_zone_catz_disable(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ ++ LOCK_ZONE(zone); ++ if (zone->catzs != NULL) { ++ dns_catz_catzs_detach(&zone->catzs); ++ } ++ UNLOCK_ZONE(zone); ++} ++ ++bool ++dns_zone_catz_is_enabled(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ ++ return (zone->catzs != NULL); ++} ++ + /* + * If a zone is a catalog zone, attach it to update notification in database. + */ +-- +2.27.0 + diff --git a/backport-0003-Improve-the-logging-on-failed-TCP-accept.patch b/backport-0003-Improve-the-logging-on-failed-TCP-accept.patch new file mode 100644 index 0000000..aba4616 --- /dev/null +++ b/backport-0003-Improve-the-logging-on-failed-TCP-accept.patch @@ -0,0 +1,162 @@ +From 75c484e36d6d28da820bfcf530a28b4f785049a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 1 Dec 2021 17:41:20 +0100 +Subject: [PATCH] Improve the logging on failed TCP accept + +Previously, when TCP accept failed, we have logged a message with +ISC_LOG_ERROR level. One common case, how this could happen is that the +client hits TCP client quota and is put on hold and when resumed, the +client has already given up and closed the TCP connection. In such +case, the named would log: + + TCP connection failed: socket is not connected + +This message was quite confusing because it actually doesn't say that +it's related to the accepting the TCP connection and also it logs +everything on the ISC_LOG_ERROR level. + +Change the log message to "Accepting TCP connection failed" and for +specific error states lower the severity of the log message to +ISC_LOG_INFO. + +(cherry picked from commit 20ac73eb222e60395399b467b0a72015a4dd8845) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/75c484e36d6d28da820bfcf530a28b4f785049a6 +--- + lib/isc/netmgr/netmgr-int.h | 3 +++ + lib/isc/netmgr/netmgr.c | 27 +++++++++++++++++++++++++++ + lib/isc/netmgr/tcp.c | 20 ++------------------ + lib/isc/netmgr/tcpdns.c | 22 ++-------------------- + 4 files changed, 34 insertions(+), 38 deletions(-) + +diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h +index f7b54f9..b4299d5 100644 +--- a/lib/isc/netmgr/netmgr-int.h ++++ b/lib/isc/netmgr/netmgr-int.h +@@ -1576,4 +1576,7 @@ isc__nm_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result, bool async); + void + isc__nmsocket_connecttimeout_cb(uv_timer_t *timer); + ++void ++isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota); ++ + #define STREAM_CLIENTS_PER_CONN 23 +diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c +index 3283eb6e4f..54042a9123 100644 +--- a/lib/isc/netmgr/netmgr.c ++++ b/lib/isc/netmgr/netmgr.c +@@ -1967,6 +1967,33 @@ isc__nmsocket_connecttimeout_cb(uv_timer_t *timer) { + } + } + ++void ++isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) { ++ int level; ++ ++ switch (result) { ++ case ISC_R_SUCCESS: ++ case ISC_R_NOCONN: ++ return; ++ case ISC_R_QUOTA: ++ case ISC_R_SOFTQUOTA: ++ if (!can_log_quota) { ++ return; ++ } ++ level = ISC_LOG_INFO; ++ break; ++ case ISC_R_NOTCONNECTED: ++ level = ISC_LOG_INFO; ++ break; ++ default: ++ level = ISC_LOG_ERROR; ++ } ++ ++ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR, ++ level, "Accepting TCP connection failed: %s", ++ isc_result_totext(result)); ++} ++ + static void + isc__nmsocket_readtimeout_cb(uv_timer_t *timer) { + isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer); +diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c +index 5cca9f5214..1b5e80d3a7 100644 +--- a/lib/isc/netmgr/tcp.c ++++ b/lib/isc/netmgr/tcp.c +@@ -631,15 +631,7 @@ tcp_connection_cb(uv_stream_t *server, int status) { + + result = accept_connection(ssock, quota); + done: +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcp_quota()) { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcp_quota()); + } + + void +@@ -934,15 +926,7 @@ isc__nm_async_tcpaccept(isc__networker_t *worker, isc__netievent_t *ev0) { + REQUIRE(sock->tid == isc_nm_tid()); + + result = accept_connection(sock, ievent->quota); +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcp_quota()) { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcp_quota()); + } + + static isc_result_t +diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c +index 188790c8b4..b76dcbc66c 100644 +--- a/lib/isc/netmgr/tcpdns.c ++++ b/lib/isc/netmgr/tcpdns.c +@@ -600,16 +600,7 @@ tcpdns_connection_cb(uv_stream_t *server, int status) { + + result = accept_connection(ssock, quota); + done: +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcpdns_quota()) +- { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcpdns_quota()); + } + + void +@@ -905,16 +896,7 @@ isc__nm_async_tcpdnsaccept(isc__networker_t *worker, isc__netievent_t *ev0) { + REQUIRE(ievent->sock->tid == isc_nm_tid()); + + result = accept_connection(ievent->sock, ievent->quota); +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcpdns_quota()) +- { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcpdns_quota()); + } + + static isc_result_t +-- +2.27.0 + diff --git a/backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch b/backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch new file mode 100644 index 0000000..fcdf675 --- /dev/null +++ b/backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch @@ -0,0 +1,85 @@ +From 885e44650b547cff88095d01769e303474582612 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Wed, 5 Jan 2022 09:38:36 +0000 +Subject: [PATCH] Separate the locked parts of dns_zone_catz_enable/disable + functions + +Separate the locked parts of dns_zone_catz_enable() and +dns_zone_catz_disable() functions into static functions. This will +let us perform those tasks from the other parts of the module while +the zone is locked, avoiding one pair of additional unlocking and +locking operations. + +(cherry picked from commit 6b937ed5f67a13cf6ad6249380073a6e647d7897) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/885e44650b547cff88095d01769e303474582612 +--- + lib/dns/zone.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 2faf12519e..9205271574 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -871,6 +871,10 @@ static inline void + zone_attachdb(dns_zone_t *zone, dns_db_t *db); + static inline void + zone_detachdb(dns_zone_t *zone); ++static void ++zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs); ++static void ++zone_catz_disable(dns_zone_t *zone); + static isc_result_t + default_journal(dns_zone_t *zone); + static void +@@ -1930,28 +1934,42 @@ dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) { + zone->rpzs->zones[zone->rpz_num]); + } + +-void +-dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { ++static void ++zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { + REQUIRE(DNS_ZONE_VALID(zone)); + REQUIRE(catzs != NULL); + +- LOCK_ZONE(zone); + INSIST(zone->catzs == NULL || zone->catzs == catzs); + dns_catz_catzs_set_view(catzs, zone->view); + if (zone->catzs == NULL) { + dns_catz_catzs_attach(catzs, &zone->catzs); + } +- UNLOCK_ZONE(zone); + } + + void +-dns_zone_catz_disable(dns_zone_t *zone) { ++dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); ++ zone_catz_enable(zone, catzs); ++ UNLOCK_ZONE(zone); ++} ++ ++static void ++zone_catz_disable(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ + if (zone->catzs != NULL) { + dns_catz_catzs_detach(&zone->catzs); + } ++} ++ ++void ++dns_zone_catz_disable(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ ++ LOCK_ZONE(zone); ++ zone_catz_disable(zone); + UNLOCK_ZONE(zone); + } + +-- +2.27.0 + diff --git a/backport-0036-Check-if-key-metadata-is-modified-before-writing.patch b/backport-0036-Check-if-key-metadata-is-modified-before-writing.patch new file mode 100644 index 0000000..f11e7ee --- /dev/null +++ b/backport-0036-Check-if-key-metadata-is-modified-before-writing.patch @@ -0,0 +1,235 @@ +From c2e8c722980cd40e163f748e8502c9637ea55cf3 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Tue, 3 May 2022 12:28:31 +0200 +Subject: [PATCH] Check if key metadata is modified before writing + +Add a new parameter to the dst_key structure, mark a key modified if +dst_key_(un)set[bool,num,state,time] is called. Only write out key +files during a keymgr run if the metadata has changed. + +(cherry picked from commit 1da91b3ab46b3d875213a473595e671d9ff9c76f) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/c2e8c722980cd40e163f748e8502c9637ea55cf3 +--- + lib/dns/dst_api.c | 26 ++++++++++++++++++++++++++ + lib/dns/dst_internal.h | 1 + + lib/dns/include/dst/dst.h | 20 ++++++++++++++++++++ + lib/dns/keymgr.c | 17 ++++++++++++++++- + 4 files changed, 63 insertions(+), 1 deletion(-) + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index ab371330f0..8873a041b8 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -490,6 +490,16 @@ dst_key_isexternal(dst_key_t *key) { + return (key->external); + } + ++void ++dst_key_setmodified(dst_key_t *key, bool value) { ++ key->modified = value; ++} ++ ++bool ++dst_key_ismodified(dst_key_t *key) { ++ return (key->modified); ++} ++ + isc_result_t + dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg, + int type, const char *directory, isc_mem_t *mctx, +@@ -637,6 +647,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type, + (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) + { + RETERR(computeid(pubkey)); ++ pubkey->modified = false; + *keyp = pubkey; + pubkey = NULL; + goto out; +@@ -690,6 +701,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type, + RETERR(DST_R_INVALIDPRIVATEKEY); + } + ++ key->modified = false; + *keyp = key; + key = NULL; + +@@ -1047,6 +1059,8 @@ dst_key_setbool(dst_key_t *key, int type, bool value) { + REQUIRE(type <= DST_MAX_BOOLEAN); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->boolset[type] || ++ key->bools[type] != value; + key->bools[type] = value; + key->boolset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1058,6 +1072,7 @@ dst_key_unsetbool(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_BOOLEAN); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->boolset[type]; + key->boolset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -1089,6 +1104,8 @@ dst_key_setnum(dst_key_t *key, int type, uint32_t value) { + REQUIRE(type <= DST_MAX_NUMERIC); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->numset[type] || ++ key->nums[type] != value; + key->nums[type] = value; + key->numset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1100,6 +1117,7 @@ dst_key_unsetnum(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_NUMERIC); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->numset[type]; + key->numset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -1130,6 +1148,8 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) { + REQUIRE(type <= DST_MAX_TIMES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->timeset[type] || ++ key->times[type] != when; + key->times[type] = when; + key->timeset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1141,6 +1161,7 @@ dst_key_unsettime(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_TIMES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->timeset[type]; + key->timeset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -1172,6 +1193,8 @@ dst_key_setstate(dst_key_t *key, int type, dst_key_state_t state) { + REQUIRE(type <= DST_MAX_KEYSTATES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->keystateset[type] || ++ key->keystates[type] != state; + key->keystates[type] = state; + key->keystateset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1183,6 +1206,7 @@ dst_key_unsetstate(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_KEYSTATES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->keystateset[type]; + key->keystateset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -2747,4 +2771,6 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) { + dst_key_unsetstate(to, i); + } + } ++ ++ dst_key_setmodified(to, dst_key_ismodified(from)); + } +diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h +index e26837bfe4..4933cfd5aa 100644 +--- a/lib/dns/dst_internal.h ++++ b/lib/dns/dst_internal.h +@@ -147,6 +147,7 @@ struct dst_key { + bool inactive; /*%< private key not present as it is + * inactive */ + bool external; /*%< external key */ ++ bool modified; /*%< set to true if key file metadata has changed */ + + int fmt_major; /*%< private key format, major version + * */ +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index d50761a63c..eab5501029 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -1107,6 +1107,26 @@ dst_key_isexternal(dst_key_t *key); + * 'key' to be valid. + */ + ++void ++dst_key_setmodified(dst_key_t *key, bool value); ++/*%< ++ * If 'value' is true, this marks the key to indicate that key file metadata ++ * has been modified. If 'value' is false, this resets the value, for example ++ * after you have written the key to file. ++ * ++ * Requires: ++ * 'key' to be valid. ++ */ ++ ++bool ++dst_key_ismodified(dst_key_t *key); ++/*%< ++ * Check if the key file has been modified. ++ * ++ * Requires: ++ * 'key' to be valid. ++ */ ++ + bool + dst_key_haskasp(dst_key_t *key); + /*%< +diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c +index 965782b1f3..b01286575f 100644 +--- a/lib/dns/keymgr.c ++++ b/lib/dns/keymgr.c +@@ -1512,6 +1512,7 @@ transition: + /* It is safe to make the transition. */ + dst_key_setstate(dkey->key, i, next_state); + dst_key_settime(dkey->key, keystatetimes[i], now); ++ INSIST(dst_key_ismodified(dkey->key)); + changed = true; + } + } +@@ -2183,9 +2184,10 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, + for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL; + dkey = ISC_LIST_NEXT(dkey, link)) + { +- if (!dkey->purge) { ++ if (dst_key_ismodified(dkey->key) && !dkey->purge) { + dns_dnssec_get_hints(dkey, now); + RETERR(dst_key_tofile(dkey->key, options, directory)); ++ dst_key_setmodified(dkey->key, false); + } + } + +@@ -2205,6 +2207,13 @@ failure: + } + } + ++ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { ++ char namebuf[DNS_NAME_FORMATSIZE]; ++ dns_name_format(origin, namebuf, sizeof(namebuf)); ++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, ++ DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(3), ++ "keymgr: %s done", namebuf); ++ } + return (result); + } + +@@ -2282,6 +2291,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring, + + dns_dnssec_get_hints(ksk_key, now); + result = dst_key_tofile(ksk_key->key, options, directory); ++ if (result == ISC_R_SUCCESS) { ++ dst_key_setmodified(ksk_key->key, false); ++ } + isc_dir_close(&dir); + + return (result); +@@ -2582,6 +2594,9 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring, + + dns_dnssec_get_hints(key, now); + result = dst_key_tofile(key->key, options, directory); ++ if (result == ISC_R_SUCCESS) { ++ dst_key_setmodified(key->key, false); ++ } + isc_dir_close(&dir); + + return (result); +-- +2.27.0 + diff --git a/backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch b/backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch new file mode 100644 index 0000000..bc17cb6 --- /dev/null +++ b/backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch @@ -0,0 +1,76 @@ +From 7c42c04f3fa1c6b936debe48b435b9ef9da464bd Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Mon, 16 May 2022 19:00:47 +0200 +Subject: [PATCH] Fix CID 352776: Concurrent data access violations + +*** CID 352776: Concurrent data access violations (MISSING_LOCK) +/lib/dns/dst_api.c: 474 in dst_key_setmodified() +468 dst_key_isexternal(dst_key_t *key) { +469 return (key->external); +470 } +471 +472 void +473 dst_key_setmodified(dst_key_t *key, bool value) { +>>> CID 352776: Concurrent data access violations (MISSING_LOCK) +>>> Accessing "key->modified" without holding lock +>>> "dst_key.mdlock". Elsewhere, "dst_key.modified" is accessed with +>>> "dst_key.mdlock" held 8 out of 11 times (8 of these accesses +>>> strongly imply that it is necessary). +474 key->modified = value; +475 } +476 +477 bool +478 dst_key_ismodified(dst_key_t *key) { +479 return (key->modified); + +(cherry picked from commit 1fa24d0afbc01d25d71446156758b3a945db5b5f) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/7c42c04f3fa1c6b936debe48b435b9ef9da464bd +--- + lib/dns/dst_api.c | 12 ++++++++++-- + lib/dns/include/dst/dst.h | 2 +- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index 8873a041b8..e5a52aea37 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -492,12 +492,20 @@ dst_key_isexternal(dst_key_t *key) { + + void + dst_key_setmodified(dst_key_t *key, bool value) { ++ isc_mutex_lock(&key->mdlock); + key->modified = value; ++ isc_mutex_unlock(&key->mdlock); + } + + bool +-dst_key_ismodified(dst_key_t *key) { +- return (key->modified); ++dst_key_ismodified(const dst_key_t *key) { ++ bool modified; ++ ++ isc_mutex_lock(&(((dst_key_t *)key)->mdlock)); ++ modified = key->modified; ++ isc_mutex_unlock(&(((dst_key_t *)key)->mdlock)); ++ ++ return (modified); + } + + isc_result_t +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index eab5501029..3185e9f91b 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -1119,7 +1119,7 @@ dst_key_setmodified(dst_key_t *key, bool value); + */ + + bool +-dst_key_ismodified(dst_key_t *key); ++dst_key_ismodified(const dst_key_t *key); + /*%< + * Check if the key file has been modified. + * +-- +2.27.0 + diff --git a/backport-0037-Require-valid-key-for-dst_key-functions.patch b/backport-0037-Require-valid-key-for-dst_key-functions.patch new file mode 100644 index 0000000..ab19afb --- /dev/null +++ b/backport-0037-Require-valid-key-for-dst_key-functions.patch @@ -0,0 +1,70 @@ +From d3147417c55cb1277cac42034198a3011c8f5cfb Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Tue, 17 May 2022 12:02:43 +0200 +Subject: [PATCH] Require valid key for dst_key functions + +Make sure that the key structure is valid when calling the following +functions: +- dst_key_setexternal +- dst_key_isexternal +- dst_key_setmodified +- dst_key_ismodified + +This commit is adapted because 9.16 has a different approach +of deconsting the variable. + +(cherry picked from commit 888ec4e0d407a9333017d6997a2be81a69658e1f) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d3147417c55cb1277cac42034198a3011c8f5cfb +--- + lib/dns/dst_api.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index e5a52aea37..f5741a1af4 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -482,16 +482,22 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory) { + + void + dst_key_setexternal(dst_key_t *key, bool value) { ++ REQUIRE(VALID_KEY(key)); ++ + key->external = value; + } + + bool + dst_key_isexternal(dst_key_t *key) { ++ REQUIRE(VALID_KEY(key)); ++ + return (key->external); + } + + void + dst_key_setmodified(dst_key_t *key, bool value) { ++ REQUIRE(VALID_KEY(key)); ++ + isc_mutex_lock(&key->mdlock); + key->modified = value; + isc_mutex_unlock(&key->mdlock); +@@ -500,10 +506,15 @@ dst_key_setmodified(dst_key_t *key, bool value) { + bool + dst_key_ismodified(const dst_key_t *key) { + bool modified; ++ dst_key_t *k; + +- isc_mutex_lock(&(((dst_key_t *)key)->mdlock)); ++ REQUIRE(VALID_KEY(key)); ++ ++ DE_CONST(key, k); ++ ++ isc_mutex_lock(&k->mdlock); + modified = key->modified; +- isc_mutex_unlock(&(((dst_key_t *)key)->mdlock)); ++ isc_mutex_unlock(&k->mdlock); + + return (modified); + } +-- +2.27.0 + diff --git a/backport-CVE-2022-2795.patch b/backport-CVE-2022-2795.patch new file mode 100644 index 0000000..c978c73 --- /dev/null +++ b/backport-CVE-2022-2795.patch @@ -0,0 +1,60 @@ +From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Thu, 8 Sep 2022 11:11:30 +0200 +Subject: [PATCH] Bound the amount of work performed for delegations + +Limit the amount of database lookups that can be triggered in +fctx_getaddresses() (i.e. when determining the name server addresses to +query next) by setting a hard limit on the number of NS RRs processed +for any delegation encountered. Without any limit in place, named can +be forced to perform large amounts of database lookups per each query +received, which severely impacts resolver performance. + +The limit used (20) is an arbitrary value that is considered to be big +enough for any sane DNS delegation. + +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) +--- + lib/dns/resolver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index d2cf14bbc8b..73a0ee9f779 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -195,6 +195,12 @@ + */ + #define NS_FAIL_LIMIT 4 + #define NS_RR_LIMIT 5 ++/* ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in ++ * any NS RRset encountered, to avoid excessive resource use while processing ++ * large delegations. ++ */ ++#define NS_PROCESSING_LIMIT 20 + + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS +@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + bool need_alternate = false; + bool all_spilled = true; + unsigned int no_addresses = 0; ++ unsigned int ns_processed = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3902,6 +3909,11 @@ normal_nses: + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); ++ ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) { + return (result); +-- +GitLab + diff --git a/backport-CVE-2022-2881.patch b/backport-CVE-2022-2881.patch new file mode 100644 index 0000000..45bb83f --- /dev/null +++ b/backport-CVE-2022-2881.patch @@ -0,0 +1,42 @@ +From 13333db69f9b9710a98c86f44276e01e95420fa0 Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Tue, 16 Aug 2022 16:26:02 -0700 +Subject: [PATCH] compression buffer was not reused correctly + +when the compression buffer was reused for multiple statistics +requests, responses could grow beyond the correct size. this was +because the buffer was not cleared before reuse; compressed data +was still written to the beginning of the buffer, but then the size +of used region was increased by the amount written, rather than set +to the amount written. this caused responses to grow larger and +larger, potentially reading past the end of the allocated buffer. + +(cherry picked from commit 47e9fa981e56a7a232f3219fe8a40525c79d748b) +--- + lib/isc/httpd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c +index 776455a..e55330b 100644 +--- a/lib/isc/httpd.c ++++ b/lib/isc/httpd.c +@@ -246,6 +246,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) { + if (r.length > 0) { + isc_mem_put(mctx, r.base, r.length); + } ++ ++ isc_buffer_initnull(buffer); + } + + static void +@@ -910,6 +912,7 @@ isc_httpd_compress(isc_httpd_t *httpd) { + if (result != ISC_R_SUCCESS) { + return (result); + } ++ isc_buffer_clear(&httpd->compbuffer); + isc_buffer_region(&httpd->compbuffer, &r); + + /* +-- +2.23.0 + diff --git a/backport-CVE-2022-2906.patch b/backport-CVE-2022-2906.patch new file mode 100644 index 0000000..704cc52 --- /dev/null +++ b/backport-CVE-2022-2906.patch @@ -0,0 +1,135 @@ +From 73df5c80538970ee1fbc4fe3348109bdc281e197 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Thu, 18 Aug 2022 08:59:09 +0000 +Subject: [PATCH] Fix memory leaks in DH code + +When used with OpenSSL v3.0.0+, the `openssldh_compare()`, +`openssldh_paramcompare()`, and `openssldh_todns()` functions +fail to cleanup the used memory on some error paths. + +Use `DST_RET` instead of `return`, when there is memory to be +released before returning from the functions. + +(cherry picked from commit 73d6bbff4e1df583810126fe58eac39bb52bc0d9) +--- + lib/dns/openssldh_link.c | 45 +++++++++++++++++++++++----------------- + 1 file changed, 26 insertions(+), 19 deletions(-) + +diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c +index 72b8209..ece97ea 100644 +--- a/lib/dns/openssldh_link.c ++++ b/lib/dns/openssldh_link.c +@@ -68,6 +68,12 @@ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" + ++#define DST_RET(a) \ ++ { \ ++ ret = a; \ ++ goto err; \ ++ } ++ + static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; + + #if !HAVE_DH_GET0_KEY +@@ -180,7 +186,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + + static bool + openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { +- DH *dh1, *dh2; ++ bool ret = true; ++ DH *dh1, *dh2; + const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; + const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; + const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; +@@ -202,23 +209,24 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || + BN_cmp(pub_key1, pub_key2) != 0) + { +- return (false); ++ DST_RET(false); + } + + if (priv_key1 != NULL || priv_key2 != NULL) { +- if (priv_key1 == NULL || priv_key2 == NULL) { +- return (false); +- } +- if (BN_cmp(priv_key1, priv_key2) != 0) { +- return (false); ++ if (priv_key1 == NULL || priv_key2 == NULL || ++ BN_cmp(priv_key1, priv_key2) != 0) { ++ DST_RET(false); + } + } +- return (true); ++ ++err: ++ return (ret); + } + + static bool + openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { +- DH *dh1, *dh2; ++ bool ret = true; ++ DH *dh1, *dh2; + const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; + + dh1 = key1->keydata.dh; +@@ -234,9 +242,11 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { + DH_get0_pqg(dh2, &p2, NULL, &g2); + + if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { +- return (false); ++ DST_RET(false); + } +- return (true); ++ ++err: ++ return (ret); + } + + static int +@@ -386,7 +396,8 @@ uint16_fromregion(isc_region_t *region) { + + static isc_result_t + openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { +- DH *dh; ++ isc_result_t ret = ISC_R_SUCCESS; ++ DH *dh; + const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; + isc_region_t r; + uint16_t dnslen, plen, glen, publen; +@@ -412,7 +423,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + publen = BN_num_bytes(pub_key); + dnslen = plen + glen + publen + 6; + if (r.length < (unsigned int)dnslen) { +- return (ISC_R_NOSPACE); ++ DST_RET(ISC_R_NOSPACE); + } + + uint16_toregion(plen, &r); +@@ -441,7 +452,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + + isc_buffer_add(data, dnslen); + +- return (ISC_R_SUCCESS); ++err: ++ return (ret); + } + + static isc_result_t +@@ -659,11 +671,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + DH *dh = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; + isc_mem_t *mctx; +-#define DST_RET(a) \ +- { \ +- ret = a; \ +- goto err; \ +- } + + UNUSED(pub); + mctx = key->mctx; +-- +2.23.0 + diff --git a/backport-CVE-2022-3080.patch b/backport-CVE-2022-3080.patch new file mode 100644 index 0000000..b5bfb56 --- /dev/null +++ b/backport-CVE-2022-3080.patch @@ -0,0 +1,146 @@ +From 3f68e2ad838b3c12a725ccb1082a54b0e8b69562 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Fri, 2 Sep 2022 16:50:39 +0200 +Subject: [PATCH] Only refresh RRset once + +Don't attempt to resolve DNS responses for intermediate results. This +may create multiple refreshes and can cause a crash. + +One scenario is where for the query there is a CNAME and canonical +answer in cache that are both stale. This will trigger a refresh of +the RRsets because we encountered stale data and we prioritized it over +the lookup. It will trigger a refresh of both RRsets. When we start +recursing, it will detect a recursion loop because the recursion +parameters will eventually be the same. In 'dns_resolver_destroyfetch' +the sanity check fails, one of the callers did not get its event back +before trying to destroy the fetch. + +Move the call to 'query_refresh_rrset' to 'ns_query_done', so that it +is only called once per client request. + +Another scenario is where for the query there is a stale CNAME in the +cache that points to a record that is also in cache but not stale. This +will trigger a refresh of the RRset (because we encountered stale data +and we prioritized it over the lookup). + +We mark RRsets that we add to the message with +DNS_RDATASETATTR_STALE_ADDED to prevent adding a duplicate RRset when +a stale lookup and a normal lookup conflict with each other. However, +the other non-stale RRset when following a CNAME chain will be added to +the message without setting that attribute, because it is not stale. + +This is a variant of the bug in #2594. The fix covered the same crash +but for stale-answer-client-timeout > 0. + +Fix this by clearing all RRsets from the message before refreshing. +This requires the refresh to happen after the query is send back to +the client. + +(cherry picked from commit d939d2ecde5639d11acd6eac33a997b3e3c78b02) +--- + lib/ns/include/ns/query.h | 1 + + lib/ns/query.c | 42 ++++++++++++++++++++++++--------------- + 2 files changed, 27 insertions(+), 16 deletions(-) + +diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h +index 142ef8c6c1d..be0dadd5099 100644 +--- a/lib/ns/include/ns/query.h ++++ b/lib/ns/include/ns/query.h +@@ -147,6 +147,7 @@ struct query_ctx { + bool authoritative; /* authoritative query? */ + bool want_restart; /* CNAME chain or other + * restart needed */ ++ bool refresh_rrset; /* stale RRset refresh needed */ + bool need_wildcardproof; /* wildcard proof needed */ + bool nxrewrite; /* negative answer from RPZ */ + bool findcoveringnsec; /* lookup covering NSEC */ +diff --git a/lib/ns/query.c b/lib/ns/query.c +index 5c2701eb718..98cfffe8c36 100644 +--- a/lib/ns/query.c ++++ b/lib/ns/query.c +@@ -5737,7 +5737,6 @@ query_lookup(query_ctx_t *qctx) { + bool dbfind_stale = false; + bool stale_timeout = false; + bool stale_found = false; +- bool refresh_rrset = false; + bool stale_refresh_window = false; + + CCTRACE(ISC_LOG_DEBUG(3), "query_lookup"); +@@ -5921,8 +5920,7 @@ query_lookup(query_ctx_t *qctx) { + "%s stale answer used, an attempt to " + "refresh the RRset will still be made", + namebuf); +- refresh_rrset = STALE(qctx->rdataset); +- qctx->client->nodetach = refresh_rrset; ++ qctx->refresh_rrset = STALE(qctx->rdataset); + } + } else { + /* +@@ -5960,17 +5958,6 @@ query_lookup(query_ctx_t *qctx) { + + result = query_gotanswer(qctx, result); + +- if (refresh_rrset) { +- /* +- * If we reached this point then it means that we have found a +- * stale RRset entry in cache and BIND is configured to allow +- * queries to be answered with stale data if no active RRset +- * is available, i.e. "stale-anwer-client-timeout 0". But, we +- * still need to refresh the RRset. +- */ +- query_refresh_rrset(qctx); +- } +- + cleanup: + return (result); + } +@@ -7760,11 +7747,14 @@ query_addanswer(query_ctx_t *qctx) { + + /* + * On normal lookups, clear any rdatasets that were added on a +- * lookup due to stale-answer-client-timeout. ++ * lookup due to stale-answer-client-timeout. Do not clear if we ++ * are going to refresh the RRset, because the stale contents are ++ * prioritized. + */ + if (QUERY_STALEOK(&qctx->client->query) && +- !QUERY_STALETIMEOUT(&qctx->client->query)) ++ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset) + { ++ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale"); + query_clear_stale(qctx->client); + /* + * We can clear the attribute to prevent redundant clearing +@@ -11478,9 +11468,29 @@ ns_query_done(query_ctx_t *qctx) { + /* + * Client may have been detached after query_send(), so + * we test and store the flag state here, for safety. ++ * If we are refreshing the RRSet, we must not detach from the client ++ * in the query_send(), so we need to override the flag. + */ ++ if (qctx->refresh_rrset) { ++ qctx->client->nodetach = true; ++ } + nodetach = qctx->client->nodetach; + query_send(qctx->client); ++ ++ if (qctx->refresh_rrset) { ++ /* ++ * If we reached this point then it means that we have found a ++ * stale RRset entry in cache and BIND is configured to allow ++ * queries to be answered with stale data if no active RRset ++ * is available, i.e. "stale-anwer-client-timeout 0". But, we ++ * still need to refresh the RRset. To prevent adding duplicate ++ * RRsets, clear the RRsets from the message before doing the ++ * refresh. ++ */ ++ message_clearrdataset(qctx->client->message, 0); ++ query_refresh_rrset(qctx); ++ } ++ + if (!nodetach) { + qctx->detach_client = true; + } +-- +GitLab + diff --git a/backport-CVE-2022-38177.patch b/backport-CVE-2022-38177.patch new file mode 100644 index 0000000..dc8cb41 --- /dev/null +++ b/backport-CVE-2022-38177.patch @@ -0,0 +1,25 @@ +From 5b2282afff760b1ed3471f6666bdfe8e1d34e590 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Thu, 11 Aug 2022 15:15:34 +1000 +Subject: [PATCH] Free eckey on siglen mismatch + +--- + lib/dns/opensslecdsa_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c +index 1f16ca70738..5ee4342b387 100644 +--- a/lib/dns/opensslecdsa_link.c ++++ b/lib/dns/opensslecdsa_link.c +@@ -230,7 +230,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + } + + if (sig->length != siglen) { +- return (DST_R_VERIFYFAILURE); ++ DST_RET(DST_R_VERIFYFAILURE); + } + + if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) { +-- +GitLab + diff --git a/backport-CVE-2022-38178.patch b/backport-CVE-2022-38178.patch new file mode 100644 index 0000000..a0ab793 --- /dev/null +++ b/backport-CVE-2022-38178.patch @@ -0,0 +1,31 @@ +From 1af23378ebb11da2eb0f412e4563d6c4165fbd3d Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Thu, 11 Aug 2022 15:28:13 +1000 +Subject: [PATCH] Free ctx on invalid siglen + +(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825) +--- + lib/dns/openssleddsa_link.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c +index b5ab3b3d8a2..12fdf650eb6 100644 +--- a/lib/dns/openssleddsa_link.c ++++ b/lib/dns/openssleddsa_link.c +@@ -236,11 +236,11 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + } + #endif /* if HAVE_OPENSSL_ED448 */ + if (siglen == 0) { +- return (ISC_R_NOTIMPLEMENTED); ++ DST_RET(ISC_R_NOTIMPLEMENTED); + } + + if (sig->length != siglen) { +- return (DST_R_VERIFYFAILURE); ++ DST_RET(DST_R_VERIFYFAILURE); + } + + isc_buffer_usedregion(buf, &tbsreg); +-- +GitLab + diff --git a/bind.spec b/bind.spec index a2c8e42..f80e8ce 100644 --- a/bind.spec +++ b/bind.spec @@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 9 +Release: 11 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -81,6 +81,19 @@ Patch164:bind-9.11-rh1666814.patch Patch6000:backport-CVE-2022-0396.patch Patch6001:backport-CVE-2021-25220.patch +Patch6002:backport-CVE-2022-2795.patch +Patch6003:backport-CVE-2022-3080.patch +Patch6004:backport-CVE-2022-38177.patch +Patch6005:backport-CVE-2022-38178.patch +Patch6006:backport-CVE-2022-2906.patch +Patch6007:backport-CVE-2022-2881.patch +Patch6008:backport-0002-Fix-catalog-zone-reconfiguration-crash.patch +Patch6009:backport-0003-Improve-the-logging-on-failed-TCP-accept.patch +Patch6010:backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch +Patch6011:backport-0036-Check-if-key-metadata-is-modified-before-writing.patch +Patch6012:backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch +Patch6013:backport-0037-Require-valid-key-for-dst_key-functions.patch + Patch9000:bugfix-limit-numbers-of-test-threads.patch %{?systemd_ordering} @@ -379,6 +392,18 @@ in HTML and PDF format. %patch9000 -p1 %patch6000 -p1 %patch6001 -p1 +%patch6002 -p1 +%patch6003 -p1 +%patch6004 -p1 +%patch6005 -p1 +%patch6006 -p1 +%patch6007 -p1 +%patch6008 -p1 +%patch6009 -p1 +%patch6010 -p1 +%patch6011 -p1 +%patch6012 -p1 +%patch6013 -p1 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -1101,6 +1126,21 @@ fi; %endif %changelog +* Thu Sep 29 2022 huangyu - 32:9.16.23-11 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: Fix catalog zone reconfiguration crash +Improve the logging on failed TCP accept +Separate the locked parts of dns_zone_catz_enable-di +Check if key-metadata is modified before writing +Fix CID-352776 Concurrent data access violations +Require valid key for dst_key functions + +* Wed Sep 28 2022 huangyu - 32:9.16.23-10 +- DESC:fix CVE-2022-2881 CVE-2022-2906 CVE-2022-2795 CVE-2022-38177 CVE-2022-38178 +CVE-2022-3080 + * Wed Aug 31 2022 yangchenguang - 32:9.16.23-9 - DESC: fix downgrade bind-utils conflict bind-dnssec-doc -- Gitee