diff --git a/backport-CVE-2024-11187.patch b/backport-CVE-2024-11187.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d4e926f7ef094ca12650abb23fae1673fe25ef04
--- /dev/null
+++ b/backport-CVE-2024-11187.patch
@@ -0,0 +1,268 @@
+From f59faf9d92acde0be9510e7d182fc1735b9f4a7e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Wed, 8 Jan 2025 16:46:48 +0100
+Subject: [PATCH 1/2] Isolate using the -T noaa flag only for part of the
+ resolver test
+
+Instead of running the whole resolver/ns4 server with -T noaa flag,
+use it only for the part where it is actually needed. The -T noaa
+could interfere with other parts of the test because the answers don't
+have the authoritative-answer bit set, and we could have false
+positives (or false negatives) in the test because the authoritative
+server doesn't follow the DNS protocol for all the tests in the resolver
+system test.
+
+(cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
+---
+ bin/tests/system/resolver/ns4/named.noaa | 5 -----
+ 1 file changed, 5 deletions(-)
+ delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
+
+diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
+deleted file mode 100644
+index 3b121ad9da7..00000000000
+--- a/bin/tests/system/resolver/ns4/named.noaa
++++ /dev/null
+@@ -1,5 +0,0 @@
+-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+-
+-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+-
+-Add -T noaa.
+--
+GitLab
+
+
+From 89b256efae2d7ed61690fc241a661194481c815d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Thu, 19 Dec 2024 16:40:52 +0100
+Subject: [PATCH 2/2] Limit the additional processing for large RDATA sets
+
+When answering queries, don't add data to the additional section if
+the answer has more than 13 names in the RDATA. This limits the
+number of lookups into the database(s) during a single client query,
+reducing query processing load.
+
+Also, don't append any additional data to type=ANY queries. The
+answer to ANY is already big enough.
+ +(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408) +--- + bin/named/query.c | 8 +++++--- + bin/tests/system/additional/tests.sh | 2 +- + bin/tests/system/resolver/tests.sh | 8 ++++++++ + lib/dns/include/dns/rdataset.h | 10 +++++++++- + lib/dns/rdataset.c | 8 +++++++- + lib/dns/resolver.c | 16 ++++++++++------ + 6 files changed, 40 insertions(+), 12 deletions(-) + +diff --git a/bin/named/query.c b/bin/named/query.c +index 897beb7313e..5cba4a22c6b 100644 +--- a/bin/named/query.c ++++ b/bin/named/query.c +@@ -1827,7 +1827,8 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { + */ + eresult = dns_rdataset_additionaldata(trdataset, + query_addadditional, +- client); ++ client, ++ DNS_RDATASET_MAXADDITIONAL); + } + + cleanup: +@@ -2422,7 +2423,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, + rdataset->rdclass); + rdataset->attributes |= DNS_RDATASETATTR_LOADORDER; + +- if (NOADDITIONAL(client)) ++ if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any) + return; + + /* +@@ -2433,7 +2434,8 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, + additionalctx.client = client; + additionalctx.rdataset = rdataset; + (void)dns_rdataset_additionaldata(rdataset, query_addadditional2, +- &additionalctx); ++ &additionalctx, ++ DNS_RDATASET_MAXADDITIONAL); + CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done"); + } + +diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh +index 6400723a557..a33cc8aed26 100644 +--- a/bin/tests/system/additional/tests.sh ++++ b/bin/tests/system/additional/tests.sh +@@ -261,7 +261,7 @@ n=`expr $n + 1` + echo_i "testing with 'minimal-any no;' ($n)" + ret=0 + $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1 +-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1 ++grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; 
status=`expr status + 1` + fi +diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh +index b3c9f2179c7..e727c887bf2 100755 +--- a/bin/tests/system/resolver/tests.sh ++++ b/bin/tests/system/resolver/tests.sh +@@ -281,6 +281,10 @@ done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + ++$PERL $SYSTEMTESTTOP/stop.pl resolver ns4 ++touch ns4/named.noaa ++$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1 ++ + n=`expr $n + 1` + echo_i "RT21594 regression test check setup ($n)" + ret=0 +@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + ++$PERL $SYSTEMTESTTOP/stop.pl resolver ns4 ++rm ns4/named.noaa ++$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1 ++ + n=`expr $n + 1` + echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)" + ret=0 +diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h +index ed9119a62d4..cd9b014205e 100644 +--- a/lib/dns/include/dns/rdataset.h ++++ b/lib/dns/include/dns/rdataset.h +@@ -53,6 +53,8 @@ + #include + #include + ++#define DNS_RDATASET_MAXADDITIONAL 13 ++ + ISC_LANG_BEGINDECLS + + typedef enum { +@@ -471,7 +473,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset, + + isc_result_t + dns_rdataset_additionaldata(dns_rdataset_t *rdataset, +- dns_additionaldatafunc_t add, void *arg); ++ dns_additionaldatafunc_t add, void *arg, ++ size_t limit); + /*%< + * For each rdata in rdataset, call 'add' for each name and type in the + * rdata which is subject to additional section processing. +@@ -490,10 +493,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset, + *\li If a call to dns_rdata_additionaldata() is not successful, the + * result returned will be the result of dns_rdataset_additionaldata(). 
+ * ++ *\li If 'limit' is non-zero and the number of the rdatasets is larger ++ * than 'limit', no additional data will be processed. ++ * + * Returns: + * + *\li #ISC_R_SUCCESS + * ++ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit' ++ * + *\li Any error that dns_rdata_additionaldata() can return. + */ + +diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c +index b42dea5cd37..75f07c9e579 100644 +--- a/lib/dns/rdataset.c ++++ b/lib/dns/rdataset.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + static const char *trustnames[] = { + "none", +@@ -607,7 +608,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, + + isc_result_t + dns_rdataset_additionaldata(dns_rdataset_t *rdataset, +- dns_additionaldatafunc_t add, void *arg) ++ dns_additionaldatafunc_t add, void *arg, ++ size_t limit) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_result_t result; +@@ -620,6 +622,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset, + REQUIRE(DNS_RDATASET_VALID(rdataset)); + REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0); + ++ if (limit != 0 && dns_rdataset_count(rdataset) > limit) { ++ return (DNS_R_TOOMANYRECORDS); ++ } ++ + result = dns_rdataset_first(rdataset); + if (result != ISC_R_SUCCESS) + return (result); +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index a4e4f4c6f6a..ed3d0b1b95f 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -6472,7 +6472,7 @@ chase_additional(fetchctx_t *fctx, dns_message_t *rmessage) { + rdataset->attributes &= ~DNS_RDATASETATTR_CHASE; + (void)dns_rdataset_additionaldata(rdataset, + check_related, +- &chkarg); ++ &chkarg, 0); + rescan = true; + } + } +@@ -7106,8 +7106,12 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message, + FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING); + chkarg.fctx = fctx; + chkarg.rmessage = message; ++ ++ /* ++ * Mark the glue records in the additional section to be cached. 
++ */ + (void)dns_rdataset_additionaldata(ns_rdataset, check_related, +- &chkarg); ++ &chkarg, 0); + #if CHECK_FOR_GLUE_IN_ANSWER + /* + * Look in the answer section for "glue" that is incorrectly +@@ -7123,7 +7127,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message, + chkarg.fcx = fctx; + chkarg.rmessage = message; + (void)dns_rdataset_additionaldata(ns_rdataset, +- check_answer, &chkarg); ++ check_answer, &chkarg, 0); + } + #endif + FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING); +@@ -7365,7 +7369,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) { + chkarg.rmessage = message; + (void)dns_rdataset_additionaldata(rdataset, + check_related, +- &chkarg); ++ &chkarg, 0); + } + } else if (aname != NULL) { + dns_chkarg_t chkarg; +@@ -7393,7 +7397,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) { + chkarg.fctx = fctx; + chkarg.rmessage = message; + (void)dns_rdataset_additionaldata(ardataset, check_related, +- &chkarg); ++ &chkarg, 0); + for (sigrdataset = ISC_LIST_HEAD(aname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { +@@ -7556,7 +7560,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) { + (void)dns_rdataset_additionaldata( + rdataset, + check_related, +- &chkarg); ++ &chkarg, 0); + done = true; + } + } +-- +GitLab + diff --git a/bind.spec b/bind.spec index 6426fdd971e4fc8c3640edaf5eba1db77c7c80a7..e698dba7753645c7e8dfaf8b5431e5f7ef55e682 100644 --- a/bind.spec +++ b/bind.spec @@ -19,7 +19,7 @@ Name: bind Summary: Domain Name System (DNS) Server (named) License: MPLv2.0 Version: 9.11.21 -Release: 19 +Release: 20 Epoch: 32 Url: http://www.isc.org/products/BIND/ Source0: https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz 
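Review bot: In the two bin/tests/system/resolver/tests.sh hunks of the backported patch, the `|| ret=1` on each added `start.pl --noclean --restart` line can never reach `status`, because the next test starts with `ret=0` before any further `status=` accumulation, so a failed restart of ns4 — the step that toggles the `-T noaa` behaviour by creating or removing `ns4/named.noaa` — is silently dropped and the following checks run against a server in an unknown state. Moving each stop/touch-or-rm/start block below the following test's `ret=0` line makes a restart failure count against that test; the second block (before the "negative cache no data" check) needs the same treatment. Separately, the new lib/dns/include/dns/rdataset.h comment says "the number of the rdatasets is larger than 'limit'" while the check in lib/dns/rdataset.c compares `dns_rdataset_count(rdataset)`, i.e. the number of rdata in the one rdataset; `*\li If 'limit' is non-zero and the number of rdata in the rdataset is larger` would describe the check accurately.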
@@ -250,6 +250,7 @@ Patch6073:backport-0001-CVE-2024-1737.patch Patch6074:backport-0002-CVE-2024-1737.patch Patch6075:backport-0003-CVE-2024-1737.patch Patch6076:backport-0004-CVE-2024-1737.patch +Patch6077:backport-CVE-2024-11187.patch %description Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name @@ -539,6 +540,7 @@ cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data %patch6074 -p1 %patch6075 -p1 %patch6076 -p1 +%patch6077 -p1 %patch199 -p1 @@ -1320,6 +1322,12 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Tue Apr 22 2025 Funda Wang - 32:9.11.21-20 +- Type:CVE +- CVE:CVE-2024-11187 +- SUG:NA +- DESC:fix CVE-2024-11187 + * Fri Aug 02 2024 chengyechun - 32:9.11.21-19 - Type:CVE - CVE:CVE-2024-1975,CVE-2024-1737