From bf5705e5fc08c26029ffb8cba24882a42d10c5f6 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 15 Sep 2015 09:21:04 +0000
Subject: [PATCH] import bind-9.9.4-18.el7_1.4

---
 /dev/null       |  449 --------------------------------------------------------
 SPECS/bind.spec |    7 
 2 files changed, 1 insertions(+), 455 deletions(-)

diff --git a/SOURCES/bind99-CVE-2015-5722.patch b/SOURCES/bind99-CVE-2015-5722.patch
deleted file mode 100644
index bb240ac..0000000
--- a/SOURCES/bind99-CVE-2015-5722.patch
+++ /dev/null
@@ -1,449 +0,0 @@
-diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
-index 7a56c79..3ac01a8 100644
---- a/lib/dns/hmac_link.c
-+++ b/lib/dns/hmac_link.c
-@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
- 	hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
- 	if (hmacmd5ctx == NULL)
- 		return (ISC_R_NOMEMORY);
--	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
-+	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
- 	dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
- 	return (ISC_R_SUCCESS);
- }
-@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
- 	else if (hkey1 == NULL || hkey2 == NULL)
- 		return (ISC_FALSE);
- 
--	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
-+	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
- 		return (ISC_TRUE);
- 	else
- 		return (ISC_FALSE);
-@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
- 	isc_buffer_t b;
- 	isc_result_t ret;
- 	unsigned int bytes;
--	unsigned char data[ISC_SHA1_BLOCK_LENGTH];
-+	unsigned char data[ISC_MD5_BLOCK_LENGTH];
- 
- 	UNUSED(callback);
- 
- 	bytes = (key->key_size + 7) / 8;
--	if (bytes > ISC_SHA1_BLOCK_LENGTH) {
--		bytes = ISC_SHA1_BLOCK_LENGTH;
--		key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
-+	if (bytes > ISC_MD5_BLOCK_LENGTH) {
-+		bytes = ISC_MD5_BLOCK_LENGTH;
-+		key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
- 	}
- 
--	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
-+	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
- 	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
- 
- 	if (ret != ISC_R_SUCCESS)
-@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
- 	isc_buffer_init(&b, data, bytes);
- 	isc_buffer_add(&b, bytes);
- 	ret = hmacmd5_fromdns(key, &b);
--	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
-+	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
- 
- 	return (ret);
- }
-@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 
- 	memset(hkey->key, 0, sizeof(hkey->key));
- 
--	if (r.length > ISC_SHA1_BLOCK_LENGTH) {
-+	if (r.length > ISC_MD5_BLOCK_LENGTH) {
- 		isc_md5_init(&md5ctx);
- 		isc_md5_update(&md5ctx, r.base, r.length);
- 		isc_md5_final(&md5ctx, hkey->key);
-@@ -237,6 +237,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 	key->key_size = keylen * 8;
- 	key->keydata.hmacmd5 = hkey;
- 
-+	isc_buffer_forward(data, r.length);
-+
- 	return (ISC_R_SUCCESS);
- }
- 
-@@ -518,6 +520,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 	key->key_size = keylen * 8;
- 	key->keydata.hmacsha1 = hkey;
- 
-+	isc_buffer_forward(data, r.length);
-+
- 	return (ISC_R_SUCCESS);
- }
- 
-@@ -804,6 +808,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 	key->key_size = keylen * 8;
- 	key->keydata.hmacsha224 = hkey;
- 
-+	isc_buffer_forward(data, r.length);
-+
- 	return (ISC_R_SUCCESS);
- }
- 
-@@ -1090,6 +1096,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 	key->key_size = keylen * 8;
- 	key->keydata.hmacsha256 = hkey;
- 
-+	isc_buffer_forward(data, r.length);
-+
- 	return (ISC_R_SUCCESS);
- }
- 
-@@ -1376,6 +1384,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 	key->key_size = keylen * 8;
- 	key->keydata.hmacsha384 = hkey;
- 
-+	isc_buffer_forward(data, r.length);
-+
- 	return (ISC_R_SUCCESS);
- }
- 
-@@ -1662,6 +1672,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 	key->key_size = keylen * 8;
- 	key->keydata.hmacsha512 = hkey;
- 
-+	isc_buffer_forward(data, r.length);
-+
- 	return (ISC_R_SUCCESS);
- }
- 
-diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
-index bdbd269..37853aa 100644
---- a/lib/dns/include/dst/dst.h
-+++ b/lib/dns/include/dst/dst.h
-@@ -69,6 +69,7 @@ typedef struct dst_context 	dst_context_t;
- #define DST_ALG_HMACSHA256	163	/* XXXMPA */
- #define DST_ALG_HMACSHA384	164	/* XXXMPA */
- #define DST_ALG_HMACSHA512	165	/* XXXMPA */
-+#define DST_ALG_INDIRECT	252
- #define DST_ALG_PRIVATE		254
- #define DST_ALG_EXPAND		255
- #define DST_MAX_ALGS		255
-diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
-index bcb3d05..3114954 100644
---- a/lib/dns/ncache.c
-+++ b/lib/dns/ncache.c
-@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
- 		dns_name_fromregion(&tname, &remaining);
- 		INSIST(remaining.length >= tname.length);
- 		isc_buffer_forward(&source, tname.length);
--		remaining.length -= tname.length;
--		remaining.base += tname.length;
-+		isc_region_consume(&remaining, tname.length);
- 
- 		INSIST(remaining.length >= 2);
- 		type = isc_buffer_getuint16(&source);
--		remaining.length -= 2;
--		remaining.base += 2;
-+		isc_region_consume(&remaining, 2);
- 
- 		if (type != dns_rdatatype_rrsig ||
- 		    !dns_name_equal(&tname, name)) {
-@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
- 		INSIST(remaining.length >= 1);
- 		trust = isc_buffer_getuint8(&source);
- 		INSIST(trust <= dns_trust_ultimate);
--		remaining.length -= 1;
--		remaining.base += 1;
-+		isc_region_consume(&remaining, 1);
- 
- 		raw = remaining.base;
- 		count = raw[0] * 256 + raw[1];
-diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
-index 55752da..f0cee8d 100644
---- a/lib/dns/openssldh_link.c
-+++ b/lib/dns/openssldh_link.c
-@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
- 
- static void
- uint16_toregion(isc_uint16_t val, isc_region_t *region) {
--	*region->base++ = (val & 0xff00) >> 8;
--	*region->base++ = (val & 0x00ff);
-+	*region->base = (val & 0xff00) >> 8;
-+	isc_region_consume(region, 1);
-+	*region->base = (val & 0x00ff);
-+	isc_region_consume(region, 1);
- }
- 
- static isc_uint16_t
-@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) {
- 	val = ((unsigned int)(cp[0])) << 8;
- 	val |= ((unsigned int)(cp[1]));
- 
--	region->base += 2;
-+	isc_region_consume(region, 2);
-+
- 	return (val);
- }
- 
-@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
- 	}
- 	else
- 		BN_bn2bin(dh->p, r.base);
--	r.base += plen;
-+	isc_region_consume(&r, plen);
- 
- 	uint16_toregion(glen, &r);
- 	if (glen > 0)
- 		BN_bn2bin(dh->g, r.base);
--	r.base += glen;
-+	isc_region_consume(&r, glen);
- 
- 	uint16_toregion(publen, &r);
- 	BN_bn2bin(dh->pub_key, r.base);
--	r.base += publen;
-+	isc_region_consume(&r, publen);
- 
- 	isc_buffer_add(data, dnslen);
- 
-@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 		return (DST_R_INVALIDPUBLICKEY);
- 	}
- 	if (plen == 1 || plen == 2) {
--		if (plen == 1)
--			special = *r.base++;
--		else
-+		if (plen == 1) {
-+			special = *r.base;
-+			isc_region_consume(&r, 1);
-+		} else {
- 			special = uint16_fromregion(&r);
-+		}
- 		switch (special) {
- 			case 1:
- 				dh->p = &bn768;
-@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 				DH_free(dh);
- 				return (DST_R_INVALIDPUBLICKEY);
- 		}
--	}
--	else {
-+	} else {
- 		dh->p = BN_bin2bn(r.base, plen, NULL);
--		r.base += plen;
-+		isc_region_consume(&r, plen);
- 	}
- 
- 	/*
-@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 				return (DST_R_INVALIDPUBLICKEY);
- 			}
- 		}
--	}
--	else {
-+	} else {
- 		if (glen == 0) {
- 			DH_free(dh);
- 			return (DST_R_INVALIDPUBLICKEY);
- 		}
- 		dh->g = BN_bin2bn(r.base, glen, NULL);
- 	}
--	r.base += glen;
-+	isc_region_consume(&r, glen);
- 
- 	if (r.length < 2) {
- 		DH_free(dh);
-@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 		return (DST_R_INVALIDPUBLICKEY);
- 	}
- 	dh->pub_key = BN_bin2bn(r.base, publen, NULL);
--	r.base += publen;
-+	isc_region_consume(&r, publen);
- 
- 	key->key_size = BN_num_bits(dh->p);
- 
-diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
-index fd6e91e..8e16557 100644
---- a/lib/dns/openssldsa_link.c
-+++ b/lib/dns/openssldsa_link.c
-@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- 	DSA *dsa = key->keydata.dsa;
- 	isc_region_t r;
- 	DSA_SIG *dsasig;
-+	unsigned int klen;
- #if USE_EVP
- 	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- 	EVP_PKEY *pkey;
-@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- 					       "DSA_do_sign",
- 					       DST_R_SIGNFAILURE));
- #endif
--	*r.base++ = (key->key_size - 512)/64;
-+
-+	klen = (key->key_size - 512)/64;
-+	if (klen > 255)
-+		return (ISC_R_FAILURE);
-+	*r.base = klen;
-+	isc_region_consume(&r, 1);
-+
- 	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
--	r.base += ISC_SHA1_DIGESTLENGTH;
-+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- 	BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
--	r.base += ISC_SHA1_DIGESTLENGTH;
-+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- 	DSA_SIG_free(dsasig);
- 	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
- 
-@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- 	if (r.length < (unsigned int) dnslen)
- 		return (ISC_R_NOSPACE);
- 
--	*r.base++ = t;
-+	*r.base = t;
-+	isc_region_consume(&r, 1);
- 	BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
--	r.base += ISC_SHA1_DIGESTLENGTH;
-+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- 	BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
--	r.base += p_bytes;
-+	isc_region_consume(&r, p_bytes);
- 	BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
--	r.base += p_bytes;
-+	isc_region_consume(&r, p_bytes);
- 	BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
--	r.base += p_bytes;
-+	isc_region_consume(&r, p_bytes);
- 
- 	isc_buffer_add(data, dnslen);
- 
-@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 		return (ISC_R_NOMEMORY);
- 	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
- 
--	t = (unsigned int) *r.base++;
-+	t = (unsigned int) *r.base;
-+	isc_region_consume(&r, 1);
- 	if (t > 8) {
- 		DSA_free(dsa);
- 		return (DST_R_INVALIDPUBLICKEY);
- 	}
- 	p_bytes = 64 + 8 * t;
- 
--	if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
-+	if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
- 		DSA_free(dsa);
- 		return (DST_R_INVALIDPUBLICKEY);
- 	}
- 
- 	dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
--	r.base += ISC_SHA1_DIGESTLENGTH;
-+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- 
- 	dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
--	r.base += p_bytes;
-+	isc_region_consume(&r, p_bytes);
- 
- 	dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
--	r.base += p_bytes;
-+	isc_region_consume(&r, p_bytes);
- 
- 	dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
--	r.base += p_bytes;
-+	isc_region_consume(&r, p_bytes);
- 
- 	key->key_size = p_bytes * 8;
- 
-diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
-index c64cc55..40c612b 100644
---- a/lib/dns/opensslecdsa_link.c
-+++ b/lib/dns/opensslecdsa_link.c
-@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- 					       "ECDSA_do_sign",
- 					       DST_R_SIGNFAILURE));
- 	BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
--	r.base += siglen / 2;
-+	isc_region_consume(&r, siglen / 2);
- 	BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
--	r.base += siglen / 2;
-+	isc_region_consume(&r, siglen / 2);
- 	ECDSA_SIG_free(ecdsasig);
- 	isc_buffer_add(sig, siglen);
- 	ret = ISC_R_SUCCESS;
-diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
-index 1edeb8d..53c6d4b 100644
---- a/lib/dns/opensslrsa_link.c
-+++ b/lib/dns/opensslrsa_link.c
-@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 	RSA *rsa;
- 	isc_region_t r;
- 	unsigned int e_bytes;
-+	unsigned int length;
- #if USE_EVP
- 	EVP_PKEY *pkey;
- #endif
-@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 	isc_buffer_remainingregion(data, &r);
- 	if (r.length == 0)
- 		return (ISC_R_SUCCESS);
-+	length = r.length;
- 
- 	rsa = RSA_new();
- 	if (rsa == NULL)
-@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 		RSA_free(rsa);
- 		return (DST_R_INVALIDPUBLICKEY);
- 	}
--	e_bytes = *r.base++;
--	r.length--;
-+	e_bytes = *r.base;
-+	isc_region_consume(&r, 1);
- 
- 	if (e_bytes == 0) {
- 		if (r.length < 2) {
- 			RSA_free(rsa);
- 			return (DST_R_INVALIDPUBLICKEY);
- 		}
--		e_bytes = ((*r.base++) << 8);
--		e_bytes += *r.base++;
--		r.length -= 2;
-+		e_bytes = (*r.base) << 8;
-+		isc_region_consume(&r, 1);
-+		e_bytes += *r.base;
-+		isc_region_consume(&r, 1);
- 	}
- 
- 	if (r.length < e_bytes) {
-@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- 		return (DST_R_INVALIDPUBLICKEY);
- 	}
- 	rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
--	r.base += e_bytes;
--	r.length -= e_bytes;
-+	isc_region_consume(&r, e_bytes);
- 
- 	rsa->n = BN_bin2bn(r.base, r.length, NULL);
- 
- 	key->key_size = BN_num_bits(rsa->n);
- 
--	isc_buffer_forward(data, r.length);
-+	isc_buffer_forward(data, length);
- 
- #if USE_EVP
- 	pkey = EVP_PKEY_new();
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 2004b0b..c7971b1 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -8959,6 +8959,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
- 
- 	REQUIRE(VALID_RESOLVER(resolver));
- 
-+	/*
-+	 * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
-+	 */
-+	if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
-+		return (ISC_FALSE);
-+
- #if USE_ALGLOCK
- 	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
- #endif
- 
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 7e8815b..20170e3 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -29,7 +29,7 @@
 Name:     bind
 License:  ISC
 Version:  9.9.4
-Release:  18%{?PATCHVER}%{?PREVER}%{?dist}.5
+Release:  18%{?PATCHVER}%{?PREVER}%{?dist}.4
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -102,7 +102,6 @@
 Patch150:bind99-CVE-2015-5477.patch
 Patch151:bind99-rh1215687-limits.patch
 Patch152:bind-99-socket-maxevents.patch
-Patch153:bind99-CVE-2015-5722.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -334,7 +333,6 @@
 %patch150 -p1 -b .CVE-2015-5477
 %patch151 -p1 -b .rh1215687-limits
 %patch152 -p1 -b .sock-maxevent
-%patch153 -p1 -b .CVE-2015-5722
 
 %if %{SDB}
 %patch101 -p1 -b .old-api
@@ -954,9 +952,6 @@
 %endif
 
 %changelog
-* Wed Sep 02 2015 Tomas Hozza <thozza@redhat.com> - 32:9.9.4-18.5
-- Fix CVE-2015-5722
-
 * Thu Aug 06 2015 Tomas Hozza <thozza@redhat.com> - 32:9.9.4-18.4
 - DNS resolution failure in high load environment with SERVFAIL and "out of memory/success" in the log (#1221180)
 - Increase ISC_SOCKET_MAXEVENTS to 2048 (#1250561)

--
Gitblit v1.8.0