rpms / bind

Clone
Source Code
GIT

Blame bind-9.11-CVE-2018-5738.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta c9s-sig-hyperscale
  1.   3159fb6a8e3b33377726cec98cbe9e34cb0e78b5
  2.   bind-9.11-CVE-2018-5738.patch
Blob History Raw
ac5057 
From 7983015dfa58be21526a01300b9e13a84278266a Mon Sep 17 00:00:00 2001
ac5057 
From: Evan Hunt <each@isc.org>
ac5057 
Date: Mon, 4 Jun 2018 21:55:41 -0700
ac5057 
Subject: [PATCH] allow-recursion could incorrectly inherit from the default
ac5057 
 allow-query
ac5057
ac5057 
---
ac5057 
 bin/named/server.c | 50 ++++++++++++++++++++++++++++++++++++--------------
ac5057 
 doc/arm/notes.xml  | 41 +++++------------------------------------
ac5057 
 2 files changed, 41 insertions(+), 50 deletions(-)
ac5057
ac5057 
diff --git a/bin/named/server.c b/bin/named/server.c
ac5057 
index 64a5180..41a1826 100644
ac5057 
--- a/bin/named/server.c
ac5057 
+++ b/bin/named/server.c
ac5057 
@@ -3376,10 +3376,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
ac5057 
 		dns_acache_setcachesize(view->acache, max_acache_size);
ac5057 
 	}
ac5057
ac5057 
-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
ac5057 
-				 "allow-query", NULL, actx,
ac5057 
-				 ns_g_mctx, &view->queryacl));
ac5057 
-
ac5057 
 	/*
ac5057 
 	 * Make the list of response policy zone names for a view that
ac5057 
 	 * is used for real lookups and so cares about hints.
ac5057 
@@ -4258,9 +4254,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
ac5057 
 	INSIST(result == ISC_R_SUCCESS);
ac5057 
 	view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
ac5057
ac5057 
-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
ac5057 
-				 "allow-query-cache-on", NULL, actx,
ac5057 
-				 ns_g_mctx, &view->cacheonacl));
ac5057 
 	/*
ac5057 
 	 * Set sources where additional data and CNAME/DNAME
ac5057 
 	 * targets for authoritative answers may be found.
ac5057 
@@ -4287,22 +4280,40 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
ac5057 
 		view->additionalfromcache = ISC_TRUE;
ac5057 
 	}
ac5057
ac5057 
+	CHECK(configure_view_acl(vconfig, config, ns_g_config,
ac5057 
+				 "allow-query-cache-on", NULL, actx,
ac5057 
+				 ns_g_mctx, &view->cacheonacl));
ac5057 
+
ac5057 
 	/*
ac5057 
-	 * Set "allow-query-cache", "allow-recursion", and
ac5057 
-	 * "allow-recursion-on" acls if configured in named.conf.
ac5057 
-	 * (Ignore the global defaults for now, because these ACLs
ac5057 
-	 * can inherit from each other when only some of them set at
ac5057 
-	 * the options/view level.)
ac5057 
+	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
ac5057 
+	 * and "allow-recursion-on" ACLs if configured in named.conf, but
ac5057 
+	 * NOT from the global defaults. This is done by leaving the third
ac5057 
+	 * argument to configure_view_acl() NULL.
ac5057 
+	 *
ac5057 
+	 * We ignore the global defaults here because these ACLs
ac5057 
+	 * can inherit from each other.  If any are still unset after
ac5057 
+	 * applying the inheritance rules, we'll look up the defaults at
ac5057 
+	 * that time.
ac5057 
 	 */
ac5057 
-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
ac5057 
-				 NULL, actx, ns_g_mctx, &view->cacheacl));
ac5057 
+
ac5057 
+	/* named.conf only */
ac5057 
+	CHECK(configure_view_acl(vconfig, config, NULL,
ac5057 
+				 "allow-query", NULL, actx,
ac5057 
+				 ns_g_mctx, &view->queryacl));
ac5057 
+
ac5057 
+	/* named.conf only */
ac5057 
+	CHECK(configure_view_acl(vconfig, config, NULL,
ac5057 
+				 "allow-query-cache", NULL, actx,
ac5057 
+				 ns_g_mctx, &view->cacheacl));
ac5057
ac5057 
 	if (strcmp(view->name, "_bind") != 0 &&
ac5057 
 	    view->rdclass != dns_rdataclass_chaos)
ac5057 
 	{
ac5057 
+		/* named.conf only */
ac5057 
 		CHECK(configure_view_acl(vconfig, config, NULL,
ac5057 
 					 "allow-recursion", NULL, actx,
ac5057 
 					 ns_g_mctx, &view->recursionacl));
ac5057 
+		/* named.conf only */
ac5057 
 		CHECK(configure_view_acl(vconfig, config, NULL,
ac5057 
 					 "allow-recursion-on", NULL, actx,
ac5057 
 					 ns_g_mctx, &view->recursiononacl));
ac5057 
@@ -4340,18 +4351,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
ac5057 
 		 * the global config.
ac5057 
 		 */
ac5057 
 		if (view->recursionacl == NULL) {
ac5057 
+			/* global default only */
ac5057 
 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
ac5057 
 						 "allow-recursion", NULL,
ac5057 
 						 actx, ns_g_mctx,
ac5057 
 						 &view->recursionacl));
ac5057 
 		}
ac5057 
 		if (view->recursiononacl == NULL) {
ac5057 
+			/* global default only */
ac5057 
 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
ac5057 
 						 "allow-recursion-on", NULL,
ac5057 
 						 actx, ns_g_mctx,
ac5057 
 						 &view->recursiononacl));
ac5057 
 		}
ac5057 
 		if (view->cacheacl == NULL) {
ac5057 
+			/* global default only */
ac5057 
 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
ac5057 
 						 "allow-query-cache", NULL,
ac5057 
 						 actx, ns_g_mctx,
ac5057 
@@ -4365,6 +4379,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
ac5057 
 		CHECK(dns_acl_none(mctx, &view->cacheacl));
ac5057 
 	}
ac5057
ac5057 
+	if (view->queryacl == NULL) {
ac5057 
+		/* global default only */
ac5057 
+		CHECK(configure_view_acl(NULL, NULL, ns_g_config,
ac5057 
+					 "allow-query", NULL,
ac5057 
+					 actx, ns_g_mctx,
ac5057 
+					 &view->queryacl));
ac5057 
+	}
ac5057 
+
ac5057 
 	/*
ac5057 
 	 * Ignore case when compressing responses to the specified
ac5057 
 	 * clients. This causes case not always to be preserved,
ac5057 
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
ac5057 
index ea9b61f..9a1832d 100644
ac5057 
--- a/doc/arm/notes.xml
ac5057 
+++ b/doc/arm/notes.xml
ac5057 
@@ -103,42 +103,11 @@
ac5057 
     <itemizedlist>
ac5057 
       <listitem>
ac5057 
 	<para>
ac5057 
-	  An error in TSIG handling could permit unauthorized zone
ac5057 
-	  transfers or zone updates. These flaws are disclosed in
ac5057 
-	  CVE-2017-3142 and CVE-2017-3143. [RT #45383]
ac5057 
-	</para>
ac5057 
-      </listitem>
ac5057 
-      <listitem>
ac5057 
-	<para>
ac5057 
-	  The BIND installer on Windows used an unquoted service path,
ac5057 
-	  which can enable privilege escalation. This flaw is disclosed
ac5057 
-	  in CVE-2017-3141. [RT #45229]
ac5057 
-	</para>
ac5057 
-      </listitem>
ac5057 
-      <listitem>
ac5057 
-	<para>
ac5057 
-	  With certain RPZ configurations, a response with TTL 0
ac5057 
-	  could cause <command>named</command> to go into an infinite
ac5057 
-	  query loop. This flaw is disclosed in CVE-2017-3140.
ac5057 
-	  [RT #45181]
ac5057 
-	</para>
ac5057 
-      </listitem>
ac5057 
-      <listitem>
ac5057 
-	<para>
ac5057 
-	  Addresses could be referenced after being freed during resolver
ac5057 
-	  processing, causing an assertion failure. The chances of this
ac5057 
-	  happening were remote, but the introduction of a delay in
ac5057 
-	  resolution increased them. This bug is disclosed in
ac5057 
-	  CVE-2017-3145. [RT #46839]
ac5057 
-	</para>
ac5057 
-      </listitem>
ac5057 
-      <listitem>
ac5057 
-	<para>
ac5057 
-	  update-policy rules that otherwise ignore the name field now
ac5057 
-	  require that it be set to "." to ensure that any type list
ac5057 
-	  present is properly interpreted.  If the name field was omitted
ac5057 
-	  from the rule declaration and a type list was present it wouldn't
ac5057 
-	  be interpreted as expected.
ac5057 
+	  When recursion is enabled but the <command>allow-recursion</command>
ac5057 
+	  and <command>allow-query-cache</command> ACLs are not specified, they
ac5057 
+	  should be limited to local networks, but they were inadvertently set
ac5057 
+	  to match the default <command>allow-query</command>, thus allowing
ac5057 
+	  remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
ac5057 
 	</para>
ac5057 
       </listitem>
ac5057 
     </itemizedlist>
ac5057 
--
ac5057 
2.14.4
ac5057

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation