From 497f7665a26dfe26669e1f5f11edd47f556a0bbb Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 22 2018 08:17:17 +0000 Subject: import bind-9.9.4-51.el7_4.2 --- diff --git a/SOURCES/bind99-CVE-2017-3145.patch b/SOURCES/bind99-CVE-2017-3145.patch new file mode 100644 index 0000000..167f277 --- /dev/null +++ b/SOURCES/bind99-CVE-2017-3145.patch @@ -0,0 +1,124 @@ +From 4d73fed57703f561aefd545eda0f3f2c5e69a547 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 16 Jan 2018 09:50:45 +0100 +Subject: [PATCH] 4858. [security] Addresses could be referenced after + being freed in resolver.c, causing an assertion failure. + (CVE-2017-3145) [RT #46839] + +--- + lib/dns/resolver.c | 37 +++++++++++++++++++++++-------------- + 1 file changed, 23 insertions(+), 14 deletions(-) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 860a792..619646f 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -751,7 +751,7 @@ fctx_stoptimer(fetchctx_t *fctx) { + * cannot fail in that case. + */ + result = isc_timer_reset(fctx->timer, isc_timertype_inactive, +- NULL, NULL, ISC_TRUE); ++ NULL, NULL, ISC_TRUE); + if (result != ISC_R_SUCCESS) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "isc_timer_reset(): %s", +@@ -759,7 +759,6 @@ fctx_stoptimer(fetchctx_t *fctx) { + } + } + +- + static inline isc_result_t + fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) { + /* +@@ -992,7 +991,8 @@ fctx_cleanupfinds(fetchctx_t *fctx) { + + for (find = ISC_LIST_HEAD(fctx->finds); + find != NULL; +- find = next_find) { ++ find = next_find) ++ { + next_find = ISC_LIST_NEXT(find, publink); + ISC_LIST_UNLINK(fctx->finds, find, publink); + dns_adb_destroyfind(&find); +@@ -1008,7 +1008,8 @@ fctx_cleanupaltfinds(fetchctx_t *fctx) { + + for (find = ISC_LIST_HEAD(fctx->altfinds); + find != NULL; +- find = next_find) { ++ find = next_find) ++ { + next_find = ISC_LIST_NEXT(find, publink); + ISC_LIST_UNLINK(fctx->altfinds, find, publink); + dns_adb_destroyfind(&find); +@@ -1024,7 +1025,8 @@ fctx_cleanupforwaddrs(fetchctx_t *fctx) { + + for (addr = ISC_LIST_HEAD(fctx->forwaddrs); + addr != NULL; +- addr = next_addr) { ++ addr = next_addr) ++ { + next_addr = ISC_LIST_NEXT(addr, publink); + ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink); + dns_adb_freeaddrinfo(fctx->adb, &addr); +@@ -1039,7 +1041,8 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) { + + for (addr = ISC_LIST_HEAD(fctx->altaddrs); + addr != NULL; +- addr = next_addr) { ++ addr = next_addr) ++ { + next_addr = ISC_LIST_NEXT(addr, publink); + ISC_LIST_UNLINK(fctx->altaddrs, addr, publink); + dns_adb_freeaddrinfo(fctx->adb, &addr); +@@ -1047,14 +1050,18 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) { + } + + static inline void +-fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) { +- FCTXTRACE("stopeverything"); ++fctx_stopqueries(fetchctx_t *fctx, isc_boolean_t no_response) { ++ FCTXTRACE("stopqueries"); + fctx_cancelqueries(fctx, no_response); ++ fctx_stoptimer(fctx); ++} ++ ++static inline void ++fctx_cleanupall(fetchctx_t *fctx) { + fctx_cleanupfinds(fctx); + fctx_cleanupaltfinds(fctx); + fctx_cleanupforwaddrs(fctx); + fctx_cleanupaltaddrs(fctx); +- fctx_stoptimer(fctx); + } + + static inline void +@@ -1184,7 +1191,8 @@ fctx_done(fetchctx_t *fctx, isc_result_t result, int line) { + no_response = ISC_FALSE; + + fctx->reason = NULL; +- fctx_stopeverything(fctx, no_response); ++ ++ fctx_stopqueries(fctx, no_response); + + LOCK(&res->buckets[fctx->bucketnum].lock); + +@@ -3336,11 +3344,12 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) { + dns_resolver_cancelfetch(fctx->nsfetch); + + /* +- * Shut down anything that is still running on behalf of this +- * fetch. To avoid deadlock with the ADB, we must do this +- * before we lock the bucket lock. ++ * Shut down anything still running on behalf of this ++ * fetch, and clean up finds and addresses. To avoid deadlock ++ * with the ADB, we must do this before we lock the bucket lock. + */ +- fctx_stopeverything(fctx, ISC_FALSE); ++ fctx_stopqueries(fctx, ISC_FALSE); ++ fctx_cleanupall(fctx); + + LOCK(&res->buckets[bucketnum].lock); + +-- +2.14.3 + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 58bb869..a93cb66 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -25,7 +25,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.4 -Release: 51%{?PATCHVER}%{?PREVER}%{?dist}.1 +Release: 51%{?PATCHVER}%{?PREVER}%{?dist}.2 Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -144,7 +144,9 @@ Patch180:bind99-CVE-2017-3137.patch # commit 5e746ab61ed8158f784b86111fef95581a08b7dd ISC 3905 Patch181:bind99-rh1416304.patch # ISC 4643 -Patch182: bind99-CVE-2017-3142+3143.patch +Patch182:bind99-CVE-2017-3142+3143.patch +# ISC 4858 +Patch183:bind99-CVE-2017-3145.patch # Native PKCS#11 functionality from 9.10 Patch150:bind-9.9-allow_external_dnskey.patch @@ -445,6 +447,7 @@ tar -xf %{SOURCE48} -C bin/tests/system/geoip/data %patch180 -p1 -b .CVE-2017-3137 %patch181 -p1 -b .rh1416304 %patch182 -p1 -b .CVE-2017-3142+3143 +%patch183 -p1 -b .CVE-2017-3145 # Override upstream builtin keys cp -fp %{SOURCE29} bind.keys @@ -1131,6 +1134,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Wed Jan 17 2018 Petr Menšík - 32:9.9.4-51.2 +- Fix CVE-2017-3145 + * Fri Oct 20 2017 Petr Menšík - 32:9.9.4-51.1 - Fix named-chroot restart leak (#1504700)