From 81c2babe412b06cc41b4e803c148f1606304ea29 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 28 2023 08:28:00 +0000
Subject: import bind-9.11.36-8.el8
---
diff --git a/SOURCES/bind-9.11-CVE-2022-2795.patch b/SOURCES/bind-9.11-CVE-2022-2795.patch
new file mode 100644
index 0000000..2175637
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2022-2795.patch
@@ -0,0 +1,61 @@
+From 05cdbc1006cee6daaa29e5423976d56047d22461 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered. Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+(cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8)
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8ae9a993bb..ac9a9ef5d0 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -180,6 +180,12 @@
+ */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT 5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ bool need_alternate = false;
+ bool all_spilled = true;
+ unsigned int no_addresses = 0;
++ unsigned int ns_processed = 0;
+
+ FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
++
++ if (++ns_processed >= NS_PROCESSING_LIMIT) {
++ result = ISC_R_NOMORE;
++ break;
++ }
+ }
+ if (result != ISC_R_NOMORE) {
+ return (result);
+--
+2.37.3
+
diff --git a/SOURCES/bind-9.11-rh2101712.patch b/SOURCES/bind-9.11-rh2101712.patch
new file mode 100644
index 0000000..e519e97
--- /dev/null
+++ b/SOURCES/bind-9.11-rh2101712.patch
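Review bot: The new NS_PROCESSING_LIMIT cut-off in fctx_getaddresses is silent: reaching the 20th NS RR sets result to ISC_R_NOMORE and breaks, which is indistinguishable from a normally exhausted RRset, so an operator cannot tell from the logs that a delegation was only partially considered. A trace line before the `break`, using the same FCTXTRACE family that FCTXTRACE5 is already used with a few lines above (for example `FCTXTRACE("NS_PROCESSING_LIMIT reached, remaining NS RRs ignored");`), would make the truncation observable at debug level. The counter is only incremented at the bottom of the loop body, after `dns_rdata_freestruct(&ns)`; if any path earlier in the body advances to the next RR with `continue`, those RRs would not count towards the limit, and since the rest of the loop body is outside the hunk this is worth confirming against the full function. fctx_getaddresses starts and ends outside the hunk.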
@@ -0,0 +1,232 @@
+From fff2960981a3294ac641968a17558c8d7eecf74d Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Wed, 24 Aug 2022 12:21:50 +1000
+Subject: [PATCH] Have dns_zt_apply lock the zone table
+
+There where a number of places where the zone table should have
+been locked, but wasn't, when dns_zt_apply was called.
+
+Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
+all calls to using it. Removed locks in callers.
+
+Modified upstream commit for v9_11
+---
+ bin/named/server.c | 11 ++++++-----
+ bin/named/statschannel.c | 8 ++++----
+ lib/dns/include/dns/zt.h | 4 ++--
+ lib/dns/tests/zt_test.c | 3 ++-
+ lib/dns/view.c | 3 ++-
+ lib/dns/zt.c | 34 +++++++++++++++++++---------------
+ 6 files changed, 35 insertions(+), 28 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 9826588e6d..0b4b309461 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -8723,8 +8723,8 @@ load_configuration(const char *filename, ns_server_t *server,
+ strcmp(view->name, "_bind") != 0)
+ {
+ dns_view_setviewrevert(view);
+- (void)dns_zt_apply(view->zonetable, false,
+- removed, view);
++ (void)dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++ false, removed, view);
+ }
+ dns_view_detach(&view);
+ }
+@@ -10090,8 +10090,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
+ ISC_LIST_INIT(vle->zonelist);
+ ISC_LIST_APPEND(dctx->viewlist, vle, link);
+ if (dctx->dumpzones)
+- result = dns_zt_apply(view->zonetable, true,
+- add_zone_tolist, dctx);
++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++ true, add_zone_tolist, dctx);
+ return (result);
+ }
+
+@@ -11367,7 +11367,8 @@ ns_server_sync(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+- result = dns_zt_apply(view->zonetable, false,
++ result = dns_zt_apply(view->zonetable,
++ isc_rwlocktype_none, false,
+ synczone, &cleanup);
+ if (result != ISC_R_SUCCESS &&
+ tresult == ISC_R_SUCCESS)
+diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
+index 12ab048469..9828df0f4e 100644
+--- a/bin/named/statschannel.c
++++ b/bin/named/statschannel.c
+@@ -1833,8 +1833,8 @@ generatexml(ns_server_t *server, uint32_t flags,
+ if ((flags & STATS_XML_ZONES) != 0) {
+ TRY0(xmlTextWriterStartElement(writer,
+ ISC_XMLCHAR "zones"));
+- result = dns_zt_apply(view->zonetable, true,
+- zone_xmlrender, writer);
++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++ true, zone_xmlrender, writer);
+ if (result != ISC_R_SUCCESS)
+ goto error;
+ TRY0(xmlTextWriterEndElement(writer)); /* /zones */
+@@ -2489,8 +2489,8 @@ generatejson(ns_server_t *server, size_t *msglen,
+ CHECKMEM(za);
+
+ if ((flags & STATS_JSON_ZONES) != 0) {
+- result = dns_zt_apply(view->zonetable, true,
+- zone_jsonrender, za);
++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++ true, zone_jsonrender, za);
+ if (result != ISC_R_SUCCESS) {
+ goto error;
+ }
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index e658e5bb67..94212250da 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -177,11 +177,11 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze);
+ */
+
+ isc_result_t
+-dns_zt_apply(dns_zt_t *zt, bool stop,
++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
+ isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+
+ isc_result_t
+-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
++dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
+ isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+ /*%<
+ * Apply a given 'action' to all zone zones in the table.
+diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
+index 3f1e812d60..ee75303a50 100644
+--- a/lib/dns/tests/zt_test.c
++++ b/lib/dns/tests/zt_test.c
+@@ -145,7 +145,8 @@ apply(void **state) {
+ assert_non_null(view->zonetable);
+
+ assert_int_equal(nzones, 0);
+- result = dns_zt_apply(view->zonetable, false, count_zone, &nzones);
++ result = dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
++ count_zone, &nzones);
+ assert_int_equal(result, ISC_R_SUCCESS);
+ assert_int_equal(nzones, 1);
+
+diff --git a/lib/dns/view.c b/lib/dns/view.c
+index f01b4dea0f..bd1ced2863 100644
+--- a/lib/dns/view.c
++++ b/lib/dns/view.c
+@@ -676,7 +676,8 @@ dns_view_dialup(dns_view_t *view) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(view->zonetable != NULL);
+
+- (void)dns_zt_apply(view->zonetable, false, dialup, NULL);
++ (void)dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
++ dialup, NULL);
+ }
+
+ void
+diff --git a/lib/dns/zt.c b/lib/dns/zt.c
+index 3f12e247e0..af65740325 100644
+--- a/lib/dns/zt.c
++++ b/lib/dns/zt.c
+@@ -202,7 +202,8 @@ flush(dns_zone_t *zone, void *uap) {
+ static void
+ zt_destroy(dns_zt_t *zt) {
+ if (zt->flush) {
+- (void)dns_zt_apply(zt, false, flush, NULL);
++ (void)dns_zt_apply(zt, isc_rwlocktype_none,
++ false, flush, NULL);
+ }
+ isc_refcount_destroy(&zt->references);
+ dns_rbt_destroy(&zt->table);
+@@ -249,9 +250,7 @@ dns_zt_load(dns_zt_t *zt, bool stop) {
+
+ REQUIRE(VALID_ZT(zt));
+
+- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+- result = dns_zt_apply(zt, stop, load, NULL);
+- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++ result = dns_zt_apply2(zt, isc_rwlocktype_read, stop, NULL, load, NULL);
+ return (result);
+ }
+
+@@ -293,7 +292,7 @@ dns_zt_asyncload2(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg,
+ * Prevent loads_pending going to zero while kicking off the loads.
+ */
+ zt->loads_pending++;
+- result = dns_zt_apply2(zt, false, NULL, asyncload, ¶ms);
++ result = dns_zt_apply2(zt, isc_rwlocktype_none, false, NULL, asyncload, ¶ms);
+ pending = --zt->loads_pending;
+ if (pending != 0) {
+ zt->loaddone = alldone;
+@@ -342,9 +341,7 @@ dns_zt_loadnew(dns_zt_t *zt, bool stop) {
+
+ REQUIRE(VALID_ZT(zt));
+
+- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+- result = dns_zt_apply(zt, stop, loadnew, NULL);
+- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++ result = dns_zt_apply(zt, isc_rwlocktype_read, stop, loadnew, NULL);
+ return (result);
+ }
+
+@@ -366,9 +363,7 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze) {
+
+ REQUIRE(VALID_ZT(zt));
+
+- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+- result = dns_zt_apply2(zt, false, &tresult, freezezones, &freeze);
+- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++ result = dns_zt_apply2(zt, isc_rwlocktype_read, false, &tresult, freezezones, &freeze);
+ if (tresult == ISC_R_NOTFOUND)
+ tresult = ISC_R_SUCCESS;
+ return ((result == ISC_R_SUCCESS) ? tresult : result);
+@@ -490,14 +485,14 @@ dns_zt_setviewrevert(dns_zt_t *zt) {
+ }
+
+ isc_result_t
+-dns_zt_apply(dns_zt_t *zt, bool stop,
++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
+ isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+ {
+- return (dns_zt_apply2(zt, stop, NULL, action, uap));
++ return (dns_zt_apply2(zt, lock, stop, NULL, action, uap));
+ }
+
+ isc_result_t
+-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
++dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
+ isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+ {
+ dns_rbtnode_t *node;
+@@ -508,6 +503,10 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
+ REQUIRE(VALID_ZT(zt));
+ REQUIRE(action != NULL);
+
++ if (lock != isc_rwlocktype_none) {
++ RWLOCK(&zt->rwlock, lock);
++ }
++
+ dns_rbtnodechain_init(&chain, zt->mctx);
+ result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+ if (result == ISC_R_NOTFOUND) {
+@@ -538,8 +537,13 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
+
+ cleanup:
+ dns_rbtnodechain_invalidate(&chain);
+- if (sub != NULL)
++ if (sub != NULL) {
+ *sub = tresult;
++ }
++
++ if (lock != isc_rwlocktype_none) {
++ RWUNLOCK(&zt->rwlock, lock);
++ }
+
+ return (result);
+ }
+--
+2.37.2
+
diff --git a/SOURCES/bind-9.11-rh2133889.patch b/SOURCES/bind-9.11-rh2133889.patch
new file mode 100644
index 0000000..c61d902
--- /dev/null
+++ b/SOURCES/bind-9.11-rh2133889.patch
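Review bot: In dns_zt_apply2 the zone table lock taken right after the REQUIRE checks is released only at the `cleanup` label, so the pairing depends on every exit from the traversal loop reaching `cleanup` rather than returning directly; the loop body lies outside the hunk, so this should be confirmed against the full function, and a comment at the lock site such as `/* Held until cleanup: no early return below this point. */` would make the invariant visible to the next editor. The callers that now pass isc_rwlocktype_none (zt_destroy, dns_zt_asyncload2 and ns_server_sync in bin/named/server.c) carry no comment saying why the table needs no lock there; zt_destroy is presumably safe because the last reference is gone and dns_zt_asyncload2 may already hold the lock in code outside the hunk, but ns_server_sync is the only server.c call site not taking the read lock and deserves a one-line justification. The visible part of the zt.h doc comment ("Apply a given 'action' to all zone zones in the table.") does not mention the new parameter; suggest adding `'lock' is the zt->rwlock mode to hold while 'action' runs; isc_rwlocktype_none leaves locking to the caller`. The rewritten dns_zt_apply2 prototype in zt.h also exceeds the 80-column width kept by the surrounding declarations.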
@@ -0,0 +1,26 @@
+From c8f5b31f0637315c1c45d0287f05fcad2250f40f Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Thu, 13 Oct 2022 15:35:46 +0200
+Subject: [PATCH] Add include to rwlocktype_t to dns/zt.h
+
+It got broken as part of bug #2101712 fix. Introduced new definition,
+which passes during bind build, but breaks bind-dyndb-ldap build.
+---
+ lib/dns/include/dns/zt.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index 9421225..64c24d6 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -18,6 +18,7 @@
+ #include
+
+ #include
++#include
+
+ #include
+
+--
+2.37.3
+
diff --git a/SOURCES/bind-9.16-CVE-2022-38177.patch b/SOURCES/bind-9.16-CVE-2022-38177.patch
new file mode 100644
index 0000000..d40ea61
--- /dev/null
+++ b/SOURCES/bind-9.16-CVE-2022-38177.patch
@@ -0,0 +1,27 @@
+From 0095b8a6b09173ab5eb48611dc0233d2a6337dc1 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Tue, 20 Sep 2022 11:21:45 +0200
+Subject: [PATCH] Fix CVE-2022-38177
+
+5961. [security] Fix memory leak in ECDSA verify processing.
+ (CVE-2022-38177) [GL #3487]
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 83b5b51..7576e04 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ siglen = DNS_SIG_ECDSA384SIZE;
+
+ if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+
+ if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ DST_RET (dst__openssl_toresult3(dctx->category,
+--
+2.37.3
+
diff --git a/SOURCES/bind-9.16-CVE-2022-38178.patch b/SOURCES/bind-9.16-CVE-2022-38178.patch
new file mode 100644
index 0000000..eb45109
--- /dev/null
+++ b/SOURCES/bind-9.16-CVE-2022-38178.patch
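Review bot: The corrected early exit in opensslecdsa_verify now goes through DST_RET, so the fix is only complete if the cleanup label DST_RET jumps to releases every object acquired before the signature-length check; both that label and the earlier allocations lie outside the hunk, and the commit message names only a "memory leak in ECDSA verify processing", so it is worth checking against the full function that nothing acquired before this point is still skipped. The same one-line change is made to openssleddsa_verify in the CVE-2022-38178 patch below and the same check applies there. Because the affected path is taken whenever sig->length differs from siglen, a unit test that calls verify with a wrong-length signature under a leak checker (ASan/LSan or valgrind) would pin both fixes and catch any regression. The two patch files are named bind-9.16-* although they are applied to the 9.11.36 tree; a bind-9.11-* name would be consistent with the other patches listed in SPECS/bind.spec. opensslecdsa_verify starts and ends outside the hunk.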
@@ -0,0 +1,27 @@
+From bb68864bf05d29df644427ec841bc3db6a336519 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Tue, 20 Sep 2022 11:22:47 +0200
+Subject: [PATCH] Fix CVE-2022-38178
+
+5962. [security] Fix memory leak in EdDSA verify processing.
+ (CVE-2022-38178) [GL #3487]
+---
+ lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 8b115ec..4f3c2a8 100644
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ siglen = DNS_SIG_ED448SIZE;
+
+ if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+
+ isc_buffer_usedregion(buf, &tbsreg);
+
+--
+2.37.3
+
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 2c9acdc..8745dbb 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.11.36
-Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 8%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@@ -160,6 +160,13 @@ Patch183:bind-9.11-rh1980757.patch
Patch184: bind-9.15-resolver-ntasks.patch
Patch185: bind-9.11-CVE-2021-25220.patch
Patch186: bind-9.11-CVE-2021-25220-test.patch
+Patch188: bind-9.16-CVE-2022-38177.patch
+Patch189: bind-9.16-CVE-2022-38178.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695
+Patch190: bind-9.11-rh2101712.patch
+Patch191: bind-9.11-CVE-2022-2795.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7376
+Patch192: bind-9.11-rh2133889.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -557,6 +564,11 @@ are used for building ISC DHCP.
%patch184 -p1 -b .rh2030239
%patch185 -p1 -b .CVE-2021-25220
%patch186 -p1 -b .CVE-2021-25220-test
+%patch188 -p1 -b .CVE-2022-38177
+%patch189 -p1 -b .CVE-2022-38178
+%patch190 -p1 -b .rh2101712
+%patch191 -p1 -b .CVE-2022-2795
+%patch192 -p1 -b .rh2133889
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1609,6 +1621,20 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
+* Thu Oct 13 2022 Petr Menšík - 32:9.11.36-8
+- Correct regression preventing bind-dyndb-ldap build (#2133889)
+
+* Thu Sep 29 2022 Petr Menšík - 32:9.11.36-7
+- Prevent excessive resource use while processing large delegations.
+ (CVE-2022-2795)
+
+* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-6
+- Prevent freeing zone during statistics rendering (#2101712)
+
+* Thu Sep 22 2022 Petr Menšík - 32:9.11.36-5
+- Fix memory leak in ECDSA verify processing (CVE-2022-38177)
+- Fix memory leak in EdDSA verify processing (CVE-2022-38178)
+
* Wed Apr 13 2022 Petr Menšík - 32:9.11.36-4
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders