From f51a71dea868cdc68d5fc0b1664def05b0722759 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 27 2018 14:11:56 +0000 Subject: import bind-9.9.4-61.el7_5.1 --- diff --git a/SOURCES/bind99-CVE-2018-5740.patch b/SOURCES/bind99-CVE-2018-5740.patch new file mode 100644 index 0000000..90e858a --- /dev/null +++ b/SOURCES/bind99-CVE-2018-5740.patch @@ -0,0 +1,53 @@ +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 252a02f..bfffb8a 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -5957,6 +5957,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, + unsigned int nlabels; + dns_fixedname_t fixed; + dns_name_t prefix; ++ int order; + + REQUIRE(rdataset != NULL); + REQUIRE(rdataset->type == dns_rdatatype_cname || +@@ -5979,18 +5980,26 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, + tname = &cname.cname; + break; + case dns_rdatatype_dname: ++ if (dns_name_fullcompare(qname, rname, &order, &nlabels) != ++ dns_namereln_subdomain) ++ { ++ return (ISC_TRUE); ++ } + result = dns_rdata_tostruct(&rdata, &dname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_name_init(&prefix, NULL); + dns_fixedname_init(&fixed); + tname = dns_fixedname_name(&fixed); +- nlabels = dns_name_countlabels(qname) - +- dns_name_countlabels(rname); ++ nlabels = dns_name_countlabels(rname); + dns_name_split(qname, nlabels, &prefix, NULL); + result = dns_name_concatenate(&prefix, &dname.dname, tname, + NULL); +- if (result == DNS_R_NAMETOOLONG) ++ if (result == DNS_R_NAMETOOLONG) { ++ if (chainingp != NULL) { ++ *chainingp = ISC_TRUE; ++ } + return (ISC_TRUE); ++ } + RUNTIME_CHECK(result == ISC_R_SUCCESS); + break; + default: +@@ -6719,7 +6728,9 @@ answer_response(fetchctx_t *fctx) { + } + if ((ardataset->type == dns_rdatatype_cname || + ardataset->type == dns_rdatatype_dname) && +- !is_answertarget_allowed(fctx, qname, aname, ardataset, ++ type != ardataset->type && ++ type != dns_rdatatype_any && ++ !is_answertarget_allowed(fctx, qname, aname, ardataset, + NULL)) + { + return (DNS_R_SERVFAIL); diff --git a/SPECS/bind.spec b/SPECS/bind.spec index d7988d4..7a2eda2 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -25,7 +25,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.4 -Release: 61%{?PATCHVER}%{?PREVER}%{?dist} +Release: 61%{?PATCHVER}%{?PREVER}%{?dist}.1 Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -161,6 +161,7 @@ Patch188: bind99-rh1464850-2.patch Patch189: bind99-rh1501531.patch # ISC 4858 Patch190: bind99-CVE-2017-3145.patch +Patch191: bind99-CVE-2018-5740.patch # Native PKCS#11 functionality from 9.10 Patch150:bind-9.9-allow_external_dnskey.patch @@ -467,6 +468,7 @@ tar -xf %{SOURCE48} -C bin/tests/system/geoip/data %patch188 -p1 -b .rh1464850 %patch189 -p1 -b .rh1501531 %patch190 -p1 -b .CVE-2017-3145 +%patch191 -p1 -b .CVE-2018-5740 # Override upstream builtin keys cp -fp %{SOURCE29} bind.keys @@ -1155,6 +1157,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Thu Aug 09 2018 Petr Menšík - 32:9.9.4-61.1 +- Fix CVE-2018-5740 + * Tue Jan 16 2018 Petr Menšík - 32:9.9.4-61 - Fix CVE-2017-3145