diff --git a/SOURCES/bind-9.11-rh1876492.patch b/SOURCES/bind-9.11-rh1876492.patch new file mode 100644 index 0000000..9b3d1cb --- /dev/null +++ b/SOURCES/bind-9.11-rh1876492.patch @@ -0,0 +1,226 @@ +commit 01cd077f55435ff34e0604e05cf0fbf898799697 +Author: Tomas Korbar +Date: Fri Sep 25 11:57:56 2020 +0200 + + Resolve "RPZ wildcard passthru ignored" + +diff --git a/bin/tests/system/rpzrecurse/ns1/example.com.db b/bin/tests/system/rpzrecurse/ns1/example.com.db +new file mode 100644 +index 0000000..5bbe973 +--- /dev/null ++++ b/bin/tests/system/rpzrecurse/ns1/example.com.db +@@ -0,0 +1,16 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 3600 ++@ IN SOA ns.example.com. root.example.com. 1 3600 3600 3600 3600 ++@ NS ns.example.com. ++ ++ns.example.com. A 10.53.0.1 ++@ A 1.2.3.4 ++www A 1.2.3.5 +diff --git a/bin/tests/system/rpzrecurse/ns1/named.conf.in b/bin/tests/system/rpzrecurse/ns1/named.conf.in +index e8105a2..d3ae39f 100644 +--- a/bin/tests/system/rpzrecurse/ns1/named.conf.in ++++ b/bin/tests/system/rpzrecurse/ns1/named.conf.in +@@ -65,3 +65,8 @@ zone "test2.example.net" { + type master; + file "test2.example.net.db"; + }; ++ ++zone "example.com" { ++ type master; ++ file "example.com.db"; ++}; +diff --git a/bin/tests/system/rpzrecurse/ns2/db.given b/bin/tests/system/rpzrecurse/ns2/db.given +new file mode 100644 +index 0000000..ba78588 +--- /dev/null ++++ b/bin/tests/system/rpzrecurse/ns2/db.given +@@ -0,0 +1,19 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$ORIGIN given.zone. ++$TTL 3600 ++@ IN SOA ns.given.zone. hostmaster.given.zone. 1 600 300 604800 3600 ++ IN NS ns.given.zone. ++ ++ns IN A 127.0.0.1 ++; this should be ignores as it matches earlier passthru entry. ++example.com CNAME . ++; this should be ignored as it matches earlier wildcard passthru entry. ++www.example.com CNAME . +diff --git a/bin/tests/system/rpzrecurse/ns2/db.passthru b/bin/tests/system/rpzrecurse/ns2/db.passthru +new file mode 100644 +index 0000000..4b0b834 +--- /dev/null ++++ b/bin/tests/system/rpzrecurse/ns2/db.passthru +@@ -0,0 +1,17 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$ORIGIN passthru.zone. ++$TTL 3600 ++@ IN SOA ns.passthru.zone. hostmaster.passthru.zone. 1 600 300 604800 3600 ++ IN NS ns.passthru.zone. ++ ++ns IN A 127.0.0.1 ++example.com CNAME rpz-passthru. ++*.example.com CNAME rpz-passthru. +diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf +new file mode 100644 +index 0000000..78915d6 +--- /dev/null ++++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf +@@ -0,0 +1,33 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++# common configuration ++include "named.conf.header"; ++ ++view "recursive" { ++ # policy configuration to be tested ++ response-policy { ++ zone "passthru.zone" policy passthru; ++ zone "given.zone" policy given; ++ }; ++ ++ # policy zones to be tested ++ zone "passthru.zone" { type master; file "db.passthru"; }; ++ zone "given.zone" { type master; file "db.given"; }; ++ ++ zone "." { ++ type hint; ++ file "root.hint"; ++ }; ++ ++ recursion yes; ++ dnssec-validation yes; ++}; +diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh +index 8a23955..5ab2431 100644 +--- a/bin/tests/system/rpzrecurse/tests.sh ++++ b/bin/tests/system/rpzrecurse/tests.sh +@@ -390,5 +390,19 @@ if test $p1 -le $p2; then ret=1; fi + if test $ret != 0; then echo_i "failed"; fi + status=`expr $status + $ret` + ++t=`expr $t + 1` ++echo_i "testing wildcard passthru before explicit drop (${t})" ++run_server wildcard4 ++$DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 ++grep "status: NOERROR" dig.out.${t}.1 > /dev/null || { ++ echo_i "test ${t} failed" ++ status=1 ++} ++$DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 ++grep "status: NOERROR" dig.out.${t}.2 > /dev/null || { ++ echo_i "test ${t} failed" ++ status=1 ++} ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/bin/tests/system/run.sh b/bin/tests/system/run.sh +index a0d8b6d..c528be7 100755 +--- a/bin/tests/system/run.sh ++++ b/bin/tests/system/run.sh +@@ -220,6 +220,8 @@ else + elif [ $sanitizer_summaries -ne 0 ]; then + echoinfo "I:$systest:Test claims success despite $sanitizer_summaries sanitizer reports(s)" + echofail "R:$systest:FAIL" ++ elif [ "$status" != 0 ]; then ++ echofail "R:$systest:FAIL" + else + echopass "R:$systest:PASS" + if $clean +diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c +index 3c235c3..b987499 100644 +--- a/lib/dns/rpz.c ++++ b/lib/dns/rpz.c +@@ -2326,7 +2326,40 @@ dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + + case DNS_R_PARTIALMATCH: + i = chain.level_matches; +- while (i >= 0 && (nmnode = chain.levels[i]) != NULL) { ++ nmnode = chain.levels[chain.level_matches]; ++ ++ /* Whenever an exact match is found by dns_rbt_findnode(), ++ * the highest level node in the chain will not be put into ++ * chain->levels[] array, but instead the chain->end ++ * pointer will be adjusted to point to that node. ++ * ++ * Suppose we have the following entries in a rpz zone: ++ * example.com CNAME rpz-passthru. ++ * *.example.com CNAME rpz-passthru. ++ * ++ * A query for www.example.com would result in the ++ * following chain object returned by dns_rbt_findnode(): ++ * chain->level_count = 2 ++ * chain->level_matches = 2 ++ * chain->levels[0] = . ++ * chain->levels[1] = example.com ++ * chain->levels[2] = NULL ++ * chain->end = www ++ * ++ * Since exact matches only care for testing rpz set bits, ++ * we need to test for rpz wild bits through iterating the ++ * nodechain, and that includes testing the rpz wild bits in the ++ * highest level node found. In the case of an exact match, ++ * chain->levels[chain->level_matches] will be NULL, to address ++ * that we must use chain->end as the start ++ * point, then iterate over the remaining levels in the chain. ++ */ ++ if (nmnode == NULL) { ++ --i; ++ nmnode = chain.end; ++ } ++ ++ while (nmnode != NULL) { + nm_data = nmnode->data; + if (nm_data != NULL) { + if (rpz_type == DNS_RPZ_TYPE_QNAME) { +@@ -2335,7 +2368,13 @@ dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + found_zbits |= nm_data->wild.ns; + } + } +- i--; ++ ++ if (i >= 0) { ++ nmnode = chain.levels[i]; ++ --i; ++ } else { ++ break; ++ } + } + break; + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 2597fe2..712120f 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -65,7 +65,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.20 -Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -163,6 +163,8 @@ Patch181:bind-9.11-CVE-2020-8623.patch # https://gitlab.isc.org/isc-projects/bind9/commit/8e919cf6e47c4f52612069ac0868f8caa5089e74 Patch182:bind-9.11-CVE-2020-8624.patch Patch183:bind-9.11-CVE-2020-8624-test.patch +# https://gitlab.isc.org/isc-projects/bind9/commit/33ae88f08dabea846aee3be3af8a515fd9774ee1 +Patch184:bind-9.11-rh1876492.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -526,6 +528,7 @@ are used for building ISC DHCP. %patch181 -p1 -b .CVE-2020-8623 %patch182 -p1 -b .CVE-2020-8624 %patch183 -p1 -b .CVE-2020-8624-test +%patch184 -p1 -b .rh1876492 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1534,6 +1537,9 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Fri Sep 25 2020 Tomas Korbar - 32:9.11.20-6 +- Do not ignore RPZ wildcard passthru (#1876492) + * Tue Aug 18 2020 Petr Menšík - 32:9.11.20-5 - Fix tsig-request verify (CVE-2020-8622) - Prevent PKCS11 daemon crash on crafted packet (CVE-2020-8623)