diff --git a/SOURCES/bind-9.11-CVE-2020-8616-test.patch b/SOURCES/bind-9.11-CVE-2020-8616-test.patch
new file mode 100644
index 0000000..a1d2823
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2020-8616-test.patch
@@ -0,0 +1,292 @@ +From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001 +From: Stephen Morris +Date: Thu, 5 Mar 2020 18:46:46 +0000 +Subject: [PATCH] Add test for reduction in number of fetches + +Add a system test that counts how many address fetches are made +for different numbers of NS records and checks that the number +are successfully limited. + +(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2) +--- + bin/tests/system/resolver/clean.sh | 4 +- + bin/tests/system/resolver/ns4/named.conf.in | 5 ++ + bin/tests/system/resolver/ns4/root.db | 4 + + bin/tests/system/resolver/ns4/sourcens.db | 89 +++++++++++++++++++++ + bin/tests/system/resolver/ns5/named.conf.in | 9 ++- + bin/tests/system/resolver/ns6/named.conf.in | 15 ++++ + bin/tests/system/resolver/ns6/targetns.db | 23 ++++++ + bin/tests/system/resolver/tests.sh | 34 ++++++++ + 8 files changed, 180 insertions(+), 3 deletions(-) + create mode 100644 bin/tests/system/resolver/ns4/sourcens.db + create mode 100644 bin/tests/system/resolver/ns6/targetns.db + +diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh +index 4dfde1f3e7..b3e4bc0b5d 100644 +--- a/bin/tests/system/resolver/clean.sh ++++ b/bin/tests/system/resolver/clean.sh +@@ -17,8 +17,7 @@ rm -f */named.memstats + rm -f */named.run + rm -f */ans.run + rm -f */*.jdb +-rm -f dig.out dig.out.* +-rm -f dig.*.out.* ++rm -f dig.out dig.out.* dig.*.out.* + rm -f dig.*.foo.* + rm -f dig.*.bar.* + rm -f dig.*.prime.* +@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db + rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db + rm -f ns6/dsset-ds.example.net* + rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl ++rm -f ns6/named.stats* + rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl + rm -f ns7/server.db ns7/server.db.jnl + rm -f resolve.out.*.test* +diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in +index 
c679dc3151..56fe5d0dd8 100644 +--- a/bin/tests/system/resolver/ns4/named.conf.in ++++ b/bin/tests/system/resolver/ns4/named.conf.in +@@ -50,6 +50,11 @@ zone "broken" { + file "broken.db"; + }; + ++zone "sourcens" { ++ type master; ++ file "sourcens.db"; ++}; ++ + key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db +index 721765d1be..ae541340da 100644 +--- a/bin/tests/system/resolver/ns4/root.db ++++ b/bin/tests/system/resolver/ns4/root.db +@@ -24,3 +24,7 @@ example.net. NS ns.example.net. + ns.example.net. A 10.53.0.6 + no-questions. NS ns.no-questions. + ns.no-questions. A 10.53.0.8 ++sourcens. NS ns.sourcens. ++ns.sourcens. A 10.53.0.4 ++targetns. NS ns.targetns. ++ns.targetns. A 10.53.0.6 +diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db +new file mode 100644 +index 0000000000..b02cc6e835 +--- /dev/null ++++ b/bin/tests/system/resolver/ns4/sourcens.db +@@ -0,0 +1,89 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++; This zone contains a set of delegations with varying numbers of NS ++; records. This is used to check that BIND is limiting the number of ++; NS records it follows when resolving a delegation. It tests all ++; numbers of NS records up to twice the number followed. ++ ++$TTL 60 ++@ IN SOA marka.isc.org. ns.server. ( ++ 2010 ; serial ++ 600 ; refresh ++ 600 ; retry ++ 1200 ; expire ++ 600 ; minimum ++ ) ++@ NS ns ++ns A 10.53.0.4 ++ ++target1 NS ns.fake11.targetns. ++ ++target2 NS ns.fake21.targetns. ++ NS ns.fake22.targetns. 
++ ++target3 NS ns.fake31.targetns. ++ NS ns.fake32.targetns. ++ NS ns.fake33.targetns. ++ ++target4 NS ns.fake41.targetns. ++ NS ns.fake42.targetns. ++ NS ns.fake43.targetns. ++ NS ns.fake44.targetns. ++ ++target5 NS ns.fake51.targetns. ++ NS ns.fake52.targetns. ++ NS ns.fake53.targetns. ++ NS ns.fake54.targetns. ++ NS ns.fake55.targetns. ++ ++target6 NS ns.fake61.targetns. ++ NS ns.fake62.targetns. ++ NS ns.fake63.targetns. ++ NS ns.fake64.targetns. ++ NS ns.fake65.targetns. ++ NS ns.fake66.targetns. ++ ++target7 NS ns.fake71.targetns. ++ NS ns.fake72.targetns. ++ NS ns.fake73.targetns. ++ NS ns.fake74.targetns. ++ NS ns.fake75.targetns. ++ NS ns.fake76.targetns. ++ NS ns.fake77.targetns. ++ ++target8 NS ns.fake81.targetns. ++ NS ns.fake82.targetns. ++ NS ns.fake83.targetns. ++ NS ns.fake84.targetns. ++ NS ns.fake85.targetns. ++ NS ns.fake86.targetns. ++ NS ns.fake87.targetns. ++ NS ns.fake88.targetns. ++ ++target9 NS ns.fake91.targetns. ++ NS ns.fake92.targetns. ++ NS ns.fake93.targetns. ++ NS ns.fake94.targetns. ++ NS ns.fake95.targetns. ++ NS ns.fake96.targetns. ++ NS ns.fake97.targetns. ++ NS ns.fake98.targetns. ++ NS ns.fake99.targetns. ++ ++target10 NS ns.fake101.targetns. ++ NS ns.fake102.targetns. ++ NS ns.fake103.targetns. ++ NS ns.fake104.targetns. ++ NS ns.fake105.targetns. ++ NS ns.fake106.targetns. ++ NS ns.fake107.targetns. ++ NS ns.fake108.targetns. ++ NS ns.fake109.targetns. ++ NS ns.fake1010.targetns. 
+diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in +index 07205c9938..90818e4556 100644 +--- a/bin/tests/system/resolver/ns5/named.conf.in ++++ b/bin/tests/system/resolver/ns5/named.conf.in +@@ -46,4 +46,11 @@ zone "delegation-only" { + type delegation-only; + }; + +-include "trusted.conf"; ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; +diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in +index 7df48558b8..4b01f9ba14 100644 +--- a/bin/tests/system/resolver/ns6/named.conf.in ++++ b/bin/tests/system/resolver/ns6/named.conf.in +@@ -22,6 +22,7 @@ options { + recursion no; + // minimal-responses yes; + querylog yes; ++ statistics-file "named.stats"; + /* + * test that named loads with root-delegation-only that + * has a exclude list. +@@ -67,3 +68,17 @@ zone "delegation-only" { + type master; + file "delegation-only.db"; + }; ++ ++zone "targetns" { ++ type master; ++ file "targetns.db"; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; +diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db +new file mode 100644 +index 0000000000..036e64580b +--- /dev/null ++++ b/bin/tests/system/resolver/ns6/targetns.db +@@ -0,0 +1,23 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. 
++ ++; In the test for checking how many NS records BIND will follow, this ++; zone marks the server as the one to which the NS lookups will be ++; directed. ++ ++$TTL 300 ++@ IN SOA marka.isc.org. ns.server. ( ++ 2010 ; serial ++ 600 ; refresh ++ 600 ; retry ++ 1200 ; expire ++ 600 ; minimum ++ ) ++ NS ns ++ns A 10.53.0.6 +diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh +index 12d2819e30..178ba4d79b 100755 +--- a/bin/tests/system/resolver/tests.sh ++++ b/bin/tests/system/resolver/tests.sh +@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then + status=`expr $status + $ret` + fi + ++n=`expr $n + 1` ++echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)" ++# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS ++# records pointing to non-existent nameservers in the targetns zone on ns6. ++ret=0 ++$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test ++for nscount in 1 2 3 4 5 6 7 8 9 10 ++do ++ # Verify number of NS records at source server ++ $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n} ++ sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l` ++ test $sourcerecs -eq $nscount || ret=1 ++ test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens" ++ # Expected queries = 2 * number of NS records, up to a maximum of 10. 
++ expected=`expr 2 \* $nscount` ++ if [ $expected -gt 10 ]; then expected=10; fi ++ # Work out the queries made by checking statistics on the target before and after the test ++ $RNDCCMD 10.53.0.6 stats || ret=1 ++ initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats` ++ mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n} ++ $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1 ++ $RNDCCMD 10.53.0.6 stats || ret=1 ++ final_count=`awk '/responses sent/ {print $1}' ns6/named.stats` ++ mv ns6/named.stats ns6/named.stats.final.${nscount}.${n} ++ # Check number of queries during the test is as expected ++ actual=`expr $final_count - $initial_count` ++ if [ $actual -ne $expected ]; then ++ echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual" ++ ret=1 ++ fi ++done ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ + n=`expr $n + 1` + echo_i "RT21594 regression test check setup ($n)" + ret=0 +-- +2.21.1 + diff --git a/SOURCES/bind-9.11-CVE-2020-8617-test.patch b/SOURCES/bind-9.11-CVE-2020-8617-test.patch new file mode 100644 index 0000000..1d81c73 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2020-8617-test.patch 
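Review bot: Dropping `include "trusted.conf";` from ns5/named.conf.in (the ns5 hunk embedded in this patch) leaves the resolver under test without its trusted-keys include, and nothing in the embedded commit message or diffstat explains that beyond the single deleted line. The new NS-count test does not appear to need validation on ns5, but if any other case in resolver/tests.sh relies on ns5 validating it will now behave differently, so it is worth confirming the removal is intentional before carrying the patch, or placing the key/controls block after the include rather than in its place. The new comment in tests.sh also misspells the role of ns5; `# ns5 is the recursor being tested.` is the intended wording.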
@@ -0,0 +1,78 @@ +From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 25 Mar 2020 17:44:51 +1100 +Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a + request + +(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1) +--- + bin/tests/system/tsig/badtime | 37 ++++++++++++++++++++++++++++++++++ + bin/tests/system/tsig/tests.sh | 9 +++++++++ + 2 files changed, 46 insertions(+) + create mode 100644 bin/tests/system/tsig/badtime + +diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime +new file mode 100644 +index 0000000000..7926404cfb +--- /dev/null ++++ b/bin/tests/system/tsig/badtime +@@ -0,0 +1,37 @@ ++# Transaction ID ++1122 ++# Standard query ++0000 ++# Questions: 1, Additional: 1 ++0001 0000 0000 0001 ++# QNAME: isc.org ++03 69 73 63 03 6F 72 67 00 ++# Type: A (Host Address) ++0001 ++# Class: IN ++0001 ++# Specially crafted TSIG Resource Record ++# Name: "sha256" ++06 73 68 61 32 35 36 00 ++# Type: TSIG (Transaction Signature) ++00fa ++# Class: ANY ++00ff ++# TTL: 0 ++00000000 ++# RdLen: 29 ++001d ++# Algorithm Name: hmac-sha256 ++0b 68 6D 61 63 2D 73 68 61 32 35 36 00 ++# Time Signed: Jan 1, 1970 01:00:00.000000000 CET ++00 00 00 00 00 00 ++# Fudge: 300 ++012c ++# MAC Size: 0; MAC: empty ++0000 ++# Original ID: 0 ++0000 ++# Error: BADSIG ++0010 ++# Other Data Length: 0 ++0000 +diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh +index cade35bc1d..284aea1056 100644 +--- a/bin/tests/system/tsig/tests.sh ++++ b/bin/tests/system/tsig/tests.sh +@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then + echo "I: failed"; status=1 + fi + ++echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request" ++ret=0 ++$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null ++$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1 ++grep "status: NOERROR" dig.out.verify > /dev/null || ret=1 ++if [ $ret -eq 
1 ] ; then ++ echo_i "failed"; status=1 ++fi ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +-- +2.21.1 + diff --git a/SOURCES/bind-9.11-rh1865785.patch b/SOURCES/bind-9.11-rh1865785.patch new file mode 100644 index 0000000..7846798 --- /dev/null +++ b/SOURCES/bind-9.11-rh1865785.patch 
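Review bot: The TSIG error field in the new badtime fixture is `0010` (decimal 16, BADSIG in RFC 2845) while the file name and the test title in tests.sh say 'BADTIME' (18); the inline comment `# Error: BADSIG` agrees with the bytes, so either the title or the fixture is misleading about which error path is exercised. The check itself only confirms the server still answers `version.bind` afterwards, which is the right liveness check for a crash regression but says nothing about how the crafted request was answered, since its reply goes to /dev/null. A one-line comment above the `$PERL ../packet.pl` line stating that the reply is deliberately discarded and only liveness is asserted would make that explicit for the next reader.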
@@ -0,0 +1,90 @@ +From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 3 Jun 2020 14:42:11 +0200 +Subject: [PATCH] Change the invalid CIDR from parser error to warning + +In [RT #43367], the BIND 9 changed the strictness of address / prefix +length checks: + + Check prefixes in acls to make sure the address and + prefix lengths are consistent. Warn only in + BIND 9.11 and earlier. + +Unfortunately, a regression slipped in and the check was made an error +also in the BIND 9.11. This commit fixes the regression, but turning +the error into a warning. +--- + bin/tests/system/checkconf/tests.sh | 9 +++++++++ + ...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++-- + lib/isccfg/parser.c | 9 --------- + util/copyrights | 2 +- + 4 files changed, 20 insertions(+), 12 deletions(-) + rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%) + +diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh +index 85fb4839e9..d2b0daa35c 100644 +--- a/bin/tests/system/checkconf/tests.sh ++++ b/bin/tests/system/checkconf/tests.sh +@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi + status=`expr $status + $ret` + ++n=`expr $n + 1` ++echo_i "check that invalid address/prefix length generates a warning ($n)" ++ret=0 ++$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1 ++LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1 ++[ "$LINES" -eq 8 ] || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi ++status=`expr $status + $ret` ++ + n=`expr $n + 1` + echo_i "check that 'dnssec-lookaside . 
trust-anchor dlv.example.com;' doesn't generates a warning ($n)" + ret=0 +diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf +similarity index 70% +rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf +rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf +index 2c768c7e1a..5e3bc3f6ee 100644 +--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf ++++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf +@@ -9,6 +9,14 @@ + * information regarding copyright ownership. + */ + +-acl myacl { +- 127.1/8; /* No-zero bits */ ++zone example { ++ type master; ++ file "example.db"; ++ auto-dnssec maintain; ++ allow-update { ++ 192.0.2.64/24; ++ 192.0.2.128/24; ++ 198.51.100.255/24; ++ 203.0.113.2/24; ++ }; + }; +diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c +index e2af054661..44a1dfc37a 100644 +--- a/lib/isccfg/parser.c ++++ b/lib/isccfg/parser.c +@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, + "invalid prefix length"); + return (ISC_R_RANGE); + } +- result = isc_netaddr_prefixok(&netaddr, prefixlen); +- if (result != ISC_R_SUCCESS) { +- char buf[ISC_NETADDR_FORMATSIZE + 1]; +- isc_netaddr_format(&netaddr, buf, sizeof(buf)); +- cfg_parser_error(pctx, CFG_LOG_NOPREP, +- "'%s/%u': address/prefix length " +- "mismatch", buf, prefixlen); +- return (ISC_R_FAILURE); +- } + } else { + if (expectprefix) { + cfg_parser_error(pctx, CFG_LOG_NEAR, +-- +GitLab + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 68295f0..64cf3b7 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec 
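Review bot: The lib/isccfg/parser.c hunk deletes the `isc_netaddr_prefixok` check from cfg_parse_netprefix outright instead of downgrading it, although the embedded subject says the error is turned into a warning; no `cfg_parser_warning` replaces it in this diff, so the eight 'address/prefix length mismatch' lines the new checkconf test counts must be produced by a separate check elsewhere in the tree. Worth confirming that other check exists in this 9.11 tree, or otherwise keeping the block and replacing the error with `cfg_parser_warning(pctx, CFG_LOG_NOPREP, "'%s/%u': address/prefix length mismatch", buf, prefixlen);` and dropping the early return. A prefix with host bits set, such as `192.0.2.64/24` in the renamed test config, silently matches the whole /24, so that warning is the operator's only hint that the allow-update ACL is wider than written. cfg_parse_netprefix starts and ends outside the hunk.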
@@ -63,7 +63,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.13 -Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.1 Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -157,6 +157,9 @@ Patch179:bind-9.11-rh1790879.patch Patch180:bind-9.11.13-rwlock.patch Patch181:bind-9.11.13-CVE-2020-8617.patch Patch182:bind-9.11.13-CVE-2020-8616.patch +Patch183:bind-9.11-CVE-2020-8616-test.patch +Patch184:bind-9.11-CVE-2020-8617-test.patch +Patch185:bind-9.11-rh1865785.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -513,6 +516,9 @@ are used for building ISC DHCP. %patch180 -p1 -b .rwlock %patch181 -p1 -b .CVE-2020-8617 %patch182 -p1 -b .CVE-2020-8616 +%patch183 -p1 -b .CVE-2020-8616-test +%patch184 -p1 -b .CVE-2020-8616-test +%patch185 -p1 -b .rh1865785 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1490,6 +1496,12 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Tue Aug 04 2020 Tomas Korbar - 32:9.11.13-6.1 +- Validate configuration files with CIDRs host bits set (#1865785) + +* Fri May 22 2020 Petr Menšík - 32:9.11.13-5.1 +- Add CVE tests to codebase + * Fri May 15 2020 Petr Menšík - 32:9.11.13-5 - Limit number of queries triggered by a request (CVE-2020-8616)
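Review bot: In the %prep hunk, `%patch184 -p1 -b .CVE-2020-8616-test` reuses the backup suffix of %patch183 although Patch184 is the CVE-2020-8617 test patch; it should read `%patch184 -p1 -b .CVE-2020-8617-test`. The two patches touch different directories (resolver/ and tsig/), so no backup file is overwritten today, but the suffix is what identifies which patch produced a backup when a later rebase leaves rejects, and the mislabel will mislead exactly then. The changelog hunk at the end of this line continues past the end of the page.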