diff --git a/bind-9.16-CVE-2020-8625.patch b/bind-9.16-CVE-2020-8625.patch new file mode 100644 index 0000000..ce92a48 --- /dev/null +++ b/bind-9.16-CVE-2020-8625.patch @@ -0,0 +1,45 @@ +From b04cb88462863d762093760ffcfe1946200e30f5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Thu, 7 Jan 2021 10:44:46 +0100 +Subject: [PATCH] Fix off-by-one bug in ISC SPNEGO implementation + +The ISC SPNEGO implementation is based on mod_auth_kerb code. When +CVE-2006-5989 was disclosed, the relevant fix was not applied to the +BIND 9 codebase, making the latter vulnerable to the aforementioned flaw +when "tkey-gssapi-keytab" or "tkey-gssapi-credential" is set in +named.conf. + +The original description of CVE-2006-5989 was: + + Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 + allows remote attackers to cause a denial of service (crash) via a + crafted Kerberos message that triggers a heap-based buffer overflow + in the component array. + +Later research revealed that this flaw also theoretically enables remote +code execution, though achieving the latter in real-world conditions is +currently deemed very difficult. + +This vulnerability was responsibly reported as ZDI-CAN-12302 ("ISC BIND +TKEY Query Heap-based Buffer Overflow Remote Code Execution +Vulnerability") by Trend Micro Zero Day Initiative. +--- + lib/dns/spnego.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c +index e61d1c600f..753dc8049f 100644 +--- a/lib/dns/spnego.c ++++ b/lib/dns/spnego.c +@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) { + return (ASN1_OVERRUN); + } + +- data->components = malloc(len * sizeof(*data->components)); ++ data->components = malloc((len + 1) * sizeof(*data->components)); + if (data->components == NULL) { + return (ENOMEM); + } +-- +2.26.2 + diff --git a/bind.spec b/bind.spec index 4e3ad7e..cb333e1 100644 --- a/bind.spec +++ b/bind.spec @@ -66,7 +66,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.11 -Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -120,6 +120,8 @@ Patch170:bind-9.11-feature-test-named.patch Patch171:bind-9.11-tests-variants.patch # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4582 Patch172:bind-9.16-unit-tests-multicore.patch +# https://gitlab.isc.org/isc-projects/bind9/commit/b04cb88462863d762093760ffcfe1946200e30f5 +Patch173:bind-9.16-CVE-2020-8625.patch Requires(post): systemd Requires(preun): systemd @@ -434,6 +436,7 @@ in HTML and PDF format. %patch170 -p1 -b .featuretest-named %patch171 -p1 -b .test-variant %patch172 -p1 -b .multicore +%patch173 -p1 -b .CVE-2020-8625 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -1164,6 +1167,9 @@ fi; %endif %changelog +* Mon Feb 22 2021 Petr Menšík - 32:9.16.11-4 +- Fix off-by-one bug in ISC SPNEGO implementation (#1929965) + * Mon Feb 08 2021 Pavel Raiskup - 32:9.16.11-3 - rebuild for libpq ABI fix rhbz#1908268