diff --git a/SOURCES/bind99-CVE-2016-2776.patch b/SOURCES/bind99-CVE-2016-2776.patch new file mode 100644 index 0000000..6a02094 --- /dev/null +++ b/SOURCES/bind99-CVE-2016-2776.patch @@ -0,0 +1,89 @@ +diff --git a/lib/dns/message.c b/lib/dns/message.c +index 73def73..3d2de4f 100644 +--- a/lib/dns/message.c ++++ b/lib/dns/message.c +@@ -1736,7 +1736,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx, + if (r.length < DNS_MESSAGE_HEADERLEN) + return (ISC_R_NOSPACE); + +- if (r.length < msg->reserved) ++ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved) + return (ISC_R_NOSPACE); + + /* +@@ -1863,8 +1863,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options) + + return (ISC_TRUE); + } +- + #endif ++ ++static isc_result_t ++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name, ++ dns_compress_t *cctx, isc_buffer_t *target, ++ unsigned int reserved, unsigned int options, unsigned int *countp) ++{ ++ isc_result_t result; ++ ++ /* ++ * Shrink the space in the buffer by the reserved amount. ++ */ ++ if (target->length - target->used < reserved) ++ return (ISC_R_NOSPACE); ++ ++ target->length -= reserved; ++ result = dns_rdataset_towire(rdataset, owner_name, ++ cctx, target, options, countp); ++ target->length += reserved; ++ ++ return (result); ++} ++ + isc_result_t + dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, + unsigned int options) +@@ -1907,6 +1928,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, + /* + * Shrink the space in the buffer by the reserved amount. + */ ++ if (msg->buffer->length - msg->buffer->used < msg->reserved) ++ return (ISC_R_NOSPACE); + msg->buffer->length -= msg->reserved; + + total = 0; +@@ -2183,9 +2206,8 @@ dns_message_renderend(dns_message_t *msg) { + * Render. + */ + count = 0; +- result = dns_rdataset_towire(msg->opt, dns_rootname, +- msg->cctx, msg->buffer, 0, +- &count); ++ result = renderset(msg->opt, dns_rootname, msg->cctx, ++ msg->buffer, msg->reserved, 0, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) + return (result); +@@ -2201,9 +2223,8 @@ dns_message_renderend(dns_message_t *msg) { + if (result != ISC_R_SUCCESS) + return (result); + count = 0; +- result = dns_rdataset_towire(msg->tsig, msg->tsigname, +- msg->cctx, msg->buffer, 0, +- &count); ++ result = renderset(msg->tsig, msg->tsigname, msg->cctx, ++ msg->buffer, msg->reserved, 0, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) + return (result); +@@ -2224,9 +2245,8 @@ dns_message_renderend(dns_message_t *msg) { + * the owner name of a SIG(0) is irrelevant, and will not + * be set in a message being rendered. + */ +- result = dns_rdataset_towire(msg->sig0, dns_rootname, +- msg->cctx, msg->buffer, 0, +- &count); ++ result = renderset(msg->sig0, dns_rootname, msg->cctx, ++ msg->buffer, msg->reserved, 0, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) + return (result); diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 02e2653..5d516b5 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -25,7 +25,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.4 -Release: 29%{?PATCHVER}%{?PREVER}%{?dist}.3 +Release: 29%{?PATCHVER}%{?PREVER}%{?dist}.4 Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -104,6 +104,7 @@ Patch159:bind99-CVE-2015-5722.patch Patch160:bind99-CVE-2015-8000.patch Patch161:bind99-CVE-2015-8704.patch Patch162:bind99-CVE-2016-1285-CVE-2016-1286.patch +patch163:bind99-CVE-2016-2776.patch # Native PKCS#11 functionality from 9.10 Patch150:bind-9.9-allow_external_dnskey.patch @@ -381,6 +382,7 @@ popd %patch160 -p1 -b .CVE-2015-8000 %patch161 -p1 -b .CVE-2015-8704 %patch162 -p1 -b .CVE-2016-1285-CVE-2016-1286 +%patch163 -p1 -b .CVE-2016-2776 %if %{PKCS11} cp -r bin/named{,-pkcs11} @@ -1061,6 +1063,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Fri Sep 23 2016 Tomas Hozza - 32:9.9.4-29.4 +- Fix CVE-2016-2776 + * Tue Mar 08 2016 Tomas Hozza - 32:9.9.4-29.3 - Fix CVE-2016-1285 and CVE-2016-1286