From ba28f7a158f7b7f3f16a75270cee0b71059e7e79 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:55:50 +0200
Subject: [PATCH] Fix CVE-2020-8624

5481.	[security]	"update-policy" rules of type "subdomain" were
			incorrectly treated as "zonesub" rules, which allowed
			keys used in "subdomain" rules to update names outside
			of the specified subdomains. The problem was fixed by
			making sure "subdomain" rules are again processed as
			described in the ARM. (CVE-2020-8624) [GL #2055]
---
 bin/named/zoneconf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 9bf5bfe..3aee3d2 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -234,7 +234,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 
 		str = cfg_obj_asstring(matchtype);
 		CHECK(dns_ssu_mtypefromstring(str, &mtype));
-		if (mtype == dns_ssumatchtype_subdomain) {
+		if (mtype == dns_ssumatchtype_subdomain &&
+		    strcasecmp(str, "zonesub") == 0) {
 			usezone = ISC_TRUE;
 		}
 
-- 
2.26.2