diff --git a/SOURCES/unbound-1.6.6-amplifying-an-incoming-query.patch b/SOURCES/unbound-1.6.6-amplifying-an-incoming-query.patch
index 00a8ddc..75922b1 100644
--- a/SOURCES/unbound-1.6.6-amplifying-an-incoming-query.patch
+++ b/SOURCES/unbound-1.6.6-amplifying-an-incoming-query.patch
@@ -341,7 +341,7 @@ index 70cab40..fc7d625 100644
lock_rw_unlock(&akey->entry.lock);
}
diff --git a/iterator/iterator.c b/iterator/iterator.c
-index 01ac883..7fd4d32 100644
+index 01ac883..edf5751 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -68,6 +68,8 @@
@@ -578,7 +578,7 @@ index 01ac883..7fd4d32 100644
"number of sends with %d", iq->sent_count);
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
-+
++
+ if(iq->target_count && iq->target_count[2] > MAX_TARGET_NX) {
+ verbose(VERB_QUERY, "request has exceeded the maximum "
+ " number of nxdomain nameserver lookups with %d",
@@ -590,7 +590,32 @@ index 01ac883..7fd4d32 100644
/* Make sure we have a delegation point, otherwise priming failed
* or another failure occurred */
-@@ -2160,12 +2211,41 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -1920,6 +1971,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ * generated query will immediately be discarded due to depth and
+ * that servfail is cached, which is not good as opportunism goes. */
+ if(iq->depth < ie->max_dependency_depth
++ && iq->num_target_queries == 0
++ && (!iq->target_count || iq->target_count[2]==0)
+ && iq->sent_count < TARGET_FETCH_STOP) {
+ tf_policy = ie->target_fetch_policy[iq->depth];
+ }
+@@ -1957,6 +2010,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ iq->num_current_queries++; /* RespState decrements it*/
+ iq->referral_count++; /* make sure we don't loop */
+ iq->sent_count = 0;
++ iq->dp_target_count = 0;
+ iq->state = QUERY_RESP_STATE;
+ return 1;
+ }
+@@ -2041,6 +2095,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ iq->num_current_queries++; /* RespState decrements it*/
+ iq->referral_count++; /* make sure we don't loop */
+ iq->sent_count = 0;
++ iq->dp_target_count = 0;
+ iq->state = QUERY_RESP_STATE;
+ return 1;
+ }
+@@ -2160,12 +2215,41 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
qstate->query_flags, qstate->region, qstate->env->scratch);
@@ -635,7 +660,7 @@ index 01ac883..7fd4d32 100644
}
}
if(iq->minimisation_state == SKIP_MINIMISE_STATE) {
-@@ -2216,6 +2296,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -2216,6 +2300,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
outbound_list_insert(&iq->outlist, outq);
iq->num_current_queries++;
iq->sent_count++;
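Review bot: The new `iq->dp_target_count = 0;` lines in the `+@@ -1957` and `+@@ -2041` sub-hunks here, and the one in the `+@@ -2576` sub-hunk of the next hunk group, are each hand-placed beside an existing `iq->sent_count = 0;`, which is the same pairing the previous revision of this patch missed and that the changelog calls "incomplete". Since the per-delegation-point counter only bounds the NXNSAttack-style fan-out if it is reset at every referral and query-restart site where `sent_count` is reset, a single `static` helper (say `iter_reset_dp_counts(iq)` doing `iq->sent_count = 0; iq->dp_target_count = 0;`) called from all three sites would make a future omission hard to reintroduce. The declaration of `dp_target_count` and the `MAX_TARGET_NX` check are not in the hunks shown, so presumably they live in unchanged parts of the embedded patch; worth confirming the field is initialised to zero where `iter_qstate` is created. As a smaller point, the new `(!iq->target_count || iq->target_count[2]==0)` condition uses the bare index 2 for the nxdomain slot, as does the existing `iq->target_count[2] > MAX_TARGET_NX` check, and mixes `==0` with the `== 0` spacing on the line above; a named constant for that slot would document what index 2 counts. The enclosing processQueryTargets() starts before and continues after this hunk.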
@@ -643,7 +668,7 @@ index 01ac883..7fd4d32 100644
qstate->ext_state[id] = module_wait_reply;
return 0;
-@@ -2404,7 +2485,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -2404,7 +2489,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* Make subrequest to validate intermediate
* NXDOMAIN if harden-below-nxdomain is
* enabled. */
@@ -653,7 +678,7 @@ index 01ac883..7fd4d32 100644
struct module_qstate* subq = NULL;
log_query_info(VERB_QUERY,
"schedule NXDOMAIN validation:",
-@@ -2416,7 +2498,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -2416,7 +2502,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->response->qinfo.qclass,
qstate, id, iq,
INIT_REQUEST_STATE,
@@ -662,7 +687,7 @@ index 01ac883..7fd4d32 100644
verbose(VERB_ALGO,
"could not validate NXDOMAIN "
"response");
-@@ -2499,6 +2581,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -2499,6 +2585,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* Count this as a referral. */
iq->referral_count++;
iq->sent_count = 0;
@@ -670,7 +695,15 @@ index 01ac883..7fd4d32 100644
/* see if the next dp is a trust anchor, or a DS was sent
* along, indicating dnssec is expected for next zone */
iq->dnssec_expected = iter_indicates_dnssec(qstate->env,
-@@ -2739,7 +2822,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
+@@ -2576,6 +2663,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ /* Note the query restart. */
+ iq->query_restart_count++;
+ iq->sent_count = 0;
++ iq->dp_target_count = 0;
+
+ /* stop current outstanding queries.
+ * FIXME: should the outstanding queries be waited for and
+@@ -2739,7 +2827,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
if(!generate_sub_request(qstate->qinfo.qname,
qstate->qinfo.qname_len, qstate->qinfo.qtype,
qstate->qinfo.qclass, qstate, id, iq,
@@ -679,7 +712,7 @@ index 01ac883..7fd4d32 100644
verbose(VERB_ALGO, "could not generate prime check");
}
generate_a_aaaa_check(qstate, iq, id);
-@@ -2767,6 +2850,7 @@ static void
+@@ -2767,6 +2855,7 @@ static void
processTargetResponse(struct module_qstate* qstate, int id,
struct module_qstate* forq)
{
@@ -687,7 +720,7 @@ index 01ac883..7fd4d32 100644
struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
struct iter_qstate* foriq = (struct iter_qstate*)forq->minfo[id];
struct ub_packed_rrset_key* rrset;
-@@ -2804,7 +2888,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
+@@ -2804,7 +2893,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
log_rrset_key(VERB_ALGO, "add parentside glue to dp",
iq->pside_glue);
if(!delegpt_add_rrset(foriq->dp, forq->region,
@@ -696,7 +729,7 @@ index 01ac883..7fd4d32 100644
log_err("out of memory adding pside glue");
}
-@@ -2815,6 +2899,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
+@@ -2815,6 +2904,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
* response type was ANSWER. */
rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep);
if(rrset) {
@@ -704,7 +737,7 @@ index 01ac883..7fd4d32 100644
/* if CNAMEs have been followed - add new NS to delegpt. */
/* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */
if(!delegpt_find_ns(foriq->dp, rrset->rk.dname,
-@@ -2826,13 +2911,23 @@ processTargetResponse(struct module_qstate* qstate, int id,
+@@ -2826,13 +2916,23 @@ processTargetResponse(struct module_qstate* qstate, int id,
}
/* if dpns->lame then set the address(es) lame too */
if(!delegpt_add_rrset(foriq->dp, forq->region, rrset,
@@ -729,7 +762,7 @@ index 01ac883..7fd4d32 100644
}
}
-@@ -3003,7 +3098,7 @@ processCollectClass(struct module_qstate* qstate, int id)
+@@ -3003,7 +3103,7 @@ processCollectClass(struct module_qstate* qstate, int id)
qstate->qinfo.qname_len, qstate->qinfo.qtype, c,
qstate, id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq,
diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec
index cf08cf0..ad4ba8a 100644
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@@ -12,7 +12,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.6.6
-Release: 4%{?dist}
+Release: 5%{?dist}
License: BSD
Url: https://unbound.net/
Source: https://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -355,6 +355,10 @@ fi
%endif
%changelog
+* Thu Jun 11 2020 Anna Khaitovich - 1.6.6-5
+- Fix incomplete amplifying-an-incoming-query patch
+- Resolves: rhbz#1846424
+
* Sun May 31 2020 Anna Khaitovich - 1.6.6-4
- Fix amplifying an incoming query into a large number of queries directed to a target
- Resolves: rhbz#1839172 (CVE-2020-12662), rhbz#1840258 (CVE-2020-12663)