CVE-2016-8864
---
main/bind/APKBUILD | 13 ++-
main/bind/CVE-2016-8864.patch | 201 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 210 insertions(+), 4 deletions(-)
create mode 100644 main/bind/CVE-2016-8864.patch
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index 3412e12..d7a0bc3 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -1,3 +1,4 @@
+# Contributor: Sergey Lukin <sergej.lukin@gmail.com>
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=bind
@@ -5,7 +6,7 @@ pkgver=9.10.4_p3
_ver=${pkgver%_p*}
_p=${pkgver#*_p}
[ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
-pkgrel=0
+pkgrel=1
pkgdesc="The Berkeley Internet Name Domain Name Server and tools"
url="http://www.isc.org"
arch="all"
@@ -25,6 +26,7 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz
127.zone
localhost.zone
named.ca
+ CVE-2016-8864.patch
"
# secfixes:
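Review bot: The `# secfixes:` block that closes this hunk is left unchanged, so the package metadata does not record that the rebuilt release carries the CVE-2016-8864 fix. That comment block is the package's machine-readable record of fixed CVEs, so an entry for the new release belongs under it: `#   9.10.4_p3-r1:` followed by `#     - CVE-2016-8864`. The rest of the block lies outside the hunk, so check that the CVE is not already listed under another version key before adding it.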
@@ -125,7 +127,8 @@ a9de5fb1c027a7eedf440bf187594f07 named.conf.authoritative
886fe73bf37335df1ef15ff842b568b3 named.conf.recursive
a7455b009b7fccd74ac6f6eaa6902a00 127.zone
c3220168fabfb31a25e8c3a545545e34 localhost.zone
-a94e29ac677846f3d4d618c50b7d34f1 named.ca"
+a94e29ac677846f3d4d618c50b7d34f1 named.ca
+daeebcd6384a73b364eed865b40605cb CVE-2016-8864.patch"
sha256sums="a075e5ce89fddccb0e64d1777d59161387dd5151cf4e7d1a93875a487812baef bind-9.10.4-P3.tar.gz
4c5dc352da0a12bdda2644e835f7eabde4f5687f1a98acd65b22be4ee587c086 bind.so_bsdcompat.patch
058d9d1d6c35f79bc704e87186072d0a79f9a4f269363a8c367885dabf016913 named.initd
@@ -134,7 +137,8 @@ c0e7b365dca072dc96a97c8f81dff012aff7fe57337c10b63cd9f292d03c207d named.confd
633f1b97fbf509880c278e92adedc85fd72d519f7a5b1ecd6b3fb727722f5098 named.conf.recursive
65b909fc1398dfa5b532ab395d6920758937093cf7e5b5bec8242dff4fe15e89 127.zone
b6dff70386920adb21883566610b0a45b9de5a3847a870e4ad1902c5c7900399 localhost.zone
-0bd88f7f5cab2f872d3619700e382c1df6837a8aacf28cf6a0bf336742a0ee56 named.ca"
+0bd88f7f5cab2f872d3619700e382c1df6837a8aacf28cf6a0bf336742a0ee56 named.ca
+5eb5cd93454fe1554e49f1920a9b6659105b5ee72625e7963bd41c6c357b7dce CVE-2016-8864.patch"
sha512sums="6ffe0b488a5e5c4547723b1570b5b71287fbcb93b54a89d79c43ddd661bbf5c575edc8b4dae275a34916d3951907c2c6a4e58aee1ee9c87a4c3075de4671c124 bind-9.10.4-P3.tar.gz
f3e3d1b680617485b9db20a59a10fec3b3b539d423984493228a7d5aaa29d699b9012ad60e863e56bdaf15b73952c22710d0ded1c86cd24417ac775ee062cfa3 bind.so_bsdcompat.patch
8ccc944eb35cd5523b63fabc912b63e60e3d97abebc81e2edcae557dbde6a9b2fc3da71ecaed8c991cffaf73061f59a76ab339ce90f8412b5516744c47887712 named.initd
@@ -143,4 +147,5 @@ d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793
3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive
eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone
340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone
-badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192 named.ca"
+badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192 named.ca
+b5d1f84822b7ab54bdfef2c551869b7833bd3318fcd12b2114e374a96e28dabf000d601721ee45bd69abf91f86610c54437d38e1879e5d645f2beb778df8a404 CVE-2016-8864.patch"
diff --git a/main/bind/CVE-2016-8864.patch b/main/bind/CVE-2016-8864.patch
new file mode 100644
index 0000000..fa0dc56
--- /dev/null
+++ b/main/bind/CVE-2016-8864.patch
@@ -0,0 +1,201 @@
+Fix for CVE-2016-8864
+https://bugs.alpinelinux.org/issues/6424
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=8bd0c12d53bea6f299e92d20ee0a23b16a7f65bc
+
+diff --git a/CHANGES b/CHANGES
+index 5b9e552..c709f58 100644 (file)
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,6 @@
++4489. [security] It was possible to trigger assertions when processing
++ a response. (CVE-2016-8864) [RT #43465]
++
+ --- 9.9.9-P3 released ---
+
+ 4467. [security] It was possible to trigger a assertion when rendering
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 5f75bc0..2bc4461 100644 (file)
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -593,7 +593,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
+ valarg->addrinfo = addrinfo;
+
+ if (!ISC_LIST_EMPTY(fctx->validators))
+- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++ valoptions |= DNS_VALIDATOR_DEFER;
++ else
++ valoptions &= ~DNS_VALIDATOR_DEFER;
+
+ result = dns_validator_create(fctx->res->view, name, type, rdataset,
+ sigrdataset, fctx->rmessage,
+@@ -5277,13 +5279,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+ rdataset,
+ sigrdataset,
+ valoptions, task);
+- /*
+- * Defer any further validations.
+- * This prevents multiple validators
+- * from manipulating fctx->rmessage
+- * simultaneously.
+- */
+- valoptions |= DNS_VALIDATOR_DEFER;
+ }
+ } else if (CHAINING(rdataset)) {
+ if (rdataset->type == dns_rdatatype_cname)
+@@ -5396,6 +5391,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+ eresult == DNS_R_NCACHENXRRSET);
+ }
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -5643,6 +5643,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+ fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ if (event != NULL) {
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -6464,13 +6469,15 @@ static isc_result_t
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *cname = NULL;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++ isc_boolean_t have_answer, found_cname, found_dname, found_type;
++ isc_boolean_t wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname;
++ dns_fixedname_t fdname, fqname, fqdname;
+ dns_view_t *view;
+
+ FCTXTRACE("answer_response");
+@@ -6484,6 +6491,7 @@ answer_response(fetchctx_t *fctx) {
+
+ done = ISC_FALSE;
+ found_cname = ISC_FALSE;
++ found_dname = ISC_FALSE;
+ found_type = ISC_FALSE;
+ chaining = ISC_FALSE;
+ have_answer = ISC_FALSE;
+@@ -6493,12 +6501,13 @@ answer_response(fetchctx_t *fctx) {
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+- qname = &fctx->name;
++ dqname = qname = &fctx->name;
+ type = fctx->type;
+ view = fctx->res->view;
++ dns_fixedname_init(&fqdname);
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln;
++ dns_namereln_t namereln, dnamereln;
+ int order;
+ unsigned int nlabels;
+
+@@ -6506,6 +6515,8 @@ answer_response(fetchctx_t *fctx) {
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++ dnamereln = dns_name_fullcompare(dqname, name, &order,
++ &nlabels);
+ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6600,7 +6611,7 @@ answer_response(fetchctx_t *fctx) {
+ }
+ } else if (rdataset->type == dns_rdatatype_rrsig
+ && rdataset->covers ==
+- dns_rdatatype_cname
++ dns_rdatatype_cname
+ && !found_type) {
+ /*
+ * We're looking for something else,
+@@ -6630,11 +6641,18 @@ answer_response(fetchctx_t *fctx) {
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+- if (aflag ==
+- DNS_RDATASETATTR_ANSWER) {
++ if ((rdataset->type !=
++ dns_rdatatype_cname) ||
++ !found_dname ||
++ (aflag ==
++ DNS_RDATASETATTR_ANSWER))
++ {
+ have_answer = ISC_TRUE;
++ if (rdataset->type ==
++ dns_rdatatype_cname)
++ cname = name;
+ name->attributes |=
+- DNS_NAMEATTR_ANSWER;
++ DNS_NAMEATTR_ANSWER;
+ }
+ rdataset->attributes |= aflag;
+ if (aa)
+@@ -6728,11 +6746,11 @@ answer_response(fetchctx_t *fctx) {
+ return (DNS_R_FORMERR);
+ }
+
+- if (namereln != dns_namereln_subdomain) {
++ if (dnamereln != dns_namereln_subdomain) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+- dns_name_format(qname, qbuf,
++ dns_name_format(dqname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+@@ -6747,7 +6765,7 @@ answer_response(fetchctx_t *fctx) {
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, qname,
++ result = dname_target(rdataset, dqname,
+ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+@@ -6764,10 +6782,13 @@ answer_response(fetchctx_t *fctx) {
+
+ dname = dns_fixedname_name(&fdname);
+ if (!is_answertarget_allowed(view,
+- qname, rdataset->type,
+- dname, &fctx->domain)) {
++ dqname, rdataset->type,
++ dname, &fctx->domain))
++ {
+ return (DNS_R_SERVFAIL);
+ }
++ dqname = dns_fixedname_name(&fqdname);
++ dns_name_copy(dname, dqname, NULL);
+ } else {
+ /*
+ * We've found a signature that
+@@ -6792,6 +6813,10 @@ answer_response(fetchctx_t *fctx) {
+ INSIST(!external);
+ if (aflag == DNS_RDATASETATTR_ANSWER) {
+ have_answer = ISC_TRUE;
++ found_dname = ISC_TRUE;
++ if (cname != NULL)
++ cname->attributes &=
++ ~DNS_NAMEATTR_ANSWER;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ }
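Review bot: The embedded patch appears to have been cut from a different release branch than the one being packaged: its CHANGES hunk uses `--- 9.9.9-P3 released ---` as context, while the APKBUILD builds pkgver 9.10.4_p3. The CHANGES hunk is not part of the fix and its context is unlikely to match the 9.10 tarball, so it is safer to drop it and ship only the lib/dns/resolver.c hunks. Because this is a security backport, the resolver.c hunks should be checked to apply to the 9.10.4-P3 source without fuzz, and the result compared against the upstream fix for that branch, since a hunk that lands at the wrong offset in answer_response() can leave the assertion reachable. I would also record the origin in the patch header, for example `Backported from upstream commit 8bd0c12d53bea6f299e92d20ee0a23b16a7f65bc; CHANGES hunk dropped`.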
--
2.2.1