
[alpine-aports] [PATCH v3.2] main/bind: security upgrade - fixes #6423

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Fri, 9 Dec 2016 09:04:09 +0000

CVE-2016-8864
---
 main/bind/APKBUILD            |  23 +++--
 main/bind/CVE-2016-8864.patch | 201 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 215 insertions(+), 9 deletions(-)
 create mode 100644 main/bind/CVE-2016-8864.patch
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index 6eeb9dd..2e7e1c7 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
_at_@ -1,11 +1,12 @@
-# Contributor: Carlo Landmeter <clandmeter_at_gmail.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
+# Contributor: Carlo Landmeter <clandmeter_at_gmail.com>
+# Contributor: Sergey Lukin <sergej.lukin_at_gmail.com>
 pkgname=bind
 pkgver=9.10.4_p3
 _ver=${pkgver%_p*}
 _p=${pkgver#*_p}
 [ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
-pkgrel=0
+pkgrel=1
 pkgdesc="The Berkeley Internet Name Domain Name Server and tools"
 url="http://www.isc.org"
 arch="all"
_at_@ -25,15 +26,16 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz
 	127.zone
 	localhost.zone
 	named.ca
+	CVE-2016-8864.patch
 	"
 
 # secfixes:
 #   9.10.4_p3:
 #   - CVE-2016-2776
 
-_builddir="$srcdir/bind-${_ver}"
+builddir="$srcdir/bind-${_ver}"
 prepare() {
-	cd "$_builddir"
+	cd "$builddir"
 
 	### http://bugs.gentoo.org/show_bug.cgi?id=227333
 	export CFLAGS="$CFLAGS -D_GNU_SOURCE" 
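Review bot: The `# secfixes:` block in this hunk still lists only CVE-2016-2776 under `9.10.4_p3`, so the release that actually carries the new patch (`pkgrel=1`) is not recorded as fixing CVE-2016-8864. Anyone, or any tooling, that reads this comment to decide whether an installed version is still affected has nothing to match against. I would add an entry such as `#   9.10.4_p3-r1:` followed by `#   - CVE-2016-8864`, in whatever key format the tree uses. Separately, `prepare()` continues outside the hunk, so it is not visible here whether it applies every `*.patch` listed in `source`. That is worth confirming, because a patch that is listed and checksummed but never applied fails silently.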
_at_@ -51,7 +53,7 @@ prepare() {
 }
 
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
_at_@ -76,7 +78,7 @@ build() {
 }
 
 package() {
-	cd "$_builddir"
+	cd "$builddir"
 	install -d -m0770 -g named -o root "$pkgdir"/var/bind \
 		"$pkgdir"/var/bind/sec \
 		"$pkgdir"/var/bind/dyn \
_at_@ -125,7 +127,8 @@ a9de5fb1c027a7eedf440bf187594f07  named.conf.authoritative
 886fe73bf37335df1ef15ff842b568b3  named.conf.recursive
 a7455b009b7fccd74ac6f6eaa6902a00  127.zone
 c3220168fabfb31a25e8c3a545545e34  localhost.zone
-a94e29ac677846f3d4d618c50b7d34f1  named.ca"
+a94e29ac677846f3d4d618c50b7d34f1  named.ca
+9ae2ffa09c9ae920f68969c55081a3c7  CVE-2016-8864.patch"
 sha256sums="a075e5ce89fddccb0e64d1777d59161387dd5151cf4e7d1a93875a487812baef  bind-9.10.4-P3.tar.gz
 4c5dc352da0a12bdda2644e835f7eabde4f5687f1a98acd65b22be4ee587c086  bind.so_bsdcompat.patch
 74e7a9ab5836d5182a55a9fc4ba24ea2665e4ef9307c4071ba6e2eab792d73ce  named.initd
_at_@ -134,7 +137,8 @@ c0e7b365dca072dc96a97c8f81dff012aff7fe57337c10b63cd9f292d03c207d  named.confd
 633f1b97fbf509880c278e92adedc85fd72d519f7a5b1ecd6b3fb727722f5098  named.conf.recursive
 65b909fc1398dfa5b532ab395d6920758937093cf7e5b5bec8242dff4fe15e89  127.zone
 b6dff70386920adb21883566610b0a45b9de5a3847a870e4ad1902c5c7900399  localhost.zone
-0bd88f7f5cab2f872d3619700e382c1df6837a8aacf28cf6a0bf336742a0ee56  named.ca"
+0bd88f7f5cab2f872d3619700e382c1df6837a8aacf28cf6a0bf336742a0ee56  named.ca
+e01cad1baedd07d6fb5391d3d53037c857785861d221bd7ca7c5d4d0f8cf0eda  CVE-2016-8864.patch"
 sha512sums="6ffe0b488a5e5c4547723b1570b5b71287fbcb93b54a89d79c43ddd661bbf5c575edc8b4dae275a34916d3951907c2c6a4e58aee1ee9c87a4c3075de4671c124  bind-9.10.4-P3.tar.gz
 f3e3d1b680617485b9db20a59a10fec3b3b539d423984493228a7d5aaa29d699b9012ad60e863e56bdaf15b73952c22710d0ded1c86cd24417ac775ee062cfa3  bind.so_bsdcompat.patch
 196c0a3b43cf89e8e3547d7fb63a93ff9a3306505658dfd9aa78e6861be6b226580b424dd3dd44b955b2d9f682b1dc62c457f3ac29ce86200ef070140608c015  named.initd
_at_@ -143,4 +147,5 @@ d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793
 3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe  named.conf.recursive
 eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c  127.zone
 340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b  localhost.zone
-badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192  named.ca"
+badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192  named.ca
+3d4a9d455d95a2a79fc3924c3ad2f5177289ddd94aa159c51be1a6ae05357f6c8dcf4895c51752fe69c37f2dfae8d90adc469c338e83dbd76d95419c3a3637db  CVE-2016-8864.patch"
diff --git a/main/bind/CVE-2016-8864.patch b/main/bind/CVE-2016-8864.patch
new file mode 100644
index 0000000..67e58b8
--- /dev/null
+++ b/main/bind/CVE-2016-8864.patch
_at_@ -0,0 +1,201 @@
+Fix for CVE-2016-8864
+https://bugs.alpinelinux.org/issues/6423
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=8bd0c12d53bea6f299e92d20ee0a23b16a7f65bc
+
+diff --git a/CHANGES b/CHANGES
+index 5b9e552..c709f58 100644 (file)
+--- a/CHANGES
++++ b/CHANGES
+_at_@ -1,3 +1,6 @@
++4489.  [security]      It was possible to trigger assertions when processing
++                       a response. (CVE-2016-8864) [RT #43465]
++
+        --- 9.9.9-P3 released ---
+ 
+ 4467.  [security]      It was possible to trigger a assertion when rendering
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 5f75bc0..2bc4461 100644 (file)
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+_at_@ -593,7 +593,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
+        valarg->addrinfo = addrinfo;
+ 
+        if (!ISC_LIST_EMPTY(fctx->validators))
+-               INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++               valoptions |= DNS_VALIDATOR_DEFER;
++       else
++               valoptions &= ~DNS_VALIDATOR_DEFER;
+ 
+        result = dns_validator_create(fctx->res->view, name, type, rdataset,
+                                      sigrdataset, fctx->rmessage,
+_at_@ -5277,13 +5279,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+                                                           rdataset,
+                                                           sigrdataset,
+                                                           valoptions, task);
+-                                       /*
+-                                        * Defer any further validations.
+-                                        * This prevents multiple validators
+-                                        * from manipulating fctx->rmessage
+-                                        * simultaneously.
+-                                        */
+-                                       valoptions |= DNS_VALIDATOR_DEFER;
+                                }
+                        } else if (CHAINING(rdataset)) {
+                                if (rdataset->type == dns_rdatatype_cname)
+_at_@ -5396,6 +5391,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+                                       eresult == DNS_R_NCACHENXRRSET);
+                        }
+                        event->result = eresult;
++                       if (adbp != NULL && *adbp != NULL) {
++                               if (anodep != NULL && *anodep != NULL)
++                                       dns_db_detachnode(*adbp, anodep);
++                               dns_db_detach(adbp);
++                       }
+                        dns_db_attach(fctx->cache, adbp);
+                        dns_db_transfernode(fctx->cache, &node, anodep);
+                        clone_results(fctx);
+_at_@ -5643,6 +5643,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+                fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+                if (event != NULL) {
+                        event->result = eresult;
++                       if (adbp != NULL && *adbp != NULL) {
++                               if (anodep != NULL && *anodep != NULL)
++                                       dns_db_detachnode(*adbp, anodep);
++                               dns_db_detach(adbp);
++                       }
+                        dns_db_attach(fctx->cache, adbp);
+                        dns_db_transfernode(fctx->cache, &node, anodep);
+                        clone_results(fctx);
+_at_@ -6464,13 +6469,15 @@ static isc_result_t
+ answer_response(fetchctx_t *fctx) {
+        isc_result_t result;
+        dns_message_t *message;
+-       dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
++       dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++       dns_name_t *cname = NULL;
+        dns_rdataset_t *rdataset, *ns_rdataset;
+        isc_boolean_t done, external, chaining, aa, found, want_chaining;
+-       isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++       isc_boolean_t have_answer, found_cname, found_dname, found_type;
++       isc_boolean_t wanted_chaining;
+        unsigned int aflag;
+        dns_rdatatype_t type;
+-       dns_fixedname_t fdname, fqname;
++       dns_fixedname_t fdname, fqname, fqdname;
+        dns_view_t *view;
+ 
+        FCTXTRACE("answer_response");
+_at_@ -6484,6 +6491,7 @@ answer_response(fetchctx_t *fctx) {
+ 
+        done = ISC_FALSE;
+        found_cname = ISC_FALSE;
++       found_dname = ISC_FALSE;
+        found_type = ISC_FALSE;
+        chaining = ISC_FALSE;
+        have_answer = ISC_FALSE;
+_at_@ -6493,12 +6501,13 @@ answer_response(fetchctx_t *fctx) {
+                aa = ISC_TRUE;
+        else
+                aa = ISC_FALSE;
+-       qname = &fctx->name;
++       dqname = qname = &fctx->name;
+        type = fctx->type;
+        view = fctx->res->view;
++       dns_fixedname_init(&fqdname);
+        result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+        while (!done && result == ISC_R_SUCCESS) {
+-               dns_namereln_t namereln;
++               dns_namereln_t namereln, dnamereln;
+                int order;
+                unsigned int nlabels;
+ 
+_at_@ -6506,6 +6515,8 @@ answer_response(fetchctx_t *fctx) {
+                dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+                external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+                namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++               dnamereln = dns_name_fullcompare(dqname, name, &order,
++                                                &nlabels);
+                if (namereln == dns_namereln_equal) {
+                        wanted_chaining = ISC_FALSE;
+                        for (rdataset = ISC_LIST_HEAD(name->list);
+_at_@ -6600,7 +6611,7 @@ answer_response(fetchctx_t *fctx) {
+                                        }
+                                } else if (rdataset->type == dns_rdatatype_rrsig
+                                           && rdataset->covers ==
+-                                          dns_rdatatype_cname
++                                             dns_rdatatype_cname
+                                           && !found_type) {
+                                        /*
+                                         * We're looking for something else,
+_at_@ -6630,11 +6641,18 @@ answer_response(fetchctx_t *fctx) {
+                                                 * a CNAME or DNAME).
+                                                 */
+                                                INSIST(!external);
+-                                               if (aflag ==
+-                                                   DNS_RDATASETATTR_ANSWER) {
++                                               if ((rdataset->type !=
++                                                    dns_rdatatype_cname) ||
++                                                   !found_dname ||
++                                                   (aflag ==
++                                                    DNS_RDATASETATTR_ANSWER))
++                                               {
+                                                        have_answer = ISC_TRUE;
++                                                       if (rdataset->type ==
++                                                           dns_rdatatype_cname)
++                                                               cname = name;
+                                                        name->attributes |=
+-                                                               DNS_NAMEATTR_ANSWER;
++                                                           DNS_NAMEATTR_ANSWER;
+                                                }
+                                                rdataset->attributes |= aflag;
+                                                if (aa)
+_at_@ -6728,11 +6746,11 @@ answer_response(fetchctx_t *fctx) {
+                                        return (DNS_R_FORMERR);
+                                }
+ 
+-                               if (namereln != dns_namereln_subdomain) {
++                               if (dnamereln != dns_namereln_subdomain) {
+                                        char qbuf[DNS_NAME_FORMATSIZE];
+                                        char obuf[DNS_NAME_FORMATSIZE];
+ 
+-                                       dns_name_format(qname, qbuf,
++                                       dns_name_format(dqname, qbuf,
+                                                        sizeof(qbuf));
+                                        dns_name_format(name, obuf,
+                                                        sizeof(obuf));
+_at_@ -6747,7 +6765,7 @@ answer_response(fetchctx_t *fctx) {
+                                        want_chaining = ISC_TRUE;
+                                        POST(want_chaining);
+                                        aflag = DNS_RDATASETATTR_ANSWER;
+-                                       result = dname_target(rdataset, qname,
++                                       result = dname_target(rdataset, dqname,
+                                                              nlabels, &fdname);
+                                        if (result == ISC_R_NOSPACE) {
+                                                /*
+_at_@ -6764,10 +6782,13 @@ answer_response(fetchctx_t *fctx) {
+ 
+                                        dname = dns_fixedname_name(&fdname);
+                                        if (!is_answertarget_allowed(view,
+-                                                       qname, rdataset->type,
+-                                                       dname, &fctx->domain)) {
++                                                    dqname, rdataset->type,
++                                                    dname, &fctx->domain))
++                                       {
+                                                return (DNS_R_SERVFAIL);
+                                        }
++                                       dqname = dns_fixedname_name(&fqdname);
++                                       dns_name_copy(dname, dqname, NULL);
+                                } else {
+                                        /*
+                                         * We've found a signature that
+_at_@ -6792,6 +6813,10 @@ answer_response(fetchctx_t *fctx) {
+                                        INSIST(!external);
+                                        if (aflag == DNS_RDATASETATTR_ANSWER) {
+                                                have_answer = ISC_TRUE;
++                                               found_dname = ISC_TRUE;
++                                               if (cname != NULL)
++                                                       cname->attributes &=
++                                                          ~DNS_NAMEATTR_ANSWER;
+                                                name->attributes |=
+                                                        DNS_NAMEATTR_ANSWER;
+                                        }
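Review bot: The embedded CVE-2016-8864.patch looks like a copy of the gitweb HTML view of a 9.9-branch commit rather than a patch prepared for this package. Its `index` lines end in `(file)`, its CHANGES hunk uses `--- 9.9.9-P3 released ---` as context while `pkgver` is 9.10.4_p3, and the resolver.c lines are indented with spaces although the APKBUILD lines in this same mail keep their tabs. If lib/dns/resolver.c in the tarball is tab-indented, these hunks would either be rejected or go in only through whitespace-insensitive or fuzzy matching. A partially applied security fix is worse than a failed build, because the package would still advertise the fix. I would drop the CHANGES hunk, regenerate the resolver.c hunks as a raw diff against the unpacked bind-9.10.4-P3 tree, and check the build log to confirm that every hunk in `valcreate`, `cache_name`, `ncache_message` and `answer_response` applied without fuzz or offset warnings.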
-- 
2.4.11