From: Sergey Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergey Lukin Subject: [alpine-aports] [PATCH v3.2] main/bind: security upgrade - fixes #6423 Date: Fri, 9 Dec 2016 09:04:09 +0000 Message-Id: <1481274249-11715-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.4.11 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2016-8864 --- main/bind/APKBUILD | 23 +++-- main/bind/CVE-2016-8864.patch | 201 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 215 insertions(+), 9 deletions(-) create mode 100644 main/bind/CVE-2016-8864.patch diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD index 6eeb9dd..2e7e1c7 100644 --- a/main/bind/APKBUILD +++ b/main/bind/APKBUILD @@ -1,11 +1,12 @@ -# Contributor: Carlo Landmeter # Maintainer: Natanael Copa +# Contributor: Carlo Landmeter +# Contributor: Sergey Lukin pkgname=bind pkgver=9.10.4_p3 _ver=${pkgver%_p*} _p=${pkgver#*_p} [ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p" -pkgrel=0 +pkgrel=1 pkgdesc="The Berkeley Internet Name Domain Name Server and tools" url="http://www.isc.org" arch="all" @@ -25,15 +26,16 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz 127.zone localhost.zone named.ca + CVE-2016-8864.patch " # secfixes: # 9.10.4_p3: # - CVE-2016-2776 -_builddir="$srcdir/bind-${_ver}" +builddir="$srcdir/bind-${_ver}" prepare() { - cd "$_builddir" + cd "$builddir" ### http://bugs.gentoo.org/show_bug.cgi?id=227333 export CFLAGS="$CFLAGS -D_GNU_SOURCE" @@ -51,7 +53,7 @@ prepare() { } build() { - cd "$_builddir" + cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -76,7 +78,7 @@ build() { } package() { - cd "$_builddir" + cd "$builddir" install -d -m0770 -g named -o root "$pkgdir"/var/bind \ "$pkgdir"/var/bind/sec \ "$pkgdir"/var/bind/dyn \ 
@@ -125,7 +127,8 @@ a9de5fb1c027a7eedf440bf187594f07 named.conf.authoritative 886fe73bf37335df1ef15ff842b568b3 named.conf.recursive a7455b009b7fccd74ac6f6eaa6902a00 127.zone c3220168fabfb31a25e8c3a545545e34 localhost.zone -a94e29ac677846f3d4d618c50b7d34f1 named.ca" +a94e29ac677846f3d4d618c50b7d34f1 named.ca +9ae2ffa09c9ae920f68969c55081a3c7 CVE-2016-8864.patch" sha256sums="a075e5ce89fddccb0e64d1777d59161387dd5151cf4e7d1a93875a487812baef bind-9.10.4-P3.tar.gz 4c5dc352da0a12bdda2644e835f7eabde4f5687f1a98acd65b22be4ee587c086 bind.so_bsdcompat.patch 74e7a9ab5836d5182a55a9fc4ba24ea2665e4ef9307c4071ba6e2eab792d73ce named.initd @@ -134,7 +137,8 @@ c0e7b365dca072dc96a97c8f81dff012aff7fe57337c10b63cd9f292d03c207d named.confd 633f1b97fbf509880c278e92adedc85fd72d519f7a5b1ecd6b3fb727722f5098 named.conf.recursive 65b909fc1398dfa5b532ab395d6920758937093cf7e5b5bec8242dff4fe15e89 127.zone b6dff70386920adb21883566610b0a45b9de5a3847a870e4ad1902c5c7900399 localhost.zone -0bd88f7f5cab2f872d3619700e382c1df6837a8aacf28cf6a0bf336742a0ee56 named.ca" +0bd88f7f5cab2f872d3619700e382c1df6837a8aacf28cf6a0bf336742a0ee56 named.ca +e01cad1baedd07d6fb5391d3d53037c857785861d221bd7ca7c5d4d0f8cf0eda CVE-2016-8864.patch" sha512sums="6ffe0b488a5e5c4547723b1570b5b71287fbcb93b54a89d79c43ddd661bbf5c575edc8b4dae275a34916d3951907c2c6a4e58aee1ee9c87a4c3075de4671c124 bind-9.10.4-P3.tar.gz f3e3d1b680617485b9db20a59a10fec3b3b539d423984493228a7d5aaa29d699b9012ad60e863e56bdaf15b73952c22710d0ded1c86cd24417ac775ee062cfa3 bind.so_bsdcompat.patch 196c0a3b43cf89e8e3547d7fb63a93ff9a3306505658dfd9aa78e6861be6b226580b424dd3dd44b955b2d9f682b1dc62c457f3ac29ce86200ef070140608c015 named.initd 
@@ -143,4 +147,5 @@ d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793 3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone 340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone -badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192 named.ca" +badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192 named.ca +3d4a9d455d95a2a79fc3924c3ad2f5177289ddd94aa159c51be1a6ae05357f6c8dcf4895c51752fe69c37f2dfae8d90adc469c338e83dbd76d95419c3a3637db CVE-2016-8864.patch" diff --git a/main/bind/CVE-2016-8864.patch b/main/bind/CVE-2016-8864.patch new file mode 100644 index 0000000..67e58b8 --- /dev/null +++ b/main/bind/CVE-2016-8864.patch 
@@ -0,0 +1,201 @@ +Fix for CVE-2016-8864 +https://bugs.alpinelinux.org/issues/6423 +https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=8bd0c12d53bea6f299e92d20ee0a23b16a7f65bc + +diff --git a/CHANGES b/CHANGES +index 5b9e552..c709f58 100644 (file) +--- a/CHANGES ++++ b/CHANGES +@@ -1,3 +1,6 @@ ++4489. [security] It was possible to trigger assertions when processing ++ a response. (CVE-2016-8864) [RT #43465] ++ + --- 9.9.9-P3 released --- + + 4467. [security] It was possible to trigger a assertion when rendering +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 5f75bc0..2bc4461 100644 (file) +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -593,7 +593,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, + valarg->addrinfo = addrinfo; + + if (!ISC_LIST_EMPTY(fctx->validators)) +- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0); ++ valoptions |= DNS_VALIDATOR_DEFER; ++ else ++ valoptions &= ~DNS_VALIDATOR_DEFER; + + result = dns_validator_create(fctx->res->view, name, type, rdataset, + sigrdataset, fctx->rmessage, +@@ -5277,13 +5279,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, + rdataset, + sigrdataset, + valoptions, task); +- /* +- * Defer any further validations. +- * This prevents multiple validators +- * from manipulating fctx->rmessage +- * simultaneously. 
+- */ +- valoptions |= DNS_VALIDATOR_DEFER; + } + } else if (CHAINING(rdataset)) { + if (rdataset->type == dns_rdatatype_cname) +@@ -5396,6 +5391,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, + eresult == DNS_R_NCACHENXRRSET); + } + event->result = eresult; ++ if (adbp != NULL && *adbp != NULL) { ++ if (anodep != NULL && *anodep != NULL) ++ dns_db_detachnode(*adbp, anodep); ++ dns_db_detach(adbp); ++ } + dns_db_attach(fctx->cache, adbp); + dns_db_transfernode(fctx->cache, &node, anodep); + clone_results(fctx); +@@ -5643,6 +5643,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, + fctx->attributes |= FCTX_ATTR_HAVEANSWER; + if (event != NULL) { + event->result = eresult; ++ if (adbp != NULL && *adbp != NULL) { ++ if (anodep != NULL && *anodep != NULL) ++ dns_db_detachnode(*adbp, anodep); ++ dns_db_detach(adbp); ++ } + dns_db_attach(fctx->cache, adbp); + dns_db_transfernode(fctx->cache, &node, anodep); + clone_results(fctx); +@@ -6464,13 +6469,15 @@ static isc_result_t + answer_response(fetchctx_t *fctx) { + isc_result_t result; + dns_message_t *message; +- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; ++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name; ++ dns_name_t *cname = NULL; + dns_rdataset_t *rdataset, *ns_rdataset; + isc_boolean_t done, external, chaining, aa, found, want_chaining; +- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; ++ isc_boolean_t have_answer, found_cname, found_dname, found_type; ++ isc_boolean_t wanted_chaining; + unsigned int aflag; + dns_rdatatype_t type; +- dns_fixedname_t fdname, fqname; ++ dns_fixedname_t fdname, fqname, fqdname; + dns_view_t *view; + + FCTXTRACE("answer_response"); +@@ -6484,6 +6491,7 @@ answer_response(fetchctx_t *fctx) { + + done = ISC_FALSE; + found_cname = ISC_FALSE; ++ found_dname = ISC_FALSE; + found_type = ISC_FALSE; + chaining = ISC_FALSE; + have_answer = ISC_FALSE; +@@ -6493,12 +6501,13 @@ 
answer_response(fetchctx_t *fctx) { + aa = ISC_TRUE; + else + aa = ISC_FALSE; +- qname = &fctx->name; ++ dqname = qname = &fctx->name; + type = fctx->type; + view = fctx->res->view; ++ dns_fixedname_init(&fqdname); + result = dns_message_firstname(message, DNS_SECTION_ANSWER); + while (!done && result == ISC_R_SUCCESS) { +- dns_namereln_t namereln; ++ dns_namereln_t namereln, dnamereln; + int order; + unsigned int nlabels; + +@@ -6506,6 +6515,8 @@ answer_response(fetchctx_t *fctx) { + dns_message_currentname(message, DNS_SECTION_ANSWER, &name); + external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); + namereln = dns_name_fullcompare(qname, name, &order, &nlabels); ++ dnamereln = dns_name_fullcompare(dqname, name, &order, ++ &nlabels); + if (namereln == dns_namereln_equal) { + wanted_chaining = ISC_FALSE; + for (rdataset = ISC_LIST_HEAD(name->list); +@@ -6600,7 +6611,7 @@ answer_response(fetchctx_t *fctx) { + } + } else if (rdataset->type == dns_rdatatype_rrsig + && rdataset->covers == +- dns_rdatatype_cname ++ dns_rdatatype_cname + && !found_type) { + /* + * We're looking for something else, +@@ -6630,11 +6641,18 @@ answer_response(fetchctx_t *fctx) { + * a CNAME or DNAME). 
+ */ + INSIST(!external); +- if (aflag == +- DNS_RDATASETATTR_ANSWER) { ++ if ((rdataset->type != ++ dns_rdatatype_cname) || ++ !found_dname || ++ (aflag == ++ DNS_RDATASETATTR_ANSWER)) ++ { + have_answer = ISC_TRUE; ++ if (rdataset->type == ++ dns_rdatatype_cname) ++ cname = name; + name->attributes |= +- DNS_NAMEATTR_ANSWER; ++ DNS_NAMEATTR_ANSWER; + } + rdataset->attributes |= aflag; + if (aa) +@@ -6728,11 +6746,11 @@ answer_response(fetchctx_t *fctx) { + return (DNS_R_FORMERR); + } + +- if (namereln != dns_namereln_subdomain) { ++ if (dnamereln != dns_namereln_subdomain) { + char qbuf[DNS_NAME_FORMATSIZE]; + char obuf[DNS_NAME_FORMATSIZE]; + +- dns_name_format(qname, qbuf, ++ dns_name_format(dqname, qbuf, + sizeof(qbuf)); + dns_name_format(name, obuf, + sizeof(obuf)); +@@ -6747,7 +6765,7 @@ answer_response(fetchctx_t *fctx) { + want_chaining = ISC_TRUE; + POST(want_chaining); + aflag = DNS_RDATASETATTR_ANSWER; +- result = dname_target(rdataset, qname, ++ result = dname_target(rdataset, dqname, + nlabels, &fdname); + if (result == ISC_R_NOSPACE) { + /* +@@ -6764,10 +6782,13 @@ answer_response(fetchctx_t *fctx) { + + dname = dns_fixedname_name(&fdname); + if (!is_answertarget_allowed(view, +- qname, rdataset->type, +- dname, &fctx->domain)) { ++ dqname, rdataset->type, ++ dname, &fctx->domain)) ++ { + return (DNS_R_SERVFAIL); + } ++ dqname = dns_fixedname_name(&fqdname); ++ dns_name_copy(dname, dqname, NULL); + } else { + /* + * We've found a signature that +@@ -6792,6 +6813,10 @@ answer_response(fetchctx_t *fctx) { + INSIST(!external); + if (aflag == DNS_RDATASETATTR_ANSWER) { + have_answer = ISC_TRUE; ++ found_dname = ISC_TRUE; ++ if (cname != NULL) ++ cname->attributes &= ++ ~DNS_NAMEATTR_ANSWER; + name->attributes |= + DNS_NAMEATTR_ANSWER; + } -- 2.4.11 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
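Review bot: the `# secfixes:` block in main/bind/APKBUILD is left untouched: it still lists only `9.10.4_p3:` with `CVE-2016-2776`, although the same diff adds CVE-2016-8864.patch to `source=` and bumps `pkgrel` to 1. Add an entry for this release naming CVE-2016-8864 so the fix is recorded with the package. The `_builddir` to `builddir` rename in prepare(), build() and package() and the reordered Maintainer/Contributor header are unrelated to the security fix and would be easier to review and backport as a separate commit.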
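Review bot: the CHANGES hunk inside CVE-2016-8864.patch carries the context line `--- 9.9.9-P3 released ---`, while `pkgver` here is 9.10.4_p3, so this diff appears to have been taken from a different branch than the one being built. The `(file)` suffix on the `index ... 100644 (file)` lines also suggests it was copied from the gitweb page rather than fetched as a raw patch, which puts the whitespace-only changes in answer_response (the re-indented `dns_rdatatype_cname` and `DNS_NAMEATTR_ANSWER` lines) at risk of not applying cleanly. Consider dropping the CHANGES hunk, which the build does not need, and regenerating the remaining hunks against the 9.10.4-P3 tree.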
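Review bot: the rationale for deferral is lost between the valcreate and cache_name hunks in lib/dns/resolver.c. The cache_name hunk deletes the comment explaining that deferring prevents multiple validators from manipulating `fctx->rmessage` simultaneously, and the new `valoptions |= DNS_VALIDATOR_DEFER;` / `valoptions &= ~DNS_VALIDATOR_DEFER;` branch in valcreate, which replaces the `INSIST`, has no comment at all. Since valcreate now silently overrides whatever DEFER bit the caller passed, a short comment there stating that invariant would help anyone rebasing this patch onto a later release.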
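Review bot: in the answer_response hunk that adds `dqname = dns_fixedname_name(&fqdname);`, the next line `dns_name_copy(dname, dqname, NULL);` discards its result, whereas the `dname_target(...)` call a few lines earlier assigns to `result` and handles `ISC_R_NOSPACE`. In the cache_name and ncache_message hunks, the added guard tests `adbp != NULL` before detaching, but the following `dns_db_attach(fctx->cache, adbp);` uses `adbp` unconditionally, so the NULL test is either unnecessary or incomplete. If both match the upstream commit referenced in the patch header, keep them as they are and note that in the patch description rather than diverging in the package.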