Fixes following vulnerabilities: CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure CVE-2016-1286 bind: malformed signature records for DNAME records can trigger assertion failure [YOCTO #9400] External References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286 References to the Upstream commits and Security Advisories: =========================================================== CVE-2016-1285: https://kb.isc.org/article/AA-01352 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=70037e040e587329cec82123e12b9f4f7c945f67 CVE-2016-1286_1: https://kb.isc.org/article/AA-01353 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=a3d327bf1ceaaeabb20223d8de85166e940b9f12 CVE-2016-1286_2: https://kb.isc.org/article/AA-01353 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=7602be276a73a6eb5431c5acd9718e68a55e8b61 (From OE-Core rev: 080d1a313e4982dd05846b375ebf936c46934d80) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman <muks@isc.org>
Date: Mon, 22 Feb 2016 12:22:43 +0530
Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
(CVE-2016-1286) (#41753)
(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
CVE: CVE-2016-1286
Upstream-Status: Backport
[Removed doc/arm/notes.xml changes from upstream patch.]
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
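--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4319. [security] Fix resolver assertion failure due to improper
+ DNAME handling when parsing fetch reply messages.
+ (CVE-2016-1286) [RT #41753]
+
 4318. [security] Malformed control messages can trigger assertions
 in named and rndc. (CVE-2016-1285) [RT #41666]
 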
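--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6967,21 +6967,26 @@
 isc_boolean_t found_dname = ISC_FALSE;
 dns_name_t *dname_name;
 
+ /*
+ * Only pass DNAME or RRSIG(DNAME).
+ */
+ if (rdataset->type != dns_rdatatype_dname &&
+ (rdataset->type != dns_rdatatype_rrsig ||
+ rdataset->covers != dns_rdatatype_dname))
+ continue;
+
+ /*
+ * If we're not chaining, then the DNAME and
+ * its signature should not be external.
+ */
+ if (!chaining && external) {
+ log_formerr(fctx, "external DNAME");
+ return (DNS_R_FORMERR);
+ }
+
 found = ISC_FALSE;
 aflag = 0;
 if (rdataset->type == dns_rdatatype_dname) {
- /*
- * We're looking for something else,
- * but we found a DNAME.
- *
- * If we're not chaining, then the
- * DNAME should not be external.
- */
- if (!chaining && external) {
- log_formerr(fctx,
- "external DNAME");
- return (DNS_R_FORMERR);
- }
 found = ISC_TRUE;
 want_chaining = ISC_TRUE;
 POST(want_chaining);
@@ -7010,9 +7015,7 @@
 &fctx->domain)) {
 return (DNS_R_SERVFAIL);
 }
- } else if (rdataset->type == dns_rdatatype_rrsig
- && rdataset->covers ==
- dns_rdatatype_dname) {
+ } else {
 /*
 * We've found a signature that
 * covers the DNAME.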
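Review bot: The bare `} else {` in the second hunk (`@@ -7010,9 +7015,7 @@`) is only correct because the type filter added in the first hunk has already skipped every rdataset that is not DNAME or RRSIG(DNAME), and nothing at the branch records that dependency. Because this path handles fetch replies from remote servers and the commit fixes an assertion failure, I would state the invariant as a comment rather than an assertion, e.g. `/* Only RRSIG(DNAME) reaches here; all other types were skipped by the filter above. */`. The relocated `!chaining && external` check now also rejects an external RRSIG(DNAME) while still logging `"external DNAME"`, so the log line no longer tells an operator which record type caused the FORMERR; a word in the comment or the message would help triage. The enclosing function and its loop begin and end outside both hunks, so the target of the new `continue` is inferred rather than visible.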