Steve, this is Dunfell-worthy too, so please track it.
On Tue, May 26, 2020 at 1:51 PM Khem Raj <raj.k...@gmail.com> wrote: > > From: Rense Jacob <rense_jac...@comcast.com> > > backport for nvd.nist.gov/vuln/detail/CVE-2020-8616 > > Signed-off-by: Rense <rense_jac...@comcast.com> > Signed-off-by: Khem Raj <raj.k...@gmail.com> > --- > .../bind/bind/CVE-2020-8616.patch | 221 ++++++++++++++++++ > .../recipes-connectivity/bind/bind_9.11.13.bb | 1 + > 2 files changed, 222 insertions(+) > create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch > > diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch > b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch > new file mode 100644 > index 0000000000..16ff86016b > --- /dev/null > +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch 
> @@ -0,0 +1,221 @@ > +backport for nvd.nist.gov/vuln/detail/CVE-2020-8616 > + > +Upstream-Status: Backport > [downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch] > + > +Signed-off-by: Rense <rense_jac...@comcast.com> > +Signed-off-by: Khem Raj <raj.k...@gmail.com> > + > +Index: bind-9.11.13/lib/dns/adb.c > +=================================================================== > +--- bind-9.11.13.orig/lib/dns/adb.c > ++++ bind-9.11.13/lib/dns/adb.c > +@@ -404,16 +404,14 @@ static void log_quota(dns_adbentry_t *en > + */ > + #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != > 0) > + #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) > != 0) > +-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) > \ > +- != 0) > +-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \ > +- != 0) > +-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) > +-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) > +-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) > +-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) > != 0) > +- > +-/* > ++#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) > != 0) > ++#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != > 0) > ++#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) > != 0) > ++#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) > != 0) > ++#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) > ++#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != > 0) > ++#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0) > ++/* > + * These are currently used on simple unsigned ints, so they are > + * not really associated with any particular type. > + */ > +@@ -3155,21 +3153,25 @@ dns_adb_createfind2(dns_adb_t *adb, isc_ > + * Listen to negative cache hints, and don't start > + * another query. 
> + */ > +- if (NCACHE_RESULT(result) || AUTH_NX(result)) > ++ if (NCACHE_RESULT(result) || AUTH_NX(result)) { > + goto fetch; > +- > +- if (!NAME_FETCH_V6(adbname)) > ++ } > ++ if (!NAME_FETCH_V6(adbname)) { > + wanted_fetches |= DNS_ADBFIND_INET6; > ++ } > + } > + > + fetch: > + if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) || > + (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname))) > ++ { > + have_address = true; > +- else > +- have_address = false; > +- if (wanted_fetches != 0 && > +- ! (FIND_AVOIDFETCHES(find) && have_address)) { > ++ } else { > ++ have_address = false; > ++ } > ++ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) > && > ++ !FIND_NOFETCH(find)) > ++ { > + /* > + * We're missing at least one address family. Either the > + * caller hasn't instructed us to avoid fetches, or we don't > +@@ -3177,8 +3179,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_ > + * be acceptable so we have to launch fetches. > + */ > + > +- if (FIND_STARTATZONE(find)) > ++ if (FIND_STARTATZONE(find)) { > + start_at_zone = true; > ++ } > + > + /* > + * Start V4. > +Index: bind-9.11.13/lib/dns/include/dns/adb.h > +=================================================================== > +--- bind-9.11.13.orig/lib/dns/include/dns/adb.h > ++++ bind-9.11.13/lib/dns/include/dns/adb.h > +@@ -209,6 +209,12 @@ struct dns_adbfind { > + #define DNS_ADBFIND_OVERQUOTA 0x00000400 > + > + /*% > ++ * Don't perform a fetch even if there are no address records available. > ++ */ > ++#define DNS_ADBFIND_NOFETCH 0x00000800 > ++ > ++ > ++/*% > + * The answers to queries come back as a list of these. 
> + */ > + struct dns_adbaddrinfo { > +Index: bind-9.11.13/lib/dns/resolver.c > +=================================================================== > +--- bind-9.11.13.orig/lib/dns/resolver.c > ++++ bind-9.11.13/lib/dns/resolver.c > +@@ -172,6 +172,15 @@ > + #define DEFAULT_MAX_QUERIES 75 > + #endif > + > ++/* > ++ * After NS_FAIL_LIMIT attempts to fetch a name server address, > ++ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT, > ++ * stop trying to fetch, in order to avoid wasting resources. > ++ */ > ++#define NS_FAIL_LIMIT 4 > ++#define NS_RR_LIMIT 5 > ++ > ++ > + /* Number of hash buckets for zone counters */ > + #ifndef RES_DOMAIN_BUCKETS > + #define RES_DOMAIN_BUCKETS 523 > +@@ -3118,8 +3127,8 @@ sort_finds(dns_adbfindlist_t *findlist, > + static void > + findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, > + unsigned int options, unsigned int flags, isc_stdtime_t now, > +- bool *overquota, bool *need_alternate) > +-{ > ++ bool *overquota, bool *need_alternate, unsigned int *no_addresses) { > ++ > + dns_adbaddrinfo_t *ai; > + dns_adbfind_t *find; > + dns_resolver_t *res; > +@@ -3207,7 +3216,13 @@ findname(fetchctx_t *fctx, dns_name_t *n > + find->result_v6 != DNS_R_NXDOMAIN) || > + (res->dispatches6 == NULL && > + find->result_v4 != DNS_R_NXDOMAIN))) > ++ { > + *need_alternate = true; > ++ } > ++ if (no_addresses != NULL) { > ++ (*no_addresses)++; > ++ } > ++ > + } else { > + if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) { > + if (overquota != NULL) > +@@ -3258,6 +3273,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool > + dns_rdata_ns_t ns; > + bool need_alternate = false; > + bool all_spilled = true; > ++ unsigned int no_addresses = 0; > + > + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); > + > +@@ -3425,21 +3441,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool > + * Extract the name from the NS record. 
> + */ > + result = dns_rdata_tostruct(&rdata, &ns, NULL); > +- if (result != ISC_R_SUCCESS) > ++ if (result != ISC_R_SUCCESS) { > + continue; > ++ } > ++ > ++ if (no_addresses > NS_FAIL_LIMIT && > ++ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT) > ++ { > ++ stdoptions |= DNS_ADBFIND_NOFETCH; > ++ } > ++ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota, > ++ &need_alternate, &no_addresses); > + > +- findname(fctx, &ns.name, 0, stdoptions, 0, now, > +- &overquota, &need_alternate); > + > +- if (!overquota) > ++ if (!overquota) { > + all_spilled = false; > +- > ++ } > + dns_rdata_reset(&rdata); > + dns_rdata_freestruct(&ns); > + } > +- if (result != ISC_R_NOMORE) > ++ if (result != ISC_R_NOMORE) { > + return (result); > +- > ++ } > + /* > + * Do we need to use 6 to 4? > + */ > +@@ -3453,7 +3476,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool > + if (!a->isaddress) { > + findname(fctx, &a->_u._n.name, a->_u._n.port, > + stdoptions, FCTX_ADDRINFO_FORWARDER, > +- now, NULL, NULL); > ++ now, NULL, NULL, NULL); > + continue; > + } > + if (isc_sockaddr_pf(&a->_u.addr) != family) > +@@ -3815,16 +3838,15 @@ fctx_try(fetchctx_t *fctx, bool retrying > + } > + } > + > +- if (dns_name_countlabels(&fctx->domain) > 2) { > +- result = isc_counter_increment(fctx->qc); > +- if (result != ISC_R_SUCCESS) { > +- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, > +- DNS_LOGMODULE_RESOLVER, > ISC_LOG_DEBUG(3), > +- "exceeded max queries resolving '%s'", > +- fctx->info); > +- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); > +- return; > +- } > ++ > ++ result = isc_counter_increment(fctx->qc); > ++ if (result != ISC_R_SUCCESS) { > ++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, > ++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), > ++ "exceeded max queries resolving '%s'", > ++ fctx->info); > ++ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); > ++ return; > + } > + > + bucketnum = fctx->bucketnum; 
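Review bot: The fctx_try hunk removes the `if (dns_name_countlabels(&fctx->domain) > 2)` exemption, so root and TLD lookups now count against the per-fetch query budget, yet the resolver.c hunk shows `#define DEFAULT_MAX_QUERIES 75` as an untouched context line. As I recall, the upstream 9.11.19 fix raised that default (together with the `max-recursion-queries` default in bin/named/config.c and the ARM text) to 100 to compensate for the removed exemption; this should be confirmed against the cited ISC patch, because keeping 75 after dropping the exemption tightens the limit beyond upstream and can turn long but legitimate delegation chains into SERVFAIL. The patch header also carries `Upstream-Status: Backport` but no `CVE: CVE-2020-8616` trailer; cve-check may still match on the file name, but the tag is the OE-Core convention and should be added. Finally, the new comment says "After NS_FAIL_LIMIT attempts" while the test is `no_addresses > NS_FAIL_LIMIT`, so fetching is only suppressed from the fifth address-less NS onward; since this mirrors upstream, I would keep the code and reword the comment to `/* Once more than NS_FAIL_LIMIT NS names have yielded no address ... */`.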
> diff --git a/meta/recipes-connectivity/bind/bind_9.11.13.bb > b/meta/recipes-connectivity/bind/bind_9.11.13.bb > index 4e64171cc1..e81678583d 100644 > --- a/meta/recipes-connectivity/bind/bind_9.11.13.bb > +++ b/meta/recipes-connectivity/bind/bind_9.11.13.bb > @@ -18,6 +18,7 @@ SRC_URI = > "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ > file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ > file://0001-named-lwresd-V-and-start-log-hide-build-options.patch > \ > file://0001-avoid-start-failure-with-bind-user.patch \ > + file://CVE-2020-8616.patch \ > " > > SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057" > -- > 2.26.2 >