On Mon, 2015-09-07 at 16:21 -0700, Armin Kuster wrote:
> From: Armin Kuster <[email protected]>
> 
> three security fixes.
> 
> Signed-off-by: Armin Kuster <[email protected]>

Patch queued in my joshuagl/fido-next tree - thanks!

Joshua

http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/
fido-next

> ---
>  .../bind/bind/CVE-2015-1349.patch                  |  60 +++
>  .../bind/bind/CVE-2015-4620.patch                  |  36 ++
>  .../bind/bind/CVE-2015-5722.patch                  | 490
> +++++++++++++++++++++
>  meta/recipes-connectivity/bind/bind_9.9.5.bb       |   3 +
>  4 files changed, 589 insertions(+)
>  create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015
> -1349.patch
>  create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015
> -4620.patch
>  create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015
> -5722.patch
> 
> diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
> b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
> new file mode 100644
> index 0000000..dea7aae
> --- /dev/null
> +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
> @@ -0,0 +1,60 @@
> +CVE-2015-1349 bind: issue in trust anchor management can cause named
> to crash
> +
> +commit 2e9d79f169663c9aff5f0dcdc626a2cd2dbb5892
> +Author: Evan Hunt <[email protected]>
> +Date:   Tue Feb 3 18:30:38 2015 -0800
> +
> +    [v9_9_6_patch] avoid crash due to managed-key rollover
> +    
> +    4053.    [security]      Revoking a managed trust anchor
> and supplying
> +                     an untrusted replacement could cause
> named
> +                     to crash with an assertion failure.
> +                     (CVE-2015-1349) [RT #38344]
> +
> +Upstream Status: Backport from Redhat
> +
> +https://bugzilla.redhat.com/attachment.cgi?id=993045
> +
> +Signed-off-by: Armin Kuster <[email protected]>
> +
> +Index: bind-9.9.5/CHANGES
> +===================================================================
> +--- bind-9.9.5.orig/CHANGES
> ++++ bind-9.9.5/CHANGES
> +@@ -1,3 +1,10 @@
> ++    --- 9.9.6-P2 released ---
> ++
> ++4053.       [security]      Revoking a managed trust anchor and
> supplying
> ++                    an untrusted replacement could cause named
> ++                    to crash with an assertion failure.
> ++                    (CVE-2015-1349) [RT #38344]
> ++
> +     --- 9.9.5 released ---
> + 
> +     --- 9.9.5rc2 released ---
> +Index: bind-9.9.5/lib/dns/zone.c
> +===================================================================
> +--- bind-9.9.5.orig/lib/dns/zone.c
> ++++ bind-9.9.5/lib/dns/zone.c
> +@@ -8496,6 +8496,12 @@ keyfetch_done(isc_task_t *task, isc_even
> +                                          namebuf, tag);
> +                             trustkey = ISC_TRUE;
> +                     }
> ++            } else {
> ++                    /*
> ++                     * No previously known key, and the key is
> not
> ++                     * secure, so skip it.
> ++                     */
> ++                    continue;
> +             }
> + 
> +             /* Delete old version */
> +@@ -8544,7 +8550,7 @@ keyfetch_done(isc_task_t *task, isc_even
> +                     trust_key(zone, keyname, &dnskey, mctx);
> +             }
> + 
> +-            if (!deletekey)
> ++            if (secure && !deletekey) 
> +                     set_refreshkeytimer(zone, &keydata, now);
> +     }
> + 
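Review bot: The new `if (secure && !deletekey) ` line carries trailing whitespace that this backport introduces into zone.c; drop the space so the patch does not add a whitespace-only change on top of the fix. The header line `Upstream Status: Backport from Redhat` does not follow the `Upstream-Status: Backport` tag form the OE patch convention expects, and the same wording appears in the CVE-2015-4620 and CVE-2015-5722 patch headers below. The added `else { continue; }` skips keys that are neither previously known nor secure, and the `secure &&` guard keeps set_refreshkeytimer off the untrusted path, which appears to match the described assertion failure; keyfetch_done starts and ends outside the hunk, so where `secure` is set is not visible here. Carrying the 9.9.6-P2 CHANGES entry in a 9.9.5 tree is harmless but adds a context-sensitive hunk that will fuzz on any later CHANGES update.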
> diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
> b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
> new file mode 100644
> index 0000000..1a5051e
> --- /dev/null
> +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
> @@ -0,0 +1,36 @@
> +CVE-2015-4620 bind: abort DoS caused by uninitialized value use in
> isselfsigned()
> +
> +issue introduced by git commit
> +
> +https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h
> =44f175a90a855326725439b2f1178f0dcca8f67d
> +
> +which is in this version of bind.
> +
> +Upstream Status: Backport from Redhat
> +
> +https://bugzilla.redhat.com/attachment.cgi?id=1044719
> +
> +Signed-off-by: Armin Kuster <[email protected]>
> +
> +Index: bind-9.9.5/lib/dns/validator.c
> +===================================================================
> +--- bind-9.9.5.orig/lib/dns/validator.c
> ++++ bind-9.9.5/lib/dns/validator.c
> +@@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r
> +  */
> + static isc_boolean_t
> + isselfsigned(dns_validator_t *val) {
> +-    dns_fixedname_t fixed;
> +     dns_rdataset_t *rdataset, *sigrdataset;
> +     dns_rdata_t rdata = DNS_RDATA_INIT;
> +     dns_rdata_t sigrdata = DNS_RDATA_INIT;
> +@@ -1462,8 +1461,7 @@ isselfsigned(dns_validator_t *val) {
> +                     result = dns_dnssec_verify3(name, rdataset,
> dstkey,
> +                                                 ISC_TRUE,
> +                                                 val->view
> ->maxbits,
> +-                                                mctx,
> &sigrdata,
> +-                                               
>  dns_fixedname_name(&fixed));
> ++                                                mctx,
> &sigrdata, NULL);
> +                     dst_key_free(&dstkey);
> +                     if (result != ISC_R_SUCCESS)
> +                             continue;
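Review bot: The patch header cites only the Red Hat bugzilla attachment and the commit that introduced the bug; unlike the CVE-2015-1349 patch it names no upstream commit for the fix itself, which makes later rebasing and verification harder. The header sentence split over `issue introduced by git commit ... which is in this version of bind.` would read better as one line, e.g. `The issue was introduced by upstream commit 44f175a90a855326725439b2f1178f0dcca8f67d, which is present in this version of bind.` Dropping `fixed` and passing `NULL` as the last argument of dns_dnssec_verify3 relies on that function treating a NULL wildcard-name output as optional; its declaration is not in the hunk, so confirm against the dnssec header. isselfsigned's body continues beyond the hunk.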
> diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch
> b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch
> new file mode 100644
> index 0000000..af20d5c
> --- /dev/null
> +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch
> @@ -0,0 +1,490 @@
> +CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of
> service
> +
> +Upstream Status: Backport from Redhat
> +
> +https://bugzilla.redhat.com/attachment.cgi?id=1069245
> +
> +Signed-off-by: Armin Kuster <[email protected]>
> +
> +Index: bind-9.9.5/lib/dns/hmac_link.c
> +===================================================================
> +--- bind-9.9.5.orig/lib/dns/hmac_link.c
> ++++ bind-9.9.5/lib/dns/hmac_link.c
> +@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_co
> +     hmacmd5ctx = isc_mem_get(dctx->mctx,
> sizeof(isc_hmacmd5_t));
> +     if (hmacmd5ctx == NULL)
> +             return (ISC_R_NOMEMORY);
> +-    isc_hmacmd5_init(hmacmd5ctx, hkey->key,
> ISC_SHA1_BLOCK_LENGTH);
> ++    isc_hmacmd5_init(hmacmd5ctx, hkey->key,
> ISC_MD5_BLOCK_LENGTH);
> +     dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
> +     return (ISC_R_SUCCESS);
> + }
> +@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, c
> +     else if (hkey1 == NULL || hkey2 == NULL)
> +             return (ISC_FALSE);
> + 
> +-    if (isc_safe_memcmp(hkey1->key, hkey2->key,
> ISC_SHA1_BLOCK_LENGTH))
> ++    if (isc_safe_memcmp(hkey1->key, hkey2->key,
> ISC_MD5_BLOCK_LENGTH))
> +             return (ISC_TRUE);
> +     else
> +             return (ISC_FALSE);
> +@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pse
> +     isc_buffer_t b;
> +     isc_result_t ret;
> +     unsigned int bytes;
> +-    unsigned char data[ISC_SHA1_BLOCK_LENGTH];
> ++    unsigned char data[ISC_MD5_BLOCK_LENGTH];
> + 
> +     UNUSED(callback);
> + 
> +     bytes = (key->key_size + 7) / 8;
> +-    if (bytes > ISC_SHA1_BLOCK_LENGTH) {
> +-            bytes = ISC_SHA1_BLOCK_LENGTH;
> +-            key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
> ++    if (bytes > ISC_MD5_BLOCK_LENGTH) {
> ++            bytes = ISC_MD5_BLOCK_LENGTH;
> ++            key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
> +     }
> + 
> +-    memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
> ++    memset(data, 0, ISC_MD5_BLOCK_LENGTH);
> +     ret = dst__entropy_getdata(data, bytes,
> ISC_TF(pseudorandom_ok != 0));
> + 
> +     if (ret != ISC_R_SUCCESS)
> +@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pse
> +     isc_buffer_init(&b, data, bytes);
> +     isc_buffer_add(&b, bytes);
> +     ret = hmacmd5_fromdns(key, &b);
> +-    memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
> ++    memset(data, 0, ISC_MD5_BLOCK_LENGTH);
> + 
> +     return (ret);
> + }
> +@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
> + 
> +     memset(hkey->key, 0, sizeof(hkey->key));
> + 
> +-    if (r.length > ISC_SHA1_BLOCK_LENGTH) {
> ++    if (r.length > ISC_MD5_BLOCK_LENGTH) {
> +             isc_md5_init(&md5ctx);
> +             isc_md5_update(&md5ctx, r.base, r.length);
> +             isc_md5_final(&md5ctx, hkey->key);
> +@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
> +     key->key_size = keylen * 8;
> +     key->keydata.hmacmd5 = hkey;
> + 
> ++    isc_buffer_forward(data, r.length);
> ++
> +     return (ISC_R_SUCCESS);
> + }
> + 
> +@@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buf
> +     key->key_size = keylen * 8;
> +     key->keydata.hmacsha1 = hkey;
> + 
> ++    isc_buffer_forward(data, r.length);
> ++
> +     return (ISC_R_SUCCESS);
> + }
> + 
> +@@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_b
> +     key->key_size = keylen * 8;
> +     key->keydata.hmacsha224 = hkey;
> + 
> ++    isc_buffer_forward(data, r.length);
> ++
> +     return (ISC_R_SUCCESS);
> + }
> + 
> +@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_b
> +     key->key_size = keylen * 8;
> +     key->keydata.hmacsha256 = hkey;
> + 
> ++    isc_buffer_forward(data, r.length);
> ++
> +     return (ISC_R_SUCCESS);
> + }
> + 
> +@@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_b
> +     key->key_size = keylen * 8;
> +     key->keydata.hmacsha384 = hkey;
> + 
> ++    isc_buffer_forward(data, r.length);
> ++
> +     return (ISC_R_SUCCESS);
> + }
> + 
> +@@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_b
> +     key->key_size = keylen * 8;
> +     key->keydata.hmacsha512 = hkey;
> + 
> ++    isc_buffer_forward(data, r.length);
> ++
> +     return (ISC_R_SUCCESS);
> + }
> + 
> +Index: bind-9.9.5/lib/dns/include/dst/dst.h
> +===================================================================
> +--- bind-9.9.5.orig/lib/dns/include/dst/dst.h
> ++++ bind-9.9.5/lib/dns/include/dst/dst.h
> +@@ -69,6 +69,7 @@ typedef struct dst_context         dst_context_
> + #define DST_ALG_HMACSHA256  163     /* XXXMPA */
> + #define DST_ALG_HMACSHA384  164     /* XXXMPA */
> + #define DST_ALG_HMACSHA512  165     /* XXXMPA */
> ++#define DST_ALG_INDIRECT    252
> + #define DST_ALG_PRIVATE             254
> + #define DST_ALG_EXPAND              255
> + #define DST_MAX_ALGS                255
> +Index: bind-9.9.5/lib/dns/ncache.c
> +===================================================================
> +--- bind-9.9.5.orig/lib/dns/ncache.c
> ++++ bind-9.9.5/lib/dns/ncache.c
> +@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t
> +             dns_name_fromregion(&tname, &remaining);
> +             INSIST(remaining.length >= tname.length);
> +             isc_buffer_forward(&source, tname.length);
> +-            remaining.length -= tname.length;
> +-            remaining.base += tname.length;
> ++            isc_region_consume(&remaining, tname.length);
> + 
> +             INSIST(remaining.length >= 2);
> +             type = isc_buffer_getuint16(&source);
> +-            remaining.length -= 2;
> +-            remaining.base += 2;
> ++            isc_region_consume(&remaining, 2);
> + 
> +             if (type != dns_rdatatype_rrsig ||
> +                 !dns_name_equal(&tname, name)) {
> +@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t
> +             INSIST(remaining.length >= 1);
> +             trust = isc_buffer_getuint8(&source);
> +             INSIST(trust <= dns_trust_ultimate);
> +-            remaining.length -= 1;
> +-            remaining.base += 1;
> ++            isc_region_consume(&remaining, 1);
> + 
> +             raw = remaining.base;
> +             count = raw[0] * 256 + raw[1];
> +Index: bind-9.9.5/lib/dns/openssldh_link.c
> +===================================================================
> +--- bind-9.9.5.orig/lib/dns/openssldh_link.c
> ++++ bind-9.9.5/lib/dns/openssldh_link.c
> +@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
> + 
> + static void
> + uint16_toregion(isc_uint16_t val, isc_region_t *region) {
> +-    *region->base++ = (val & 0xff00) >> 8;
> +-    *region->base++ = (val & 0x00ff);
> ++    *region->base = (val & 0xff00) >> 8;
> ++    isc_region_consume(region, 1);
> ++    *region->base = (val & 0x00ff);
> ++    isc_region_consume(region, 1);
> + }
> + 
> + static isc_uint16_t
> +@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region)
> +     val = ((unsigned int)(cp[0])) << 8;
> +     val |= ((unsigned int)(cp[1]));
> + 
> +-    region->base += 2;
> ++    isc_region_consume(region, 2);
> ++
> +     return (val);
> + }
> + 
> +@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, is
> +     }
> +     else
> +             BN_bn2bin(dh->p, r.base);
> +-    r.base += plen;
> ++    isc_region_consume(&r, plen);
> + 
> +     uint16_toregion(glen, &r);
> +     if (glen > 0)
> +             BN_bn2bin(dh->g, r.base);
> +-    r.base += glen;
> ++    isc_region_consume(&r, glen);
> + 
> +     uint16_toregion(publen, &r);
> +     BN_bn2bin(dh->pub_key, r.base);
> +-    r.base += publen;
> ++    isc_region_consume(&r, publen);
> + 
> +     isc_buffer_add(data, dnslen);
> + 
> +@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_bu
> +             return (DST_R_INVALIDPUBLICKEY);
> +     }
> +     if (plen == 1 || plen == 2) {
> +-            if (plen == 1)
> +-                    special = *r.base++;
> +-            else
> ++            if (plen == 1) {
> ++                    special = *r.base;
> ++                    isc_region_consume(&r, 1);
> ++            } else {
> +                     special = uint16_fromregion(&r);
> ++            }
> +             switch (special) {
> +                     case 1:
> +                             dh->p = &bn768;
> +@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_bu
> +                             DH_free(dh);
> +                             return (DST_R_INVALIDPUBLICKEY);
> +             }
> +-    }
> +-    else {
> ++    } else {
> +             dh->p = BN_bin2bn(r.base, plen, NULL);
> +-            r.base += plen;
> ++            isc_region_consume(&r, plen);
> +     }
> + 
> +     /*
> +@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_bu
> +                             return (DST_R_INVALIDPUBLICKEY);
> +                     }
> +             }
> +-    }
> +-    else {
> ++    } else {
> +             if (glen == 0) {
> +                     DH_free(dh);
> +                     return (DST_R_INVALIDPUBLICKEY);
> +             }
> +             dh->g = BN_bin2bn(r.base, glen, NULL);
> +     }
> +-    r.base += glen;
> ++    isc_region_consume(&r, glen);
> + 
> +     if (r.length < 2) {
> +             DH_free(dh);
> +@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_bu
> +             return (DST_R_INVALIDPUBLICKEY);
> +     }
> +     dh->pub_key = BN_bin2bn(r.base, publen, NULL);
> +-    r.base += publen;
> ++    isc_region_consume(&r, publen);
> + 
> +     key->key_size = BN_num_bits(dh->p);
> + 
> +Index: bind-9.9.5/lib/dns/openssldsa_link.c
> +===================================================================
> +--- bind-9.9.5.orig/lib/dns/openssldsa_link.c
> ++++ bind-9.9.5/lib/dns/openssldsa_link.c
> +@@ -29,8 +29,6 @@
> +  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> +  */
> + 
> +-/* $Id$ */
> +-
> + #ifdef OPENSSL
> + #ifndef USE_EVP
> + #define USE_EVP 1
> +@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc
> +     DSA *dsa = key->keydata.dsa;
> +     isc_region_t r;
> +     DSA_SIG *dsasig;
> ++    unsigned int klen;
> + #if USE_EVP
> +     EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
> +     EVP_PKEY *pkey;
> +@@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc
> +                                            ISC_R_FAILURE));
> +     }
> +     free(sigbuf);
> ++
> + #elif 0
> +     /* Only use EVP for the Digest */
> +     if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
> +@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc
> +                                            "DSA_do_sign",
> +                                            DST_R_SIGNFAILURE));
> + #endif
> +-    *r.base++ = (key->key_size - 512)/64;
> ++
> ++    klen = (key->key_size - 512)/64;
> ++    if (klen > 255)
> ++            return (ISC_R_FAILURE);
> ++    *r.base = klen;
> ++    isc_region_consume(&r, 1);
> ++
> +     BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
> +-    r.base += ISC_SHA1_DIGESTLENGTH;
> ++    isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
> +     BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
> +-    r.base += ISC_SHA1_DIGESTLENGTH;
> ++    isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
> +     DSA_SIG_free(dsasig);
> +     isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
> + 
> +@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, i
> +     if (r.length < (unsigned int) dnslen)
> +             return (ISC_R_NOSPACE);
> + 
> +-    *r.base++ = t;
> ++    *r.base = t;
> ++    isc_region_consume(&r, 1);
> +     BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
> +-    r.base += ISC_SHA1_DIGESTLENGTH;
> ++    isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
> +     BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
> +-    r.base += p_bytes;
> ++    isc_region_consume(&r, p_bytes);
> +     BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
> +-    r.base += p_bytes;
> ++    isc_region_consume(&r, p_bytes);
> +     BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
> +-    r.base += p_bytes;
> ++    isc_region_consume(&r, p_bytes);
> + 
> +     isc_buffer_add(data, dnslen);
> + 
> +@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_b
> +             return (ISC_R_NOMEMORY);
> +     dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
> + 
> +-    t = (unsigned int) *r.base++;
> ++    t = (unsigned int) *r.base;
> ++    isc_region_consume(&r, 1);
> +     if (t > 8) {
> +             DSA_free(dsa);
> +             return (DST_R_INVALIDPUBLICKEY);
> +     }
> +     p_bytes = 64 + 8 * t;
> + 
> +-    if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
> ++    if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
> +             DSA_free(dsa);
> +             return (DST_R_INVALIDPUBLICKEY);
> +     }
> + 
> +     dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
> +-    r.base += ISC_SHA1_DIGESTLENGTH;
> ++    isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
> + 
> +     dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
> +-    r.base += p_bytes;
> ++    isc_region_consume(&r, p_bytes);
> + 
> +     dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
> +-    r.base += p_bytes;
> ++    isc_region_consume(&r, p_bytes);
> + 
> +     dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
> +-    r.base += p_bytes;
> ++    isc_region_consume(&r, p_bytes);
> + 
> +     key->key_size = p_bytes * 8;
> + 
> +Index: bind-9.9.5/lib/dns/opensslecdsa_link.c
> +===================================================================
> +--- bind-9.9.5.orig/lib/dns/opensslecdsa_link.c
> ++++ bind-9.9.5/lib/dns/opensslecdsa_link.c
> +@@ -14,8 +14,6 @@
> +  * PERFORMANCE OF THIS SOFTWARE.
> +  */
> + 
> +-/* $Id$ */
> +-
> + #include <config.h>
> + 
> + #ifdef HAVE_OPENSSL_ECDSA
> +@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, i
> +                                            "ECDSA_do_sign",
> +                                            DST_R_SIGNFAILURE));
> +     BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
> +-    r.base += siglen / 2;
> ++    isc_region_consume(&r, siglen / 2);
> +     BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
> +-    r.base += siglen / 2;
> ++    isc_region_consume(&r, siglen / 2);
> +     ECDSA_SIG_free(ecdsasig);
> +     isc_buffer_add(sig, siglen);
> +     ret = ISC_R_SUCCESS;
> +Index: bind-9.9.5/lib/dns/opensslrsa_link.c
> +===================================================================
> +--- bind-9.9.5.orig/lib/dns/opensslrsa_link.c
> ++++ bind-9.9.5/lib/dns/opensslrsa_link.c
> +@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
> +     RSA *rsa;
> +     isc_region_t r;
> +     unsigned int e_bytes;
> ++    unsigned int length;
> + #if USE_EVP
> +     EVP_PKEY *pkey;
> + #endif
> +@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
> +     isc_buffer_remainingregion(data, &r);
> +     if (r.length == 0)
> +             return (ISC_R_SUCCESS);
> ++    length = r.length;
> + 
> +     rsa = RSA_new();
> +     if (rsa == NULL)
> +@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
> +             RSA_free(rsa);
> +             return (DST_R_INVALIDPUBLICKEY);
> +     }
> +-    e_bytes = *r.base++;
> +-    r.length--;
> ++    e_bytes = *r.base;
> ++    isc_region_consume(&r, 1);
> + 
> +     if (e_bytes == 0) {
> +             if (r.length < 2) {
> +                     RSA_free(rsa);
> +                     return (DST_R_INVALIDPUBLICKEY);
> +             }
> +-            e_bytes = ((*r.base++) << 8);
> +-            e_bytes += *r.base++;
> +-            r.length -= 2;
> ++            e_bytes = (*r.base) << 8;
> ++            isc_region_consume(&r, 1);
> ++            e_bytes += *r.base;
> ++            isc_region_consume(&r, 1);
> +     }
> + 
> +     if (r.length < e_bytes) {
> +@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
> +             return (DST_R_INVALIDPUBLICKEY);
> +     }
> +     rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
> +-    r.base += e_bytes;
> +-    r.length -= e_bytes;
> ++    isc_region_consume(&r, e_bytes);
> + 
> +     rsa->n = BN_bin2bn(r.base, r.length, NULL);
> + 
> +     key->key_size = BN_num_bits(rsa->n);
> + 
> +-    isc_buffer_forward(data, r.length);
> ++    isc_buffer_forward(data, length);
> + 
> + #if USE_EVP
> +     pkey = EVP_PKEY_new();
> +Index: bind-9.9.5/lib/dns/resolver.c
> +===================================================================
> +--- bind-9.9.5.orig/lib/dns/resolver.c
> ++++ bind-9.9.5/lib/dns/resolver.c
> +@@ -8937,6 +8937,12 @@ dns_resolver_algorithm_supported(dns_res
> + 
> +     REQUIRE(VALID_RESOLVER(resolver));
> + 
> ++    /*
> ++     * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
> ++     */
> ++    if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
> ++            return (ISC_FALSE);
> ++
> + #if USE_ALGLOCK
> +     RWLOCK(&resolver->alglock, isc_rwlocktype_read);
> + #endif
> +@@ -8956,6 +8962,7 @@ dns_resolver_algorithm_supported(dns_res
> + #endif
> +     if (found)
> +             return (ISC_FALSE);
> ++
> +     return (dst_algorithm_supported(alg));
> + }
> + 
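Review bot: The new `if (klen > 255) return (ISC_R_FAILURE);` in openssldsa_sign returns after dsasig has been obtained (the DSA_do_sign failure return precedes it) but before the `DSA_SIG_free(dsasig)` further down, so a rejected key size leaks the signature object; free it on that path: `if (klen > 255) { DSA_SIG_free(dsasig); return (ISC_R_FAILURE); }`. If key->key_size is unsigned, `(key->key_size - 512)/64` wraps for sizes below 512 and is caught by the same check, which deserves a one-line comment such as `/* key_size < 512 wraps to a large value and is rejected here too */`. The conversions from `r.base += n` to isc_region_consume mean each advance now INSISTs that the region still holds n bytes (its definition is not in the hunk), so whether malformed input is rejected with DST_R_INVALIDPUBLICKEY or trips an assertion depends on the preceding length checks, e.g. the one before `isc_region_consume(&r, glen)` in openssldh_fromdns, most of which lie outside the hunk. The header again gives only a bugzilla attachment and no upstream commit reference, and openssldsa_sign's body starts outside the hunk.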
> diff --git a/meta/recipes-connectivity/bind/bind_9.9.5.bb
> b/meta/recipes-connectivity/bind/bind_9.9.5.bb
> index 9f0ab2f..d4fdd21 100644
> --- a/meta/recipes-connectivity/bind/bind_9.9.5.bb
> +++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb
> @@ -22,6 +22,9 @@ SRC_URI = "
> ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
>             file://bind-subdirs-run-serially.patch \
>             file://bind-confgen-build-unix.o-once.patch \
>             file://cve-2015-5477.patch \
> +           file://CVE-2015-1349.patch \
> +           file://CVE-2015-4620.patch \
> +           file://CVE-2015-5722.patch \
>          "
>  
>  SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"
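Review bot: The three new entries use upper-case `CVE-2015-*.patch` names while the existing `file://cve-2015-5477.patch` directly above is lower-case, so the recipe directory is no longer consistently greppable by CVE id. Since the existing CVE patch is lower-case, renaming the three new files (and these three lines) to match is the smaller change.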
-- 