Hello community,

here is the log from the commit of package bind for openSUSE:Factory checked in 
at 2016-09-28 02:38:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bind (Old)
 and      /work/SRC/openSUSE:Factory/.bind.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bind"

Changes:
--------
--- /work/SRC/openSUSE:Factory/bind/bind.changes        2016-07-01 
09:55:05.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.bind.new/bind.changes   2016-09-28 
02:38:17.000000000 +0200
@@ -1,0 +2,5 @@
+Tue Sep 27 16:29:19 UTC 2016 - [email protected]
+
+- Apply cve-2016-2776.patch to fix CVE-2016-2776 (bsc#1000362).
+
+-------------------------------------------------------------------

New:
----
  cve-2016-2776.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bind.spec ++++++
--- /var/tmp/diff_new_pack.OTEu7I/_old  2016-09-28 02:38:20.000000000 +0200
+++ /var/tmp/diff_new_pack.OTEu7I/_new  2016-09-28 02:38:20.000000000 +0200
@@ -45,6 +45,7 @@
 Patch53:        bind-sdb-ldap.patch
 Patch101:       runidn.diff
 Patch102:       idnkit-powerpc-ltconfig.patch
+Patch103:       cve-2016-2776.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libmysqlclient-devel
@@ -376,6 +377,8 @@
 %patch53
 %patch101 -p1
 %patch102 -p1
+%patch103 -p1
+
 # use the year from source gzip header instead of current one to make 
reproducible rpms
 year=$(perl -e 'sysread(STDIN, $h, 8); print 
(1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{S:0})
 sed -i "s/stdout, copyright, year/stdout, copyright, \"-$year\"/" lib/dns/gen.c



++++++ cve-2016-2776.patch ++++++
Index: bind-9.10.3-P4/lib/dns/message.c
===================================================================
--- bind-9.10.3-P4.orig/lib/dns/message.c       2016-09-27 18:38:44.843342507 
+0200
+++ bind-9.10.3-P4/lib/dns/message.c    2016-09-27 18:38:47.871359253 +0200
@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *m
        if (r.length < DNS_MESSAGE_HEADERLEN)
                return (ISC_R_NOSPACE);
 
-       if (r.length < msg->reserved)
+       if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
                return (ISC_R_NOSPACE);
 
        /*
@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *
 
        return (ISC_TRUE);
 }
-
 #endif
+
+static isc_result_t
+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+         dns_compress_t *cctx, isc_buffer_t *target,
+         unsigned int reserved, unsigned int options, unsigned int *countp)
+{
+       isc_result_t result;
+
+       /*
+        * Shrink the space in the buffer by the reserved amount.
+        */
+       if (target->length - target->used < reserved)
+               return (ISC_R_NOSPACE);
+
+       target->length -= reserved;
+       result = dns_rdataset_towire(rdataset, owner_name,
+                                    cctx, target, options, countp);
+       target->length += reserved;
+
+       return (result);
+}
+
 isc_result_t
 dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
                          unsigned int options)
@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t
        /*
         * Shrink the space in the buffer by the reserved amount.
         */
+       if (msg->buffer->length - msg->buffer->used < msg->reserved)
+               return (ISC_R_NOSPACE);
        msg->buffer->length -= msg->reserved;
 
        total = 0;
@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg
                 * Render.
                 */
                count = 0;
-               result = dns_rdataset_towire(msg->opt, dns_rootname,
-                                            msg->cctx, msg->buffer, 0,
-                                            &count);
+               result = renderset(msg->opt, dns_rootname, msg->cctx,
+                                  msg->buffer, msg->reserved, 0, &count);
                msg->counts[DNS_SECTION_ADDITIONAL] += count;
                if (result != ISC_R_SUCCESS)
                        return (result);
@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg
                if (result != ISC_R_SUCCESS)
                        return (result);
                count = 0;
-               result = dns_rdataset_towire(msg->tsig, msg->tsigname,
-                                            msg->cctx, msg->buffer, 0,
-                                            &count);
+               result = renderset(msg->tsig, msg->tsigname, msg->cctx,
+                                  msg->buffer, msg->reserved, 0, &count);
                msg->counts[DNS_SECTION_ADDITIONAL] += count;
                if (result != ISC_R_SUCCESS)
                        return (result);
@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg
                 * the owner name of a SIG(0) is irrelevant, and will not
                 * be set in a message being rendered.
                 */
-               result = dns_rdataset_towire(msg->sig0, dns_rootname,
-                                            msg->cctx, msg->buffer, 0,
-                                            &count);
+               result = renderset(msg->sig0, dns_rootname, msg->cctx,
+                                  msg->buffer, msg->reserved, 0, &count);
                msg->counts[DNS_SECTION_ADDITIONAL] += count;
                if (result != ISC_R_SUCCESS)
                        return (result);

Reply via email to