Bug#868952: bind9: diff for NMU version 1:9.10.3.dfsg.P4-12.5

[Salvatore Bonaccorso]

Hi Mike,

On Sat, Jul 22, 2017 at 11:47:56AM -0400, Michael Gilbert wrote:
> Hi Salvatore,
> 
> The changes look correct to me.  Please feel free to remove the delay
> on the NMU.

Thanks a lot! I rescheduled it.

Regards,
Salvatore

Bug#868952: bind9: diff for NMU version 1:9.10.3.dfsg.P4-12.5

[Michael Gilbert]

Hi Salvatore,

The changes look correct to me.  Please feel free to remove the delay
on the NMU.

Best wishes,
Mike

On Sat, Jul 22, 2017 at 3:57 AM, Salvatore Bonaccorso  wrote:
> Control: tags 868952 + patch
> Control: tags 868952 + pending
>
> Dear maintainer,
>
> I've prepared an NMU for bind9 (versioned as 1:9.10.3.dfsg.P4-12.5) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.
>
> Regards,
> Salvatore

Bug#868952: bind9: diff for NMU version 1:9.10.3.dfsg.P4-12.5

[Salvatore Bonaccorso]

Control: tags 868952 + patch
Control: tags 868952 + pending

Dear maintainer,

I've prepared an NMU for bind9 (versioned as 1:9.10.3.dfsg.P4-12.5) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru bind9-9.10.3.dfsg.P4/debian/changelog bind9-9.10.3.dfsg.P4/debian/changelog
--- bind9-9.10.3.dfsg.P4/debian/changelog	2017-07-16 22:13:21.0 +0200
+++ bind9-9.10.3.dfsg.P4/debian/changelog	2017-07-21 22:28:32.0 +0200
@@ -1,3 +1,13 @@
+bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
+signed TCP message sequences where not all the messages contain TSIG
+records. These may be used in AXFR and IXFR responses.
+(Closes: #868952)
+
+ -- Salvatore Bonaccorso   Fri, 21 Jul 2017 22:28:32 +0200
+
 bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru bind9-9.10.3.dfsg.P4/debian/patches/4647.-bug-Change-4643-broke-verification-of-TSIG-sig.patch bind9-9.10.3.dfsg.P4/debian/patches/4647.-bug-Change-4643-broke-verification-of-TSIG-sig.patch
--- bind9-9.10.3.dfsg.P4/debian/patches/4647.-bug-Change-4643-broke-verification-of-TSIG-sig.patch	1970-01-01 01:00:00.0 +0100
+++ bind9-9.10.3.dfsg.P4/debian/patches/4647.-bug-Change-4643-broke-verification-of-TSIG-sig.patch	2017-07-21 22:28:32.0 +0200
@@ -0,0 +1,565 @@
+From e66fca127cd907e73ca7accd49e42d7a24503242 Mon Sep 17 00:00:00 2001
+From: Mark Andrews 
+Date: Fri, 7 Jul 2017 23:19:05 +1000
+Subject: [PATCH] 4647.   [bug]   Change 4643 broke verification of
+ TSIG signed TCP message sequences where not all the
+ messages contain TSIG records.  These may be used in
+ AXFR and IXFR responses.  [RT #45509]
+
+---
+ lib/dns/tests/Makefile.in |   7 +
+ lib/dns/tests/tsig_test.c | 489 ++
+ lib/dns/tsig.c|  10 +-
+ 4 files changed, 509 insertions(+), 2 deletions(-)
+ create mode 100644 lib/dns/tests/tsig_test.c
+
+
+--- a/lib/dns/tests/Makefile.in
 b/lib/dns/tests/Makefile.in
+@@ -57,6 +57,7 @@ SRCS =		db_test.c \
+ 		rdataset_test.c \
+ 		rdatasetstats_test.c \
+ 		time_test.c \
++		tsig_test.c \
+ 		update_test.c \
+ 		zonemgr_test.c \
+ 		zt_test.c 
+@@ -81,6 +82,7 @@ TARGETS =	db_test@EXEEXT@ \
+ 		rdataset_test@EXEEXT@ \
+ 		rdatasetstats_test@EXEEXT@ \
+ 		time_test@EXEEXT@ \
++		tsig_test@EXEEXT@ \
+ 		update_test@EXEEXT@ \
+ 		zonemgr_test@EXEEXT@ \
+ 		zt_test@EXEEXT@
+@@ -206,6 +208,11 @@ dh_test@EXEEXT@: dh_test.@O@ dnstest.@O@
+ 			dh_test.@O@ dnstest.@O@ ${DNSLIBS} \
+ 			${ISCLIBS} ${LIBS}
+ 
++tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
++	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
++			tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \
++			${ISCLIBS} ${LIBS}
++
+ unit::
+ 	sh ${top_srcdir}/unit/unittest.sh
+ 
+--- /dev/null
 b/lib/dns/tests/tsig_test.c
+@@ -0,0 +1,489 @@
++/*
++ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ */
++
++/* ! \file */
++
++#include 
++#include 
++#include 
++
++#include 
++#include 
++#include 
++
++#include "dnstest.h"
++
++#ifdef HAVE_INTTYPES_H
++#include  /* uintptr_t */
++#endif
++
++static int debug = 0;
++
++static isc_result_t
++add_mac(dst_context_t *tsigctx, isc_buffer_t *buf) {
++	dns_rdata_any_tsig_t tsig;
++	dns_rdata_t rdata = DNS_RDATA_INIT;
++	isc_buffer_t databuf;
++	isc_region_t r;
++	isc_result_t result;
++	unsigned char tsigbuf[1024];
++
++	isc_buffer_usedregion(buf, );
++	dns_rdata_fromregion(, dns_rdataclass_any,
++			 dns_rdatatype_tsig, );
++	isc_buffer_init(, tsigbuf, sizeof(tsigbuf));
++	CHECK(dns_rdata_tostruct(, , NULL));
++	isc_buffer_putuint16(, tsig.siglen);
++	isc_buffer_putmem(, tsig.signature, tsig.siglen);
++	isc_buffer_usedregion(, );
++	result = dst_context_adddata(tsigctx, );
++	dns_rdata_freestruct();
++ cleanup:
++	return (result);
++}
++
++static isc_result_t
++add_tsig(dst_context_t *tsigctx, dns_tsigkey_t *key, isc_buffer_t *target) {
++	dns_compress_t cctx;
++	dns_rdata_any_tsig_t tsig;
++	dns_rdata_t rdata = DNS_RDATA_INIT;
++	dns_rdatalist_t rdatalist;
++	dns_rdataset_t rdataset;
++	isc_buffer_t *dynbuf = NULL;
++	isc_buffer_t databuf;
++	isc_buffer_t sigbuf;
++	isc_region_t r;
++	isc_result_t result = ISC_R_SUCCESS;
++	isc_stdtime_t now;
++	unsigned char tsigbuf[1024];
++	unsigned int count;
++	unsigned int sigsize;
++	isc_boolean_t invalidate_ctx = ISC_FALSE;
++
++	CHECK(dns_compress_init(, -1, mctx));
++	invalidate_ctx = ISC_TRUE;
++
++	memset(, 0, sizeof(tsig));
++