1.CVE-2016-2775.patch
[security] getrrsetbyname with a non absolute name could
trigger an infinite recursion bug in lwresd
and named with lwres configured if when combined
with a search list entry the resulting name is
too long. (CVE-2016-2775) [RT #42694]
2.CVE-2016-2776.patch
[security] It was possible to trigger a assertion when rendering
a message. (CVE-2016-2776) [RT #43139]
Signed-off-by: zhengruoqin
---
.../bind/bind/CVE-2016-2775.patch | 82 +++
.../bind/bind/CVE-2016-2776.patch | 115 +
2 files changed, 197 insertions(+)
create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
new file mode 100644
index 000..c211aef
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,82 @@
+From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
+From: "Zheng Ruoqin"
+Date: Wed, 12 Oct 2016 19:52:59 +0900
+Subject: [PATCH]
+4406. [security] getrrsetbyname with a non absolute name could
+trigger an infinite recursion bug in lwresd
+and named with lwres configured if when combined
+with a search list entry the resulting name is
+too long. (CVE-2016-2775) [RT #42694]
+
+---
+ CHANGES | 6 ++
+ bin/named/lwdgrbn.c | 16 ++--
+ bin/tests/system/lwresd/lwtest.c | 9 -
+ 3 files changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index d2e3360..d0a9d12 100644
+--- a/CHANGES
b/CHANGES
+@@ -1,3 +1,9 @@
++4406. [security] getrrsetbyname with a non absolute name could
++trigger an infinite recursion bug in lwresd
++and named with lwres configured if when combined
++with a search list entry the resulting name is
++too long. (CVE-2016-2775) [RT #42694]
++
+ 4322. [security] Duplicate EDNS COOKIE options in a response could
+trigger an assertion failure. (CVE-2016-2088)
+[RT #41809]
+diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
+index 3e7b15b..e1e9adc 100644
+--- a/bin/named/lwdgrbn.c
b/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+ INSIST(client->lookup == NULL);
+
+ dns_fixedname_init();
+- result = ns_lwsearchctx_current(>searchctx,
+- dns_fixedname_name());
++
+ /*
+- * This will return failure if relative name + suffix is too long.
+- * In this case, just go on to the next entry in the search path.
++ * Perform search across all search domains until success
++ * is returned. Return in case of failure.
+*/
+- if (result != ISC_R_SUCCESS)
+- start_lookup(client);
++while (ns_lwsearchctx_current(>searchctx,
++dns_fixedname_name()) != ISC_R_SUCCESS) {
++if (ns_lwsearchctx_next(>searchctx) != ISC_R_SUCCESS)
{
++ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
++return;
++}
++}
+
+ result = dns_lookup_create(cm->mctx,
+ dns_fixedname_name(),
+diff --git a/bin/tests/system/lwresd/lwtest.c
b/bin/tests/system/lwresd/lwtest.c
+index ad9b551..3eb4a66 100644
+--- a/bin/tests/system/lwresd/lwtest.c
b/bin/tests/system/lwresd/lwtest.c
+@@ -768,7 +768,14 @@ main(void) {
+ test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
+ test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+ test_getrrsetbyname("", 1, 1, 0, 0, 0);
+-
++test_getrrsetbyname("123456789.123456789.123456789.123456789."
++"123456789.123456789.123456789.123456789."
++"123456789.123456789.123456789.123456789."
++"123456789.123456789.123456789.123456789."
++"123456789.123456789.123456789.123456789."
++"123456789.123456789.123456789.123456789."
++"123456789", 1, 1, 0, 0, 0);
++
+ if (fails == 0)
+ printf("I:ok\n");
+ return (fails);
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
new file mode 100644
index 000..66e0501
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0