Re: [OE-core] [PATCH] Add two patches for bind

2016-10-13 Thread Burton, Ross 
On 17 September 2016 at 14:55, Zheng Ruoqin 
wrote:

> 1.CVE-2016-2775.patch
> [security]  getrrsetbyname with a non absolute name could
> trigger an infinite recursion bug in lwresd
> and named with lwres configured if when combined
> with a search list entry the resulting name is
> too long. (CVE-2016-2775) [RT #42694]
>
> 2.CVE-2016-2776.patch
> [security]  It was possible to trigger a assertion when rendering
>a message. (CVE-2016-2776) [RT #43139]
>
> Signed-off-by: zhengruoqin 
>

The patches themselves need CVE, Signed-off-by, and Upstream-Status tags.

The commit message needs a better short summary (at least, "fix two CVEs",
ideally better).

Ross
-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

[OE-core] [PATCH] Add two patches for bind

2016-10-12 Thread Zheng Ruoqin 
1.CVE-2016-2775.patch
[security]  getrrsetbyname with a non absolute name could
trigger an infinite recursion bug in lwresd
and named with lwres configured if when combined
with a search list entry the resulting name is
too long. (CVE-2016-2775) [RT #42694]

2.CVE-2016-2776.patch
[security]  It was possible to trigger a assertion when rendering
   a message. (CVE-2016-2776) [RT #43139]

Signed-off-by: zhengruoqin 
---
 .../bind/bind/CVE-2016-2775.patch  |  82 +++
 .../bind/bind/CVE-2016-2776.patch  | 115 +
 2 files changed, 197 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
new file mode 100644
index 000..c211aef
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,82 @@
+From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
+From: "Zheng Ruoqin" 
+Date: Wed, 12 Oct 2016 19:52:59 +0900
+Subject: [PATCH]
+4406.   [security]  getrrsetbyname with a non absolute name could
+trigger an infinite recursion bug in lwresd
+and named with lwres configured if when combined
+with a search list entry the resulting name is
+too long. (CVE-2016-2775) [RT #42694]
+
+---
+ CHANGES  |  6 ++
+ bin/named/lwdgrbn.c  | 16 ++--
+ bin/tests/system/lwresd/lwtest.c |  9 -
+ 3 files changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index d2e3360..d0a9d12 100644
+--- a/CHANGES
 b/CHANGES
+@@ -1,3 +1,9 @@
++4406.   [security]  getrrsetbyname with a non absolute name could
++trigger an infinite recursion bug in lwresd
++and named with lwres configured if when combined
++with a search list entry the resulting name is
++too long. (CVE-2016-2775) [RT #42694]
++
+ 4322.  [security]  Duplicate EDNS COOKIE options in a response could
+trigger an assertion failure. (CVE-2016-2088)
+[RT #41809]
+diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
+index 3e7b15b..e1e9adc 100644
+--- a/bin/named/lwdgrbn.c
 b/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+   INSIST(client->lookup == NULL);
+ 
+   dns_fixedname_init();
+-  result = ns_lwsearchctx_current(>searchctx,
+-  dns_fixedname_name());
++
+   /*
+-   * This will return failure if relative name + suffix is too long.
+-   * In this case, just go on to the next entry in the search path.
++ * Perform search across all search domains until success
++ * is returned. Return in case of failure.
+*/
+-  if (result != ISC_R_SUCCESS)
+-  start_lookup(client);
++while (ns_lwsearchctx_current(>searchctx,
++dns_fixedname_name()) != ISC_R_SUCCESS) {
++if (ns_lwsearchctx_next(>searchctx) != ISC_R_SUCCESS) 
{
++ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
++return;
++}
++}
+ 
+   result = dns_lookup_create(cm->mctx,
+  dns_fixedname_name(),
+diff --git a/bin/tests/system/lwresd/lwtest.c 
b/bin/tests/system/lwresd/lwtest.c
+index ad9b551..3eb4a66 100644
+--- a/bin/tests/system/lwresd/lwtest.c
 b/bin/tests/system/lwresd/lwtest.c
+@@ -768,7 +768,14 @@ main(void) {
+   test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
+   test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+   test_getrrsetbyname("", 1, 1, 0, 0, 0);
+-
++test_getrrsetbyname("123456789.123456789.123456789.123456789."
++"123456789.123456789.123456789.123456789."
++"123456789.123456789.123456789.123456789."
++"123456789.123456789.123456789.123456789."
++"123456789.123456789.123456789.123456789."
++"123456789.123456789.123456789.123456789."
++"123456789", 1, 1, 0, 0, 0);
++ 
+   if (fails == 0)
+   printf("I:ok\n");
+   return (fails);
+-- 
+2.7.4
+
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
new file mode 100644
index 000..66e0501
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0