[oe-commits] [openembedded-core] 08/20: bind: Security fix CVE-2016-2088

git at git.openembedded.org git at git.openembedded.org
Fri Sep 23 22:22:32 UTC 2016


rpurdie pushed a commit to branch jethro
in repository openembedded-core.

commit 91e05c25eb221ff1dc2bde5cfaa0bea88345b1e4
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Sat Sep 17 14:22:15 2016 -0700

    bind: Security fix CVE-2016-2088
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../bind/bind/CVE-2016-2088.patch                  | 216 +++++++++++++++++++++
 meta/recipes-connectivity/bind/bind_9.10.2-P4.bb   |   1 +
 2 files changed, 217 insertions(+)

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
new file mode 100644
index 0000000..f3f2cc8
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
@@ -0,0 +1,216 @@
+From d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka at isc.org>
+Date: Sat, 27 Feb 2016 11:23:50 +1100
+Subject: [PATCH] 4322.   [security]      Duplicate EDNS COOKIE options in a
+ response could                         trigger an assertion failure.
+ (CVE-2016-2088)                         [RT #41809]
+
+(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
+(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
+
+Upstream-Status: Backport
+CVE: CVE-2016-2088
+minor fixup to get to apply.
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ CHANGES            |  5 +++++
+ bin/dig/dighost.c  |  9 +++++++++
+ bin/named/client.c | 33 +++++++++++++++++++++++----------
+ doc/arm/notes.xml  |  7 +++++++
+ lib/dns/resolver.c | 14 +++++++++++++-
+ 5 files changed, 57 insertions(+), 11 deletions(-)
+
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,7 @@
++4322.  [security]      Duplicate EDNS COOKIE options in a response could
++                       trigger an assertion failure. (CVE-2016-2088)
++                       [RT #41809]
++
+ 4319.  [security]      Fix resolver assertion failure due to improper
+                        DNAME handling when parsing fetch reply messages.
+                        (CVE-2016-1286) [RT #41753]
+Index: bind-9.10.2-P4/bin/dig/dighost.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/dig/dighost.c
++++ bind-9.10.2-P4/bin/dig/dighost.c
+@@ -3349,6 +3349,7 @@ process_opt(dig_lookup_t *l, dns_message
+ 	isc_buffer_t optbuf;
+ 	isc_uint16_t optcode, optlen;
+ 	dns_rdataset_t *opt = msg->opt;
++	isc_boolean_t seen_cookie = ISC_FALSE;
+ 
+ 	result = dns_rdataset_first(opt);
+ 	if (result == ISC_R_SUCCESS) {
+@@ -3360,8 +3361,16 @@ process_opt(dig_lookup_t *l, dns_message
+ 			optcode = isc_buffer_getuint16(&optbuf);
+ 			optlen = isc_buffer_getuint16(&optbuf);
+ 			switch (optcode) {
+-			case DNS_OPT_SIT:
++ 			case DNS_OPT_SIT:
++                                /*
++                                 * Only process the first cookie option.
++                                 */
++                                if (seen_cookie) {
++                                        isc_buffer_forward(&optbuf, optlen);
++                                        break;
++                                }
+ 				process_sit(l, msg, &optbuf, optlen);
++                                seen_cookie = ISC_TRUE;
+ 				break;
+ 			default:
+ 				isc_buffer_forward(&optbuf, optlen);
+Index: bind-9.10.2-P4/bin/named/client.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/named/client.c
++++ bind-9.10.2-P4/bin/named/client.c
+@@ -121,7 +121,10 @@
+  */
+ #endif
+ 
+-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
++#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
++
++#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
++#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
+ 
+ /*% nameserver client manager structure */
+ struct ns_clientmgr {
+@@ -1391,7 +1394,7 @@ ns_client_addopt(ns_client_t *client, dn
+ {
+ 	char nsid[BUFSIZ], *nsidp;
+ #ifdef ISC_PLATFORM_USESIT
+-	unsigned char sit[SIT_SIZE];
++	unsigned char sit[COOKIE_SIZE];
+ #endif
+ 	isc_result_t result;
+ 	dns_view_t *view;
+@@ -1416,7 +1419,7 @@ ns_client_addopt(ns_client_t *client, dn
+ 	flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
+ 
+ 	/* Set EDNS options if applicable */
+-	if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
++	if (WANTNSID(client) &&
+ 	    (ns_g_server->server_id != NULL ||
+ 	     ns_g_server->server_usehostname)) {
+ 		if (ns_g_server->server_usehostname) {
+@@ -1449,7 +1452,7 @@ ns_client_addopt(ns_client_t *client, dn
+ 
+ 		INSIST(count < DNS_EDNSOPTIONS);
+ 		ednsopts[count].code = DNS_OPT_SIT;
+-		ednsopts[count].length = SIT_SIZE;
++		ednsopts[count].length = COOKIE_SIZE;
+ 		ednsopts[count].value = sit;
+ 		count++;
+ 	}
+@@ -1657,19 +1660,26 @@ compute_sit(ns_client_t *client, isc_uin
+ 
+ static void
+ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+-	unsigned char dbuf[SIT_SIZE];
++	unsigned char dbuf[COOKIE_SIZE];
+ 	unsigned char *old;
+ 	isc_stdtime_t now;
+ 	isc_uint32_t when;
+ 	isc_uint32_t nonce;
+ 	isc_buffer_t db;
+ 
++	/*
++	 * If we have already seen a ECS option skip this ECS option.
++	 */
++	if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
++		isc_buffer_forward(buf, optlen);
++		return;
++	}
+ 	client->attributes |= NS_CLIENTATTR_WANTSIT;
+ 
+ 	isc_stats_increment(ns_g_server->nsstats,
+ 			    dns_nsstatscounter_sitopt);
+ 
+-	if (optlen != SIT_SIZE) {
++	if (optlen != COOKIE_SIZE) {
+ 		/*
+ 		 * Not our token.
+ 		 */
+@@ -1713,7 +1723,7 @@ process_sit(ns_client_t *client, isc_buf
+ 	isc_buffer_init(&db, dbuf, sizeof(dbuf));
+ 	compute_sit(client, when, nonce, &db);
+ 
+-	if (memcmp(old, dbuf, SIT_SIZE) != 0) {
++	if (memcmp(old, dbuf, COOKIE_SIZE) != 0) {
+ 		isc_stats_increment(ns_g_server->nsstats,
+ 				    dns_nsstatscounter_sitnomatch);
+ 		return;
+@@ -1779,7 +1789,9 @@ process_opt(ns_client_t *client, dns_rda
+ 			optlen = isc_buffer_getuint16(&optbuf);
+ 			switch (optcode) {
+ 			case DNS_OPT_NSID:
+-				isc_stats_increment(ns_g_server->nsstats,
++				if (!WANTNSID(client))
++					isc_stats_increment(
++						    ns_g_server->nsstats,
+ 						    dns_nsstatscounter_nsidopt);
+ 				client->attributes |= NS_CLIENTATTR_WANTNSID;
+ 				isc_buffer_forward(&optbuf, optlen);
+@@ -1790,7 +1802,9 @@ process_opt(ns_client_t *client, dns_rda
+ 				break;
+ #endif
+ 			case DNS_OPT_EXPIRE:
+-				isc_stats_increment(ns_g_server->nsstats,
++				if (!WANTEXPIRE(client))
++					isc_stats_increment(
++						  ns_g_server->nsstats,
+ 						  dns_nsstatscounter_expireopt);
+ 				client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
+ 				isc_buffer_forward(&optbuf, optlen);
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -7144,7 +7144,9 @@ process_opt(resquery_t *query, dns_rdata
+ 	unsigned char *sit;
+ 	dns_adbaddrinfo_t *addrinfo;
+ 	unsigned char cookie[8];
++	isc_boolean_t seen_cookie = ISC_FALSE;
+ #endif
++	isc_boolean_t seen_nsid = ISC_FALSE;
+ 
+ 	result = dns_rdataset_first(opt);
+ 	if (result == ISC_R_SUCCESS) {
+@@ -7158,14 +7160,23 @@ process_opt(resquery_t *query, dns_rdata
+ 			INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
+ 			switch (optcode) {
+ 			case DNS_OPT_NSID:
+-				if (query->options & DNS_FETCHOPT_WANTNSID)
++				if (!seen_nsid &&
++                                    query->options & DNS_FETCHOPT_WANTNSID)
+ 					log_nsid(&optbuf, optlen, query,
+ 						 ISC_LOG_DEBUG(3),
+ 						 query->fctx->res->mctx);
+ 				isc_buffer_forward(&optbuf, optlen);
++	                        seen_nsid = ISC_TRUE;
+ 				break;
+ #ifdef ISC_PLATFORM_USESIT
+ 			case DNS_OPT_SIT:
++                                /*
++                                 * Only process the first cookie option.
++                                 */
++                                if (seen_cookie) {
++                                        isc_buffer_forward(&optbuf, optlen);
++                                        break;
++                                }
+ 				sit = isc_buffer_current(&optbuf);
+ 				compute_cc(query, cookie, sizeof(cookie));
+ 				INSIST(query->fctx->rmessage->sitbad == 0 &&
+@@ -7183,6 +7194,7 @@ process_opt(resquery_t *query, dns_rdata
+ 				isc_buffer_forward(&optbuf, optlen);
+ 				inc_stats(query->fctx->res,
+ 					  dns_resstatscounter_sitin);
++				seen_cookie = ISC_TRUE;
+ 				break;
+ #endif
+ 			default:
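Review bot: The comment added above the new early return in process_sit() (bin/named/client.c section) says "already seen a ECS option", but the guard tests `NS_CLIENTATTR_WANTSIT`, the cookie/SIT attribute that is set immediately after it. It should read `If we have already seen a cookie option, skip this one.` so the duplicate-cookie check for CVE-2016-2088 is not mistaken for client-subnet handling. In the dighost.c and resolver.c sections the added lines are indented with spaces where the context lines use tabs, and `case DNS_OPT_SIT:` is removed and re-added with a space before the tab; this looks like a by-product of the "minor fixup" and is worth normalising. The embedded diffstat still lists doc/arm/notes.xml and 5 lines for CHANGES, while the body has no notes.xml section and only 4 added CHANGES lines, so the patch header should state which upstream hunks were dropped or altered. The process_sit() and process_opt() bodies continue outside the lines shown.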
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index f1951a0..0dfa314 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -28,6 +28,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://CVE-2016-1285.patch \
            file://CVE-2016-1286_1.patch \
            file://CVE-2016-1286_2.patch \
+           file://CVE-2016-2088.patch \
            "
 
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"
