From 9e49836a48ad91a245fb3ed26158a084768deda9e23332162e9fb792313ef24f Mon Sep 17 00:00:00 2001 From: Navin Kukreja Date: Wed, 15 Feb 2017 13:26:45 +0000 Subject: [PATCH] Accepting request 457420 from home:nkukreja:branches:network - Fix assertion failure or a NULL pointer read for configurations using both DNS64 and RPZ * CVE-2017-3135, bsc#1024130 * bind-CVE-2017-3135.patch OBS-URL: https://build.opensuse.org/request/show/457420 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=203 --- bind-CVE-2017-3135.patch | 645 +++++++++++++++++++++++++++++++++++++++ bind.changes | 7 + bind.spec | 2 + 3 files changed, 654 insertions(+) create mode 100644 bind-CVE-2017-3135.patch diff --git a/bind-CVE-2017-3135.patch b/bind-CVE-2017-3135.patch new file mode 100644 index 0000000..e02cdd7 --- /dev/null +++ b/bind-CVE-2017-3135.patch @@ -0,0 +1,645 @@ +Index: bind-9.10.4-P5/bin/tests/system/dname/ans3/ans.pl +=================================================================== +--- /dev/null ++++ bind-9.10.4-P5/bin/tests/system/dname/ans3/ans.pl +@@ -0,0 +1,95 @@ ++#!/usr/bin/env perl ++# ++# Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++use strict; ++use warnings; ++ ++use IO::File; ++use Getopt::Long; ++use Net::DNS::Nameserver; ++ ++my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; ++print $pidf "$$\n" or die "cannot write pid file: $!"; ++$pidf->close or die "cannot close pid file: $!"; ++sub rmpid { unlink "ans.pid"; exit 1; }; ++ ++$SIG{INT} = \&rmpid; ++$SIG{TERM} = \&rmpid; ++ ++my $localaddr = "10.53.0.3"; ++my $localport = 5300; ++my $verbose = 0; ++my $ttl = 60; ++my $zone = "example.broken"; ++my $nsname = "ns3.$zone"; ++my $synth = "synth-then-dname.$zone"; ++my $synth2 = "synth2-then-dname.$zone"; ++ ++sub reply_handler { ++ my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_; ++ my ($rcode, @ans, @auth, @add); ++ ++ print ("request: $qname/$qtype\n"); ++ STDOUT->flush(); ++ ++ if ($qname eq "example.broken") { ++ if ($qtype eq "SOA") { ++ my $rr = new Net::DNS::RR("$qname $ttl $qclass SOA . . 0 0 0 0 0"); ++ push @ans, $rr; ++ } elsif ($qtype eq "NS") { ++ my $rr = new Net::DNS::RR("$qname $ttl $qclass NS $nsname"); ++ push @ans, $rr; ++ $rr = new Net::DNS::RR("$nsname $ttl $qclass A $localaddr"); ++ push @add, $rr; ++ } ++ $rcode = "NOERROR"; ++ } elsif ($qname eq "cname-to-$synth2") { ++ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.$synth2"); ++ push @ans, $rr; ++ $rr = new Net::DNS::RR("name.$synth2 $ttl $qclass CNAME name"); ++ push @ans, $rr; ++ $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME ."); ++ push @ans, $rr; ++ $rcode = "NOERROR"; ++ } elsif ($qname eq "$synth" || $qname eq "$synth2") { ++ if ($qtype eq "DNAME") { ++ my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME ."); ++ push @ans, $rr; ++ } ++ $rcode = "NOERROR"; ++ } elsif ($qname eq "name.$synth") { ++ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name."); ++ push @ans, $rr; ++ $rr = new Net::DNS::RR("$synth $ttl $qclass DNAME ."); ++ push @ans, $rr; ++ $rcode = "NOERROR"; ++ } elsif ($qname eq "name.$synth2") { ++ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name."); ++ push @ans, $rr; ++ $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME ."); ++ push @ans, $rr; ++ $rcode = "NOERROR"; ++ } else { ++ $rcode = "REFUSED"; ++ } ++ return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); ++} ++ ++GetOptions( ++ 'port=i' => \$localport, ++ 'verbose!' => \$verbose, ++); ++ ++my $ns = Net::DNS::Nameserver->new( ++ LocalAddr => $localaddr, ++ LocalPort => $localport, ++ ReplyHandler => \&reply_handler, ++ Verbose => $verbose, ++); ++ ++$ns->main_loop; +Index: bind-9.10.4-P5/bin/tests/system/dname/ns1/root.db +=================================================================== +--- bind-9.10.4-P5.orig/bin/tests/system/dname/ns1/root.db ++++ bind-9.10.4-P5/bin/tests/system/dname/ns1/root.db +@@ -12,8 +12,6 @@ + ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + ; PERFORMANCE OF THIS SOFTWARE. + +-; $Id: root.db,v 1.2 2011/03/18 21:14:19 fdupont Exp $ +- + $TTL 300 + . IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial +@@ -27,3 +25,6 @@ a.root-servers.nil. A 10.53.0.1 + + example. NS ns2.example. + ns2.example. A 10.53.0.2 ++ ++example.broken. NS ns3.example.broken. ++ns3.example.broken. A 10.53.0.3 +Index: bind-9.10.4-P5/bin/tests/system/dname/tests.sh +=================================================================== +--- bind-9.10.4-P5.orig/bin/tests/system/dname/tests.sh ++++ bind-9.10.4-P5/bin/tests/system/dname/tests.sh +@@ -20,6 +20,7 @@ SYSTEMTESTTOP=.. + . $SYSTEMTESTTOP/conf.sh + + status=0 ++n=0 + + echo "I:checking short dname from authoritative" + ret=0 +@@ -81,6 +82,26 @@ grep '^a.target.example.' dig.out.ns4.cn + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` + +-echo "I:exit status: $status" ++n=`expr $n + 1` ++echo "I:checking dname is returned with synthesized cname before dname ($n)" ++ret=0 ++$DIG @10.53.0.4 -p 5300 name.synth-then-dname.example.broken A > dig.out.test$n ++grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 ++grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 ++grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` + +-exit $status ++n=`expr $n + 1` ++echo "I:checking dname is returned with cname to synthesized cname before dname ($n)" ++ret=0 ++$DIG @10.53.0.4 -p 5300 cname-to-synth2-then-dname.example.broken A > dig.out.test$n ++grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 ++grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1 ++grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 ++grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++echo "I:exit status: $status" ++[ $status -eq 0 ] || exit 1 +Index: bind-9.10.4-P5/lib/dns/resolver.c +=================================================================== +--- bind-9.10.4-P5.orig/lib/dns/resolver.c ++++ bind-9.10.4-P5/lib/dns/resolver.c +@@ -6099,9 +6099,13 @@ cname_target(dns_rdataset_t *rdataset, d + return (ISC_R_SUCCESS); + } + ++/*% ++ * Construct the synthesised CNAME from the existing QNAME and ++ * the DNAME RR and store it in 'target'. ++ */ + static inline isc_result_t + dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, +- unsigned int nlabels, dns_fixedname_t *fixeddname) ++ unsigned int nlabels, dns_name_t *target) + { + isc_result_t result; + dns_rdata_t rdata = DNS_RDATA_INIT; +@@ -6121,14 +6125,33 @@ dname_target(dns_rdataset_t *rdataset, d + + dns_fixedname_init(&prefix); + dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); +- dns_fixedname_init(fixeddname); + result = dns_name_concatenate(dns_fixedname_name(&prefix), +- &dname.dname, +- dns_fixedname_name(fixeddname), NULL); ++ &dname.dname, target, NULL); + dns_rdata_freestruct(&dname); + return (result); + } + ++/*% ++ * Check if it was possible to construct 'qname' from 'lastcname' ++ * and 'rdataset'. ++ */ ++static inline isc_result_t ++fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname, ++ unsigned int nlabels, const dns_name_t *qname) ++{ ++ dns_fixedname_t fixed; ++ isc_result_t result; ++ dns_name_t *target; ++ ++ dns_fixedname_init(&fixed); ++ target = dns_fixedname_name(&fixed); ++ result = dname_target(rdataset, lastcname, nlabels, target); ++ if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target)) ++ return (ISC_R_NOTFOUND); ++ ++ return (ISC_R_SUCCESS); ++} ++ + static isc_boolean_t + is_answeraddress_allowed(dns_view_t *view, dns_name_t *name, + dns_rdataset_t *rdataset) +@@ -6745,12 +6768,12 @@ answer_response(fetchctx_t *fctx) { + isc_result_t result; + dns_message_t *message; + dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; +- dns_name_t *cname = NULL; ++ dns_name_t *cname = NULL, *lastcname = NULL; + dns_rdataset_t *rdataset, *ns_rdataset; +- isc_boolean_t done, external, chaining, aa, found, want_chaining; ++ isc_boolean_t done, external, aa, found, want_chaining; + isc_boolean_t have_answer, found_cname, found_dname, found_type; + isc_boolean_t wanted_chaining; +- unsigned int aflag; ++ unsigned int aflag, chaining; + dns_rdatatype_t type; + dns_fixedname_t fdname, fqname; + dns_view_t *view; +@@ -6768,9 +6791,9 @@ answer_response(fetchctx_t *fctx) { + found_cname = ISC_FALSE; + found_dname = ISC_FALSE; + found_type = ISC_FALSE; +- chaining = ISC_FALSE; + have_answer = ISC_FALSE; + want_chaining = ISC_FALSE; ++ chaining = 0; + POST(want_chaining); + if ((message->flags & DNS_MESSAGEFLAG_AA) != 0) + aa = ISC_TRUE; +@@ -6781,14 +6804,15 @@ answer_response(fetchctx_t *fctx) { + view = fctx->res->view; + result = dns_message_firstname(message, DNS_SECTION_ANSWER); + while (!done && result == ISC_R_SUCCESS) { +- dns_namereln_t namereln; +- int order; +- unsigned int nlabels; ++ dns_namereln_t namereln, lastreln; ++ int order, lastorder; ++ unsigned int nlabels, lastnlabels; + + name = NULL; + dns_message_currentname(message, DNS_SECTION_ANSWER, &name); + external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); + namereln = dns_name_fullcompare(qname, name, &order, &nlabels); ++ + if (namereln == dns_namereln_equal) { + wanted_chaining = ISC_FALSE; + for (rdataset = ISC_LIST_HEAD(name->list); +@@ -6894,6 +6918,7 @@ answer_response(fetchctx_t *fctx) { + &fctx->domain)) { + return (DNS_R_SERVFAIL); + } ++ lastcname = name; + } else if (rdataset->type == dns_rdatatype_rrsig + && rdataset->covers == + dns_rdatatype_cname +@@ -6917,7 +6942,7 @@ answer_response(fetchctx_t *fctx) { + rdataset->attributes |= + DNS_RDATASETATTR_CACHE; + rdataset->trust = dns_trust_answer; +- if (!chaining) { ++ if (chaining == 0) { + /* + * This data is "the" answer + * to our question only if +@@ -6994,10 +7019,21 @@ answer_response(fetchctx_t *fctx) { + * cause us to ignore the signatures of + * CNAMEs. + */ +- if (wanted_chaining) +- chaining = ISC_TRUE; ++ if (wanted_chaining && chaining < 2U) ++ chaining++; + } else { + dns_rdataset_t *dnameset = NULL; ++ isc_boolean_t synthcname = ISC_FALSE; ++ ++ if (lastcname != NULL) { ++ lastreln = dns_name_fullcompare(lastcname, ++ name, ++ &lastorder, ++ &lastnlabels); ++ if (lastreln == dns_namereln_subdomain && ++ lastnlabels == dns_name_countlabels(name)) ++ synthcname = ISC_TRUE; ++ } + + /* + * Look for a DNAME (or its SIG). Anything else is +@@ -7026,7 +7062,7 @@ answer_response(fetchctx_t *fctx) { + * If we're not chaining, then the DNAME and + * its signature should not be external. + */ +- if (!chaining && external) { ++ if (chaining == 0 && external) { + char qbuf[DNS_NAME_FORMATSIZE]; + char obuf[DNS_NAME_FORMATSIZE]; + +@@ -7044,16 +7080,9 @@ answer_response(fetchctx_t *fctx) { + /* + * If DNAME + synthetic CNAME then the + * namereln is dns_namereln_subdomain. +- * +- * If synthetic CNAME + DNAME then the +- * namereln is dns_namereln_commonancestor +- * and the number of label must match the +- * DNAME. This order is not RFC compliant. + */ +- + if (namereln != dns_namereln_subdomain && +- (namereln != dns_namereln_commonancestor || +- nlabels != dns_name_countlabels(name))) ++ !synthcname) + { + char qbuf[DNS_NAME_FORMATSIZE]; + char obuf[DNS_NAME_FORMATSIZE]; +@@ -7073,8 +7102,19 @@ answer_response(fetchctx_t *fctx) { + want_chaining = ISC_TRUE; + POST(want_chaining); + aflag = DNS_RDATASETATTR_ANSWER; +- result = dname_target(rdataset, qname, +- nlabels, &fdname); ++ dns_fixedname_init(&fdname); ++ dname = dns_fixedname_name(&fdname); ++ if (synthcname) { ++ result = fromdname(rdataset, ++ lastcname, ++ lastnlabels, ++ qname); ++ } else { ++ result = dname_target(rdataset, ++ qname, ++ nlabels, ++ dname); ++ } + if (result == ISC_R_NOSPACE) { + /* + * We can't construct the +@@ -7088,8 +7128,8 @@ answer_response(fetchctx_t *fctx) { + else + dnameset = rdataset; + +- dname = dns_fixedname_name(&fdname); +- if (!is_answertarget_allowed(view, ++ if (!synthcname && ++ !is_answertarget_allowed(view, + qname, rdataset->type, + dname, &fctx->domain)) + { +@@ -7110,7 +7150,13 @@ answer_response(fetchctx_t *fctx) { + name->attributes |= DNS_NAMEATTR_CACHE; + rdataset->attributes |= DNS_RDATASETATTR_CACHE; + rdataset->trust = dns_trust_answer; +- if (!chaining) { ++ /* ++ * If we are not chaining or the first CNAME ++ * is a synthesised CNAME before the DNAME. ++ */ ++ if ((chaining == 0) || ++ (chaining == 1U && synthcname)) ++ { + /* + * This data is "the" answer to + * our question only if we're +@@ -7120,9 +7166,12 @@ answer_response(fetchctx_t *fctx) { + if (aflag == DNS_RDATASETATTR_ANSWER) { + have_answer = ISC_TRUE; + found_dname = ISC_TRUE; +- if (cname != NULL) ++ if (cname != NULL && ++ synthcname) ++ { + cname->attributes &= + ~DNS_NAMEATTR_ANSWER; ++ } + name->attributes |= + DNS_NAMEATTR_ANSWER; + } +@@ -7140,26 +7189,35 @@ answer_response(fetchctx_t *fctx) { + * DNAME chaining. + */ + if (dnameset != NULL) { +- /* +- * Copy the dname into the qname fixed name. +- * +- * Although we check for failure of the copy +- * operation, in practice it should never fail +- * since we already know that the result fits +- * in a fixedname. +- */ +- dns_fixedname_init(&fqname); +- qname = dns_fixedname_name(&fqname); +- result = dns_name_copy(dname, qname, NULL); +- if (result != ISC_R_SUCCESS) +- return (result); ++ if (!synthcname) { ++ /* ++ * Copy the dname into the qname fixed ++ * name. ++ * ++ * Although we check for failure of the ++ * copy operation, in practice it ++ * should never fail since we already ++ * know that the result fits in a ++ * fixedname. ++ */ ++ dns_fixedname_init(&fqname); ++ qname = dns_fixedname_name(&fqname); ++ result = dns_name_copy(dname, qname, ++ NULL); ++ if (result != ISC_R_SUCCESS) ++ return (result); ++ } + wanted_chaining = ISC_TRUE; + name->attributes |= DNS_NAMEATTR_CHAINING; + dnameset->attributes |= + DNS_RDATASETATTR_CHAINING; + } +- if (wanted_chaining) +- chaining = ISC_TRUE; ++ /* ++ * Ensure that we can't ever get chaining == 1 ++ * above if we have processed a DNAME. ++ */ ++ if (wanted_chaining && chaining < 2U) ++ chaining += 2; + } + result = dns_message_nextname(message, DNS_SECTION_ANSWER); + } +@@ -7184,7 +7242,7 @@ answer_response(fetchctx_t *fctx) { + /* + * Did chaining end before we got the final answer? + */ +- if (chaining) { ++ if (chaining != 0) { + /* + * Yes. This may be a negative reply, so hand off + * authority section processing to the noanswer code. +@@ -7233,7 +7291,7 @@ answer_response(fetchctx_t *fctx) { + DNS_NAMEATTR_CACHE; + rdataset->attributes |= + DNS_RDATASETATTR_CACHE; +- if (aa && !chaining) ++ if (aa && chaining == 0) + rdataset->trust = + dns_trust_authauthority; + else +Index: bind-9.10.4-P5/bin/named/query.c +=================================================================== +--- bind-9.10.4-P5.orig/bin/named/query.c ++++ bind-9.10.4-P5/bin/named/query.c +@@ -6237,7 +6237,7 @@ query_find(ns_client_t *client, dns_fetc + dns_rpz_st_t *rpz_st; + isc_boolean_t resuming; + int line = -1; +- isc_boolean_t dns64_exclude, dns64; ++ isc_boolean_t dns64_exclude, dns64, rpz; + isc_boolean_t nxrewrite = ISC_FALSE; + isc_boolean_t redirected = ISC_FALSE; + dns_clientinfomethods_t cm; +@@ -6250,6 +6250,7 @@ query_find(ns_client_t *client, dns_fetc + char mbuf[BUFSIZ]; + char qbuf[DNS_NAME_FORMATSIZE]; + #endif ++ dns_name_t *rpzqname; + + CTRACE(ISC_LOG_DEBUG(3), "query_find"); + +@@ -6275,7 +6276,7 @@ query_find(ns_client_t *client, dns_fetc + zone = NULL; + need_wildcardproof = ISC_FALSE; + empty_wild = ISC_FALSE; +- dns64_exclude = dns64 = ISC_FALSE; ++ dns64_exclude = dns64 = rpz = ISC_FALSE; + options = 0; + resuming = ISC_FALSE; + is_zone = ISC_FALSE; +@@ -6465,6 +6466,7 @@ query_find(ns_client_t *client, dns_fetc + authoritative = ISC_FALSE; + version = NULL; + need_wildcardproof = ISC_FALSE; ++ rpz = ISC_FALSE; + + if (client->view->checknames && + !dns_rdata_checkowner(client->query.qname, +@@ -6606,11 +6608,29 @@ query_find(ns_client_t *client, dns_fetc + } + + /* +- * Now look for an answer in the database. ++ * Now look for an answer in the database. If this is a dns64 ++ * AAAA lookup on a rpz database adjust the qname. + */ +- result = dns_db_findext(db, client->query.qname, version, type, ++ if (dns64 && rpz) ++ rpzqname = client->query.rpz_st->p_name; ++ else ++ rpzqname = client->query.qname; ++ ++ result = dns_db_findext(db, rpzqname, version, type, + client->query.dboptions, client->now, + &node, fname, &cm, &ci, rdataset, sigrdataset); ++ /* ++ * Fixup fname and sigrdataset. ++ */ ++ if (dns64 && rpz) { ++ isc_result_t rresult; ++ ++ rresult = dns_name_copy(client->query.qname, fname, NULL); ++ RUNTIME_CHECK(rresult == ISC_R_SUCCESS); ++ if (sigrdataset != NULL && ++ dns_rdataset_isassociated(sigrdataset)) ++ dns_rdataset_disassociate(sigrdataset); ++ } + + if (!is_zone) + dns_cache_updatestats(client->view->cache, result); +@@ -6840,10 +6860,12 @@ query_find(ns_client_t *client, dns_fetc + case DNS_RPZ_POLICY_NXDOMAIN: + result = DNS_R_NXDOMAIN; + nxrewrite = ISC_TRUE; ++ rpz = ISC_TRUE; + break; + case DNS_RPZ_POLICY_NODATA: + result = DNS_R_NXRRSET; + nxrewrite = ISC_TRUE; ++ rpz = ISC_TRUE; + break; + case DNS_RPZ_POLICY_RECORD: + result = rpz_st->m.result; +@@ -6863,6 +6885,7 @@ query_find(ns_client_t *client, dns_fetc + rdataset->ttl = ISC_MIN(rdataset->ttl, + rpz_st->m.ttl); + } ++ rpz = ISC_TRUE; + break; + case DNS_RPZ_POLICY_WILDCNAME: + result = dns_rdataset_first(rdataset); +@@ -6905,7 +6928,6 @@ query_find(ns_client_t *client, dns_fetc + NS_CLIENTATTR_WANTAD); + client->message->flags &= ~DNS_MESSAGEFLAG_AD; + query_putrdataset(client, &sigrdataset); +- rpz_st->q.is_zone = is_zone; + is_zone = ISC_TRUE; + rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy, + rpz_st->m.type, zone, rpz_st->p_name); +@@ -7289,15 +7311,6 @@ query_find(ns_client_t *client, dns_fetc + rdataset = NULL; + sigrdataset = NULL; + type = qtype = dns_rdatatype_a; +- rpz_st = client->query.rpz_st; +- if (rpz_st != NULL) { +- /* +- * Arrange for RPZ rewriting of any A records. +- */ +- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0) +- is_zone = rpz_st->q.is_zone; +- rpz_st_clear(client); +- } + dns64 = ISC_TRUE; + goto db_find; + } +@@ -7612,15 +7625,6 @@ query_find(ns_client_t *client, dns_fetc + sigrdataset = NULL; + fname = NULL; + type = qtype = dns_rdatatype_a; +- rpz_st = client->query.rpz_st; +- if (rpz_st != NULL) { +- /* +- * Arrange for RPZ rewriting of any A records. +- */ +- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0) +- is_zone = rpz_st->q.is_zone; +- rpz_st_clear(client); +- } + dns64 = ISC_TRUE; + goto db_find; + } +@@ -8154,15 +8158,6 @@ query_find(ns_client_t *client, dns_fetc + rdataset = NULL; + sigrdataset = NULL; + type = qtype = dns_rdatatype_a; +- rpz_st = client->query.rpz_st; +- if (rpz_st != NULL) { +- /* +- * Arrange for RPZ rewriting of any A records. +- */ +- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0) +- is_zone = rpz_st->q.is_zone; +- rpz_st_clear(client); +- } + dns64_exclude = dns64 = ISC_TRUE; + goto db_find; + } +Index: bind-9.10.4-P5/lib/dns/message.c +=================================================================== +--- bind-9.10.4-P5.orig/lib/dns/message.c ++++ bind-9.10.4-P5/lib/dns/message.c +@@ -1219,8 +1219,8 @@ getsection(isc_buffer_t *source, dns_mes + { + isc_region_t r; + unsigned int count, rdatalen; +- dns_name_t *name; +- dns_name_t *name2; ++ dns_name_t *name = NULL; ++ dns_name_t *name2 = NULL; + dns_offsets_t *offsets; + dns_rdataset_t *rdataset; + dns_rdatalist_t *rdatalist; +@@ -1230,7 +1230,7 @@ getsection(isc_buffer_t *source, dns_mes + dns_rdata_t *rdata; + dns_ttl_t ttl; + dns_namelist_t *section; +- isc_boolean_t free_name, free_rdataset; ++ isc_boolean_t free_name = ISC_FALSE, free_rdataset = ISC_FALSE; + isc_boolean_t preserve_order, best_effort, seen_problem; + isc_boolean_t issigzero; + +Index: bind-9.10.4-P5/lib/dns/rdataset.c +=================================================================== +--- bind-9.10.4-P5.orig/lib/dns/rdataset.c ++++ bind-9.10.4-P5/lib/dns/rdataset.c +@@ -338,6 +338,7 @@ towiresorted(dns_rdataset_t *rdataset, c + */ + + REQUIRE(DNS_RDATASET_VALID(rdataset)); ++ REQUIRE(rdataset->methods != NULL); + REQUIRE(countp != NULL); + REQUIRE((order == NULL) == (order_arg == NULL)); + REQUIRE(cctx != NULL && cctx->mctx != NULL); diff --git a/bind.changes b/bind.changes index d94c988..d828c83 100644 --- a/bind.changes +++ b/bind.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Feb 15 12:50:42 UTC 2017 - navin.kukreja@suse.com + +- Fix assertion failure or a NULL pointer read for configurations using both DNS64 and RPZ + * CVE-2017-3135, bsc#1024130 + * bind-CVE-2017-3135.patch + ------------------------------------------------------------------- Thu Jan 12 04:43:56 UTC 2017 - sflees@suse.de diff --git a/bind.spec b/bind.spec index 09e264e..0ef4ac4 100644 --- a/bind.spec +++ b/bind.spec @@ -45,6 +45,7 @@ Patch52: named-bootconf.diff Patch53: bind-sdb-ldap.patch Patch101: runidn.diff Patch102: idnkit-powerpc-ltconfig.patch +Patch103: bind-CVE-2017-3135.patch BuildRequires: krb5-devel BuildRequires: libcap-devel BuildRequires: libmysqlclient-devel @@ -376,6 +377,7 @@ Name Domain (BIND) DNS server is found in the package named bind. %patch53 %patch101 -p1 %patch102 -p1 +%patch103 -p1 # use the year from source gzip header instead of current one to make reproducible rpms year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{S:0})