From 41f90b8125f0d9acabd8018a27a5f3436816f3fe6848918c20adf18ea9d3d9cd Mon Sep 17 00:00:00 2001
From: Navin Kukreja
Date: Tue, 23 Jan 2018 22:28:59 +0000
Subject: [PATCH] Accepting request 568769 from home:nkukreja:branches:network
- Apply bind-CVE-2017-3145.patch to fix CVE-2017-3145 (bsc#1076118)
OBS-URL: https://build.opensuse.org/request/show/568769
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=228
---
 bind-CVE-2017-3145.patch | 138 +++++++++++++++++++++++++++++++++++++++
 bind.changes | 5 ++
 bind.spec | 4 +-
 3 files changed, 146 insertions(+), 1 deletion(-)
 create mode 100644 bind-CVE-2017-3145.patch
diff --git a/bind-CVE-2017-3145.patch b/bind-CVE-2017-3145.patch
new file mode 100644
index 0000000..0751c1a
--- /dev/null
+++ b/bind-CVE-2017-3145.patch
@@ -0,0 +1,138 @@
+diff --git a/CHANGES b/CHANGES
+index 5aa5053..32f920d 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,9 @@
++ --- 9.11.2-P1 released ---
++
++4858. [security] Addresses could be referenced after being freed
++ in resolver.c, causing an assertion failure.
++ (CVE-2017-3145) [RT #46839]
++
+ --- 9.11.2 released ---
+
+ --- 9.11.2rc2 released ---
+diff --git a/lib/dns/api b/lib/dns/api
+index 711bfd8..eadd740 100644
+--- a/lib/dns/api
++++ b/lib/dns/api
+@@ -9,5 +9,5 @@
+ # 9.11: 160-169
+ # 9.12: 1200-1299
+ LIBINTERFACE = 169
+-LIBREVISION = 1
++LIBREVISION = 2
+ LIBAGE = 0
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8eb1d97..eb1ebcf 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -831,7 +831,7 @@ fctx_stoptimer(fetchctx_t *fctx) {
+ * cannot fail in that case.
+ */
+ result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
+- NULL, NULL, ISC_TRUE);
++ NULL, NULL, ISC_TRUE);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_timer_reset(): %s",
+@@ -839,7 +839,6 @@ fctx_stoptimer(fetchctx_t *fctx) {
+ }
+ }
+
+-
+ static inline isc_result_t
+ fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) {
+ /*
+@@ -1116,7 +1115,8 @@ fctx_cleanupfinds(fetchctx_t *fctx) {
+
+ for (find = ISC_LIST_HEAD(fctx->finds);
+ find != NULL;
+- find = next_find) {
++ find = next_find)
++ {
+ next_find = ISC_LIST_NEXT(find, publink);
+ ISC_LIST_UNLINK(fctx->finds, find, publink);
+ dns_adb_destroyfind(&find);
+@@ -1132,7 +1132,8 @@ fctx_cleanupaltfinds(fetchctx_t *fctx) {
+
+ for (find = ISC_LIST_HEAD(fctx->altfinds);
+ find != NULL;
+- find = next_find) {
++ find = next_find)
++ {
+ next_find = ISC_LIST_NEXT(find, publink);
+ ISC_LIST_UNLINK(fctx->altfinds, find, publink);
+ dns_adb_destroyfind(&find);
+@@ -1148,7 +1149,8 @@ fctx_cleanupforwaddrs(fetchctx_t *fctx) {
+
+ for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
+ addr != NULL;
+- addr = next_addr) {
++ addr = next_addr)
++ {
+ next_addr = ISC_LIST_NEXT(addr, publink);
+ ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
+ dns_adb_freeaddrinfo(fctx->adb, &addr);
+@@ -1163,7 +1165,8 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) {
+
+ for (addr = ISC_LIST_HEAD(fctx->altaddrs);
+ addr != NULL;
+- addr = next_addr) {
++ addr = next_addr)
++ {
+ next_addr = ISC_LIST_NEXT(addr, publink);
+ ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
+ dns_adb_freeaddrinfo(fctx->adb, &addr);
+@@ -1171,16 +1174,20 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) {
+ }
+
+ static inline void
+-fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response,
+- isc_boolean_t age_untried)
++fctx_stopqueries(fetchctx_t *fctx, isc_boolean_t no_response,
++ isc_boolean_t age_untried)
+ {
+- FCTXTRACE("stopeverything");
++ FCTXTRACE("stopqueries");
+ fctx_cancelqueries(fctx, no_response, age_untried);
++ fctx_stoptimer(fctx);
++}
++
++static inline void
++fctx_cleanupall(fetchctx_t *fctx) {
+ fctx_cleanupfinds(fctx);
+ fctx_cleanupaltfinds(fctx);
+ fctx_cleanupforwaddrs(fctx);
+ fctx_cleanupaltaddrs(fctx);
+- fctx_stoptimer(fctx);
+ }
+
+ static void
+@@ -1431,7 +1438,8 @@ fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
+ age_untried = ISC_TRUE;
+
+ fctx->reason = NULL;
+- fctx_stopeverything(fctx, no_response, age_untried);
++
++ fctx_stopqueries(fctx, no_response, age_untried);
+
+ LOCK(&res->buckets[fctx->bucketnum].lock);
+
+@@ -4022,11 +4030,12 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
+ dns_resolver_cancelfetch(fctx->nsfetch);
+
+ /*
+- * Shut down anything that is still running on behalf of this
+- * fetch. To avoid deadlock with the ADB, we must do this
+- * before we lock the bucket lock.
++ * Shut down anything still running on behalf of this
++ * fetch, and clean up finds and addresses. To avoid deadlock
++ * with the ADB, we must do this before we lock the bucket lock.
+ */
+- fctx_stopeverything(fctx, ISC_FALSE, ISC_FALSE);
++ fctx_stopqueries(fctx, ISC_FALSE, ISC_FALSE);
++ fctx_cleanupall(fctx);
+
+ LOCK(&res->buckets[bucketnum].lock);
+
diff --git a/bind.changes b/bind.changes
index 8575bc0..bc3aebf 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Jan 23 21:59:24 UTC 2018 - navin.kukreja@suse.com
+
+- Apply bind-CVE-2017-3145.patch to fix CVE-2017-3145 (bsc#1076118)
+
 -------------------------------------------------------------------
 Wed Dec 6 13:35:59 UTC 2017 - vcizek@suse.com
diff --git a/bind.spec b/bind.spec
index 0b1f237..415f06d 100644
--- a/bind.spec
+++ b/bind.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package bind
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -72,6 +72,7 @@ Patch4: perl-path.diff
 Patch51: pie_compile.diff
 Patch52: named-bootconf.diff
 Patch53: bind-sdb-ldap.patch
+Patch54: bind-CVE-2017-3145.patch
 BuildRequires: libcap-devel
 BuildRequires: libmysqlclient-devel
 BuildRequires: libopenssl-devel
@@ -299,6 +300,7 @@ This package provides a module which allows commands to be sent to rndc directly
 %patch51
 %patch52
 %patch53
+%patch54 -p1
 # use the year from source gzip header instead of current one to make reproducible rpms
 year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{SOURCE0})
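Review bot: In the resolver.c hunk at @@ -1431 (fctx_done), the finds/altfinds/forwaddrs/altaddrs lists are no longer freed when a fetch completes — only the queries and timer are stopped — yet nothing at that call site says why, so a later rebase could fold the cleanup back into fctx_done and reintroduce the use-after-free this patch fixes. I'd add above the fctx_stopqueries call: `/* Do not free finds/addrs here: they can still be referenced after the fetch is done (CVE-2017-3145); fctx_doshutdown runs fctx_cleanupall once nothing else can touch them. */`. That makes fctx_doshutdown the only place the lists are drained, so any path that destroys an fctx without passing through it would now leak (or trip an assertion, if fctx_destroy REQUIREs the lists empty) — worth confirming against fctx_destroy, which is outside the hunk, as are the bodies of fctx_done and fctx_doshutdown. The backport also carries whitespace-only hunks (@@ -831, @@ -839) and brace-placement changes in the four cleanup loops; trimming it to the functional change would keep the distro patch minimal and easier to rebase.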