diff --git a/bind.changes b/bind.changes index b663378..f404391 100644 --- a/bind.changes +++ b/bind.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Sep 27 16:29:19 UTC 2016 - psimons@suse.com + +- Apply cve-2016-2776.patch to fix CVE-2016-2776 (bsc#1000362). + ------------------------------------------------------------------- Thu Jun 16 09:57:29 UTC 2016 - max@suse.com diff --git a/bind.spec b/bind.spec index 2870fcb..f893059 100644 --- a/bind.spec +++ b/bind.spec @@ -45,6 +45,7 @@ Patch52: named-bootconf.diff Patch53: bind-sdb-ldap.patch Patch101: runidn.diff Patch102: idnkit-powerpc-ltconfig.patch +Patch103: cve-2016-2776.patch BuildRequires: krb5-devel BuildRequires: libcap-devel BuildRequires: libmysqlclient-devel @@ -376,6 +377,8 @@ Name Domain (BIND) DNS server is found in the package named bind. %patch53 %patch101 -p1 %patch102 -p1 +%patch103 -p1 + # use the year from source gzip header instead of current one to make reproducible rpms year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{S:0}) sed -i "s/stdout, copyright, year/stdout, copyright, \"-$year\"/" lib/dns/gen.c diff --git a/cve-2016-2776.patch b/cve-2016-2776.patch new file mode 100644 index 0000000..23078f5 --- /dev/null +++ b/cve-2016-2776.patch @@ -0,0 +1,89 @@ +Index: bind-9.10.3-P4/lib/dns/message.c +=================================================================== +--- bind-9.10.3-P4.orig/lib/dns/message.c 2016-09-27 18:38:44.843342507 +0200 ++++ bind-9.10.3-P4/lib/dns/message.c 2016-09-27 18:38:47.871359253 +0200 +@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *m + if (r.length < DNS_MESSAGE_HEADERLEN) + return (ISC_R_NOSPACE); + +- if (r.length < msg->reserved) ++ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved) + return (ISC_R_NOSPACE); + + /* +@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t * + + return (ISC_TRUE); + } +- + #endif ++ ++static isc_result_t ++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name, ++ dns_compress_t *cctx, isc_buffer_t *target, ++ unsigned int reserved, unsigned int options, unsigned int *countp) ++{ ++ isc_result_t result; ++ ++ /* ++ * Shrink the space in the buffer by the reserved amount. ++ */ ++ if (target->length - target->used < reserved) ++ return (ISC_R_NOSPACE); ++ ++ target->length -= reserved; ++ result = dns_rdataset_towire(rdataset, owner_name, ++ cctx, target, options, countp); ++ target->length += reserved; ++ ++ return (result); ++} ++ + isc_result_t + dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, + unsigned int options) +@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t + /* + * Shrink the space in the buffer by the reserved amount. + */ ++ if (msg->buffer->length - msg->buffer->used < msg->reserved) ++ return (ISC_R_NOSPACE); + msg->buffer->length -= msg->reserved; + + total = 0; +@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg + * Render. + */ + count = 0; +- result = dns_rdataset_towire(msg->opt, dns_rootname, +- msg->cctx, msg->buffer, 0, +- &count); ++ result = renderset(msg->opt, dns_rootname, msg->cctx, ++ msg->buffer, msg->reserved, 0, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) + return (result); +@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg + if (result != ISC_R_SUCCESS) + return (result); + count = 0; +- result = dns_rdataset_towire(msg->tsig, msg->tsigname, +- msg->cctx, msg->buffer, 0, +- &count); ++ result = renderset(msg->tsig, msg->tsigname, msg->cctx, ++ msg->buffer, msg->reserved, 0, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) + return (result); +@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg + * the owner name of a SIG(0) is irrelevant, and will not + * be set in a message being rendered. + */ +- result = dns_rdataset_towire(msg->sig0, dns_rootname, +- msg->cctx, msg->buffer, 0, +- &count); ++ result = renderset(msg->sig0, dns_rootname, msg->cctx, ++ msg->buffer, msg->reserved, 0, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) + return (result);