[bind/f14] Fix CVE-2011-2464
Adam Tkac
atkac at fedoraproject.org
Wed Jul 6 20:44:37 UTC 2011
commit ae2319ec286422ce7992affc40780c73b94dcebd
Author: Adam Tkac <atkac at redhat.com>
Date: Wed Jul 6 22:43:59 2011 +0200
Fix CVE-2011-2464
Signed-off-by: Adam Tkac <atkac at redhat.com>
bind.spec | 7 +-
bind97-CVE-2011-2464.patch | 402 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 408 insertions(+), 1 deletions(-)
---
diff --git a/bind.spec b/bind.spec
index 13ba865..a5f2399 100644
--- a/bind.spec
+++ b/bind.spec
@@ -21,7 +21,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.7.4
-Release: 0.2.%{PREVER}%{?dist}
+Release: 0.3.%{PREVER}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -59,6 +59,7 @@ Patch109:bind97-rh478718.patch
Patch110:bind97-rh570851.patch
Patch112:bind97-rh645544.patch
Patch113:bind97-CVE-2011-1910.patch
+Patch114:bind97-CVE-2011-2464.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -243,6 +244,7 @@ mkdir m4
%patch110 -p1 -b .rh570851
%patch112 -p1 -b .rh645544
%patch113 -p1 -b .CVE-2011-1910
+%patch114 -p1 -b .CVE-2011-2464
# Sparc and s390 arches need to use -fPIE
%ifarch sparcv9 sparc64 s390 s390x
@@ -678,6 +680,9 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
+* Wed Jul 06 2011 Adam Tkac <atkac redhat com> 32:9.7.4-0.3.b1
+- fix CVE-2011-2464
+
* Fri May 27 2011 Adam Tkac <atkac redhat com> 32:9.7.4-0.2.b1
- fix CVE-2011-1910
diff --git a/bind97-CVE-2011-2464.patch b/bind97-CVE-2011-2464.patch
new file mode 100644
index 0000000..ffc7681
--- /dev/null
+++ b/bind97-CVE-2011-2464.patch
@@ -0,0 +1,402 @@
+diff -up bind-9.7.4b1/lib/dns/include/dns/rdataset.h.CVE-2011-2464 bind-9.7.4b1/lib/dns/include/dns/rdataset.h
+--- bind-9.7.4b1/lib/dns/include/dns/rdataset.h.CVE-2011-2464 2010-02-25 06:25:53.000000000 +0100
++++ bind-9.7.4b1/lib/dns/include/dns/rdataset.h 2011-07-06 22:21:24.757733118 +0200
+@@ -203,6 +203,7 @@ struct dns_rdataset {
+ #define DNS_RDATASETATTR_RESIGN 0x00040000
+ #define DNS_RDATASETATTR_CLOSEST 0x00080000
+ #define DNS_RDATASETATTR_OPTOUT 0x00100000 /*%< OPTOUT proof */
++#define DNS_RDATASETATTR_NEGATIVE 0x00200000
+
+ /*%
+ * _OMITDNSSEC:
+diff -up bind-9.7.4b1/lib/dns/masterdump.c.CVE-2011-2464 bind-9.7.4b1/lib/dns/masterdump.c
+--- bind-9.7.4b1/lib/dns/masterdump.c.CVE-2011-2464 2011-03-18 10:07:02.000000000 +0100
++++ bind-9.7.4b1/lib/dns/masterdump.c 2011-07-06 22:22:43.675723422 +0200
+@@ -410,6 +410,7 @@ rdataset_totext(dns_rdataset_t *rdataset
+ isc_uint32_t current_ttl;
+ isc_boolean_t current_ttl_valid;
+ dns_rdatatype_t type;
++ unsigned int type_start;
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+@@ -491,29 +492,26 @@ rdataset_totext(dns_rdataset_t *rdataset
+ * Type.
+ */
+
+- if (rdataset->type == 0) {
++ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+ type = rdataset->covers;
+ } else {
+ type = rdataset->type;
+ }
+
+- {
+- unsigned int type_start;
+- INDENT_TO(type_column);
+- type_start = target->used;
+- if (rdataset->type == 0)
+- RETERR(str_totext("\\-", target));
+- result = dns_rdatatype_totext(type, target);
+- if (result != ISC_R_SUCCESS)
+- return (result);
+- column += (target->used - type_start);
+- }
++ INDENT_TO(type_column);
++ type_start = target->used;
++ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
++ RETERR(str_totext("\\-", target));
++ result = dns_rdatatype_totext(type, target);
++ if (result != ISC_R_SUCCESS)
++ return (result);
++ column += (target->used - type_start);
+
+ /*
+ * Rdata.
+ */
+ INDENT_TO(rdata_column);
+- if (rdataset->type == 0) {
++ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+ if (NXDOMAIN(rdataset))
+ RETERR(str_totext(";-$NXDOMAIN\n", target));
+ else
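Review bot: The test `(rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0` is written out three times in this hunk and again in the dump_rdatasets_text and dump_rdatasets_raw hunks below, while resolver.c and validator.c each get a local `NEGATIVE(r)` macro in the same patch. masterdump.c already relies on an `NXDOMAIN(rdataset)` macro a few lines further down, so a matching `#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)` next to it would make all five sites read the same and be harder to get subtly wrong. Note also that rbtdb.c's `NEGATIVE(header)` tests a different flag (`RDATASET_ATTR_NEGATIVE`) under the same name, which deserves a one-line comment there. rdataset_totext starts before this hunk and continues after it.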
+@@ -899,7 +897,7 @@ dump_rdatasets_text(isc_mem_t *mctx, dns
+ sizeof(trustnames[0])));
+ fprintf(f, "; %s\n", trustnames[trust]);
+ }
+- if (rds->type == 0 &&
++ if (((rds->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
+ (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
+ /* Omit negative cache entries */
+ } else {
+@@ -1064,7 +1062,7 @@ dump_rdatasets_raw(isc_mem_t *mctx, dns_
+ dns_rdataset_init(&rdataset);
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+
+- if (rdataset.type == 0 &&
++ if (((rdataset.attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
+ (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
+ /* Omit negative cache entries */
+ } else {
+diff -up bind-9.7.4b1/lib/dns/message.c.CVE-2011-2464 bind-9.7.4b1/lib/dns/message.c
+--- bind-9.7.4b1/lib/dns/message.c.CVE-2011-2464 2011-03-12 05:58:28.000000000 +0100
++++ bind-9.7.4b1/lib/dns/message.c 2011-07-06 22:21:24.760733118 +0200
+@@ -2515,7 +2515,7 @@ dns_message_peekheader(isc_buffer_t *sou
+
+ isc_result_t
+ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
+- unsigned int first_section;
++ unsigned int clear_after;
+ isc_result_t result;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+@@ -2527,15 +2527,15 @@ dns_message_reply(dns_message_t *msg, is
+ msg->opcode != dns_opcode_notify)
+ want_question_section = ISC_FALSE;
+ if (msg->opcode == dns_opcode_update)
+- first_section = DNS_SECTION_ADDITIONAL;
++ clear_after = DNS_SECTION_PREREQUISITE;
+ else if (want_question_section) {
+ if (!msg->question_ok)
+ return (DNS_R_FORMERR);
+- first_section = DNS_SECTION_ANSWER;
++ clear_after = DNS_SECTION_ANSWER;
+ } else
+- first_section = DNS_SECTION_QUESTION;
++ clear_after = DNS_SECTION_QUESTION;
+ msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
+- msgresetnames(msg, first_section);
++ msgresetnames(msg, clear_after);
+ msgresetopt(msg);
+ msgresetsigs(msg, ISC_TRUE);
+ msginitprivate(msg);
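Review bot: The rename from `first_section` to `clear_after` hides a behaviour change. For `dns_opcode_update`, the value passed to `msgresetnames` moves from `DNS_SECTION_ADDITIONAL` to `DNS_SECTION_PREREQUISITE`, so the reply apparently no longer carries the request's prerequisite and update sections. That looks like the part of the fix that keeps request-supplied rdatasets from being rendered back into the response, though msgresetnames itself is not visible here. It should be recorded at the assignment, for example `/* UPDATE replies must not echo client-supplied prerequisite/update records. */`. The body of dns_message_reply begins in the previous hunk and continues past this one.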
+diff -up bind-9.7.4b1/lib/dns/ncache.c.CVE-2011-2464 bind-9.7.4b1/lib/dns/ncache.c
+--- bind-9.7.4b1/lib/dns/ncache.c.CVE-2011-2464 2011-07-06 22:21:24.754733118 +0200
++++ bind-9.7.4b1/lib/dns/ncache.c 2011-07-06 22:21:24.761733118 +0200
+@@ -294,6 +294,7 @@ dns_ncache_addoptout(dns_message_t *mess
+ RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
+ == ISC_R_SUCCESS);
+ ncrdataset.trust = trust;
++ ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
+ if (message->rcode == dns_rcode_nxdomain)
+ ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
+ if (optout)
+@@ -324,6 +325,7 @@ dns_ncache_towire(dns_rdataset_t *rdatas
+
+ REQUIRE(rdataset != NULL);
+ REQUIRE(rdataset->type == 0);
++ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+
+ savedbuffer = *target;
+ count = 0;
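Review bot: The added `REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)` turns a missing flag into a process abort, and the same line is added to dns_ncache_getrdataset, dns_ncache_getsigrdataset and dns_ncache_current in the next three hunks. Every code path that reaches these functions must therefore now produce rdatasets with both `type == 0` and the flag set. Within this patch the flag is set only in dns_ncache_addoptout and carried through rbtdb.c (addrdataset, bind_rdataset). Callers outside lib/dns and other database back ends are not visible here, so the tree should be searched for remaining `type == 0` or `dns_rdatatype_none` tests that still select the ncache path. A comment above the two REQUIREs such as `/* type 0 alone is not proof of a negative-cache entry; the flag is set only by the cache */` would explain why both are kept.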
+@@ -552,6 +554,7 @@ dns_ncache_getrdataset(dns_rdataset_t *n
+
+ REQUIRE(ncacherdataset != NULL);
+ REQUIRE(ncacherdataset->type == 0);
++ REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+ REQUIRE(name != NULL);
+ REQUIRE(!dns_rdataset_isassociated(rdataset));
+ REQUIRE(type != dns_rdatatype_rrsig);
+@@ -628,6 +631,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t
+
+ REQUIRE(ncacherdataset != NULL);
+ REQUIRE(ncacherdataset->type == 0);
++ REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+ REQUIRE(name != NULL);
+ REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+@@ -727,6 +731,7 @@ dns_ncache_current(dns_rdataset_t *ncach
+
+ REQUIRE(ncacherdataset != NULL);
+ REQUIRE(ncacherdataset->type == 0);
++ REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+ REQUIRE(found != NULL);
+ REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+diff -up bind-9.7.4b1/lib/dns/nsec3.c.CVE-2011-2464 bind-9.7.4b1/lib/dns/nsec3.c
+--- bind-9.7.4b1/lib/dns/nsec3.c.CVE-2011-2464 2011-03-12 05:58:28.000000000 +0100
++++ bind-9.7.4b1/lib/dns/nsec3.c 2011-07-06 22:21:24.762733118 +0200
+@@ -1579,7 +1579,7 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_db
+
+ isc_result_t
+ dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+- dns_rdatatype_t type, dns_diff_t *diff)
++ dns_rdatatype_t privatetype, dns_diff_t *diff)
+ {
+ dns_dbnode_t *node = NULL;
+ dns_rdata_nsec3param_t nsec3param;
+@@ -1624,9 +1624,9 @@ dns_nsec3_delnsec3sx(dns_db_t *db, dns_d
+ dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+- if (type == 0)
++ if (privatetype == 0)
+ goto success;
+- result = dns_db_findrdataset(db, node, version, type, 0, 0,
++ result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
+ &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND)
+ goto success;
+@@ -1681,7 +1681,7 @@ dns_nsec3_active(dns_db_t *db, dns_dbver
+
+ isc_result_t
+ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
+- isc_boolean_t complete, dns_rdatatype_t type,
++ isc_boolean_t complete, dns_rdatatype_t privatetype,
+ isc_boolean_t *answer)
+ {
+ dns_dbnode_t *node = NULL;
+@@ -1730,11 +1730,11 @@ dns_nsec3_activex(dns_db_t *db, dns_dbve
+ *answer = ISC_FALSE;
+
+ try_private:
+- if (type == 0 || complete) {
++ if (privatetype == 0 || complete) {
+ *answer = ISC_FALSE;
+ return (ISC_R_SUCCESS);
+ }
+- result = dns_db_findrdataset(db, node, version, type, 0, 0,
++ result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
+ &rdataset, NULL);
+
+ dns_db_detachnode(db, &node);
+diff -up bind-9.7.4b1/lib/dns/rbtdb.c.CVE-2011-2464 bind-9.7.4b1/lib/dns/rbtdb.c
+--- bind-9.7.4b1/lib/dns/rbtdb.c.CVE-2011-2464 2011-03-11 08:11:58.000000000 +0100
++++ bind-9.7.4b1/lib/dns/rbtdb.c 2011-07-06 22:21:24.766733118 +0200
+@@ -278,6 +278,7 @@ typedef ISC_LIST(dns_rbtnode_t)
+ #define RDATASET_ATTR_RESIGN 0x0020
+ #define RDATASET_ATTR_STATCOUNT 0x0040
+ #define RDATASET_ATTR_OPTOUT 0x0080
++#define RDATASET_ATTR_NEGATIVE 0x0100
+
+ typedef struct acache_cbarg {
+ dns_rdatasetadditional_t type;
+@@ -316,6 +317,8 @@ struct acachectl {
+ (((header)->attributes & RDATASET_ATTR_RESIGN) != 0)
+ #define OPTOUT(header) \
+ (((header)->attributes & RDATASET_ATTR_OPTOUT) != 0)
++#define NEGATIVE(header) \
++ (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
+
+ #define DEFAULT_NODE_LOCK_COUNT 7 /*%< Should be prime. */
+
+@@ -698,11 +701,13 @@ update_rrsetstats(dns_rbtdb_t *rbtdb, rd
+ /* At the moment we count statistics only for cache DB */
+ INSIST(IS_CACHE(rbtdb));
+
+- if (NXDOMAIN(header))
+- statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
+- else if (RBTDB_RDATATYPE_BASE(header->type) == 0) {
+- statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+- base = RBTDB_RDATATYPE_EXT(header->type);
++ if (NEGATIVE(header)) {
++ if (NXDOMAIN(header))
++ statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
++ else {
++ statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
++ base = RBTDB_RDATATYPE_EXT(header->type);
++ }
+ } else
+ base = RBTDB_RDATATYPE_BASE(header->type);
+
+@@ -2760,6 +2765,8 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rb
+ rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
+ rdataset->ttl = header->rdh_ttl - now;
+ rdataset->trust = header->trust;
++ if (NEGATIVE(header))
++ rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
+ if (NXDOMAIN(header))
+ rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
+ if (OPTOUT(header))
+@@ -4793,7 +4800,7 @@ cache_find(dns_db_t *db, dns_name_t *nam
+ *nodep = node;
+ }
+
+- if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
++ if (NEGATIVE(found)) {
+ /*
+ * We found a negative cache entry.
+ */
+@@ -5465,7 +5472,7 @@ cache_findrdataset(dns_db_t *db, dns_dbn
+ if (found == NULL)
+ return (ISC_R_NOTFOUND);
+
+- if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
++ if (NEGATIVE(found)) {
+ /*
+ * We found a negative cache entry.
+ */
+@@ -5676,7 +5683,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *r
+ negtype = 0;
+ if (rbtversion == NULL && !newheader_nx) {
+ rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
+- if (rdtype == 0) {
++ if (NEGATIVE(newheader)) {
+ /*
+ * We're adding a negative cache entry.
+ */
+@@ -6218,6 +6225,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *
+ } else {
+ newheader->serial = 1;
+ newheader->resign = 0;
++ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
++ newheader->attributes |= RDATASET_ATTR_NEGATIVE;
+ if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+ newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
+ if ((rdataset->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
+@@ -7916,7 +7925,7 @@ rdatasetiter_next(dns_rdatasetiter_t *it
+
+ type = header->type;
+ rdtype = RBTDB_RDATATYPE_BASE(header->type);
+- if (rdtype == 0) {
++ if (NEGATIVE(header)) {
+ covers = RBTDB_RDATATYPE_EXT(header->type);
+ negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+ } else
+diff -up bind-9.7.4b1/lib/dns/rdataset.c.CVE-2011-2464 bind-9.7.4b1/lib/dns/rdataset.c
+--- bind-9.7.4b1/lib/dns/rdataset.c.CVE-2011-2464 2011-03-12 05:58:28.000000000 +0100
++++ bind-9.7.4b1/lib/dns/rdataset.c 2011-07-06 22:21:24.768733118 +0200
+@@ -324,7 +324,7 @@ towiresorted(dns_rdataset_t *rdataset, c
+ count = 1;
+ result = dns_rdataset_first(rdataset);
+ INSIST(result == ISC_R_NOMORE);
+- } else if (rdataset->type == 0) {
++ } else if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+ /*
+ * This is a negative caching rdataset.
+ */
+diff -up bind-9.7.4b1/lib/dns/resolver.c.CVE-2011-2464 bind-9.7.4b1/lib/dns/resolver.c
+--- bind-9.7.4b1/lib/dns/resolver.c.CVE-2011-2464 2011-07-06 22:21:24.750733118 +0200
++++ bind-9.7.4b1/lib/dns/resolver.c 2011-07-06 22:21:24.771733118 +0200
+@@ -426,6 +426,7 @@ struct dns_resolver {
+ FCTX_ADDRINFO_TRIED) != 0)
+
+ #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
++#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+
+ static void destroy(dns_resolver_t *res);
+ static void empty_bucket(dns_resolver_t *res);
+@@ -1050,7 +1051,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_re
+ * Negative results must be indicated in event->result.
+ */
+ if (dns_rdataset_isassociated(event->rdataset) &&
+- event->rdataset->type == dns_rdatatype_none) {
++ NEGATIVE(event->rdataset)) {
+ INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
+ event->result == DNS_R_NCACHENXRRSET);
+ }
+@@ -4218,7 +4219,7 @@ validated(isc_task_t *task, isc_event_t
+ if (result != ISC_R_SUCCESS &&
+ result != DNS_R_UNCHANGED)
+ goto noanswer_response;
+- if (ardataset != NULL && ardataset->type == 0) {
++ if (ardataset != NULL && NEGATIVE(ardataset)) {
+ if (NXDOMAIN(ardataset))
+ eresult = DNS_R_NCACHENXDOMAIN;
+ else
+@@ -4542,7 +4543,7 @@ cache_name(fetchctx_t *fctx, dns_name_t
+ result = ISC_R_SUCCESS;
+ if (!need_validation &&
+ ardataset != NULL &&
+- ardataset->type == 0) {
++ NEGATIVE(ardataset)) {
+ /*
+ * The answer in the cache is
+ * better than the answer we
+@@ -4672,7 +4673,7 @@ cache_name(fetchctx_t *fctx, dns_name_t
+ if (result == DNS_R_UNCHANGED) {
+ if (ANSWER(rdataset) &&
+ ardataset != NULL &&
+- ardataset->type == 0) {
++ NEGATIVE(ardataset)) {
+ /*
+ * The answer in the cache is better
+ * than the answer we found, and is
+@@ -4702,7 +4703,7 @@ cache_name(fetchctx_t *fctx, dns_name_t
+ * Negative results must be indicated in event->result.
+ */
+ if (dns_rdataset_isassociated(event->rdataset) &&
+- event->rdataset->type == dns_rdatatype_none) {
++ NEGATIVE(event->rdataset)) {
+ INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
+ eresult == DNS_R_NCACHENXRRSET);
+ }
+@@ -4782,7 +4783,7 @@ ncache_adderesult(dns_message_t *message
+ * care about whether it is DNS_R_NCACHENXDOMAIN or
+ * DNS_R_NCACHENXRRSET then extract it.
+ */
+- if (ardataset->type == 0) {
++ if (NEGATIVE(ardataset)) {
+ /*
+ * The cache data is a negative cache entry.
+ */
+diff -up bind-9.7.4b1/lib/dns/validator.c.CVE-2011-2464 bind-9.7.4b1/lib/dns/validator.c
+--- bind-9.7.4b1/lib/dns/validator.c.CVE-2011-2464 2011-03-11 08:11:59.000000000 +0100
++++ bind-9.7.4b1/lib/dns/validator.c 2011-07-06 22:21:24.774733118 +0200
+@@ -129,6 +129,8 @@
+ #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
+ #define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
+
++#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
++
+ static void
+ destroy(dns_validator_t *val);
+
+@@ -735,7 +737,7 @@ dsvalidated(isc_task_t *task, isc_event_
+ name = dns_fixedname_name(&val->fname);
+ if ((val->attributes & VALATTR_INSECURITY) != 0 &&
+ val->frdataset.covers == dns_rdatatype_ds &&
+- val->frdataset.type == 0 &&
++ NEGATIVE(&val->frdataset) &&
+ isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
+ if (val->mustbesecure) {
+ validator_log(val, ISC_LOG_WARNING,
+@@ -4030,7 +4032,7 @@ validator_start(isc_task_t *task, isc_ev
+ val->attributes |= VALATTR_NEEDNODATA;
+ result = nsecvalidate(val, ISC_FALSE);
+ } else if (val->event->rdataset != NULL &&
+- val->event->rdataset->type == 0)
++ NEGATIVE(val->event->rdataset))
+ {
+ /*
+ * This is a nonexistence validation.