mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 00:59:48 +00:00
Code Issues Projects Releases Wiki Activity

bind: Security fix CVE-2016-2088

Browse Source 
(From OE-Core rev: 91e05c25eb221ff1dc2bde5cfaa0bea88345b1e4)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
2016-09-17 14:22:15 -07:00
committed by Richard Purdie
parent 9f1dc20619
commit 9657825ef3
2 changed files with 217 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
+216
View File
@@ -0,0 +1,216 @@
From d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Sat, 27 Feb 2016 11:23:50 +1100
Subject: [PATCH] 4322. [security] Duplicate EDNS COOKIE options in a
response could trigger an assertion failure.
(CVE-2016-2088) [RT #41809]
(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
Upstream-Status: Backport
CVE: CVE-2016-2088
minor fixup to get to apply.
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
CHANGES | 5 +++++
bin/dig/dighost.c | 9 +++++++++
bin/named/client.c | 33 +++++++++++++++++++++++----------
doc/arm/notes.xml | 7 +++++++
lib/dns/resolver.c | 14 +++++++++++++-
5 files changed, 57 insertions(+), 11 deletions(-)
Index: bind-9.10.2-P4/CHANGES
===================================================================
--- bind-9.10.2-P4.orig/CHANGES
+++ bind-9.10.2-P4/CHANGES
@@ -1,3 +1,7 @@
+4322. [security] Duplicate EDNS COOKIE options in a response could
+ trigger an assertion failure. (CVE-2016-2088)
+ [RT #41809]
+
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
Index: bind-9.10.2-P4/bin/dig/dighost.c
===================================================================
--- bind-9.10.2-P4.orig/bin/dig/dighost.c
+++ bind-9.10.2-P4/bin/dig/dighost.c
@@ -3349,6 +3349,7 @@ process_opt(dig_lookup_t *l, dns_message
isc_buffer_t optbuf;
isc_uint16_t optcode, optlen;
dns_rdataset_t *opt = msg->opt;
+ isc_boolean_t seen_cookie = ISC_FALSE;
result = dns_rdataset_first(opt);
if (result == ISC_R_SUCCESS) {
@@ -3360,8 +3361,16 @@ process_opt(dig_lookup_t *l, dns_message
optcode = isc_buffer_getuint16(&optbuf);
optlen = isc_buffer_getuint16(&optbuf);
switch (optcode) {
- case DNS_OPT_SIT:
+ case DNS_OPT_SIT:
+ /*
+ * Only process the first cookie option.
+ */
+ if (seen_cookie) {
+ isc_buffer_forward(&optbuf, optlen);
+ break;
+ }
process_sit(l, msg, &optbuf, optlen);
+ seen_cookie = ISC_TRUE;
break;
default:
isc_buffer_forward(&optbuf, optlen);
Index: bind-9.10.2-P4/bin/named/client.c
===================================================================
--- bind-9.10.2-P4.orig/bin/named/client.c
+++ bind-9.10.2-P4/bin/named/client.c
@@ -121,7 +121,10 @@
*/
#endif
-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
+
+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
/*% nameserver client manager structure */
struct ns_clientmgr {
@@ -1391,7 +1394,7 @@ ns_client_addopt(ns_client_t *client, dn
{
char nsid[BUFSIZ], *nsidp;
#ifdef ISC_PLATFORM_USESIT
- unsigned char sit[SIT_SIZE];
+ unsigned char sit[COOKIE_SIZE];
#endif
isc_result_t result;
dns_view_t *view;
@@ -1416,7 +1419,7 @@ ns_client_addopt(ns_client_t *client, dn
flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
/* Set EDNS options if applicable */
- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
+ if (WANTNSID(client) &&
(ns_g_server->server_id != NULL ||
ns_g_server->server_usehostname)) {
if (ns_g_server->server_usehostname) {
@@ -1449,7 +1452,7 @@ ns_client_addopt(ns_client_t *client, dn
INSIST(count < DNS_EDNSOPTIONS);
ednsopts[count].code = DNS_OPT_SIT;
- ednsopts[count].length = SIT_SIZE;
+ ednsopts[count].length = COOKIE_SIZE;
ednsopts[count].value = sit;
count++;
}
@@ -1657,19 +1660,26 @@ compute_sit(ns_client_t *client, isc_uin
static void
process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
- unsigned char dbuf[SIT_SIZE];
+ unsigned char dbuf[COOKIE_SIZE];
unsigned char *old;
isc_stdtime_t now;
isc_uint32_t when;
isc_uint32_t nonce;
isc_buffer_t db;
+ /*
+ * If we have already seen a ECS option skip this ECS option.
+ */
+ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
+ isc_buffer_forward(buf, optlen);
+ return;
+ }
client->attributes |= NS_CLIENTATTR_WANTSIT;
isc_stats_increment(ns_g_server->nsstats,
dns_nsstatscounter_sitopt);
- if (optlen != SIT_SIZE) {
+ if (optlen != COOKIE_SIZE) {
/*
* Not our token.
*/
@@ -1713,7 +1723,7 @@ process_sit(ns_client_t *client, isc_buf
isc_buffer_init(&db, dbuf, sizeof(dbuf));
compute_sit(client, when, nonce, &db);
- if (memcmp(old, dbuf, SIT_SIZE) != 0) {
+ if (memcmp(old, dbuf, COOKIE_SIZE) != 0) {
isc_stats_increment(ns_g_server->nsstats,
dns_nsstatscounter_sitnomatch);
return;
@@ -1779,7 +1789,9 @@ process_opt(ns_client_t *client, dns_rda
optlen = isc_buffer_getuint16(&optbuf);
switch (optcode) {
case DNS_OPT_NSID:
- isc_stats_increment(ns_g_server->nsstats,
+ if (!WANTNSID(client))
+ isc_stats_increment(
+ ns_g_server->nsstats,
dns_nsstatscounter_nsidopt);
client->attributes |= NS_CLIENTATTR_WANTNSID;
isc_buffer_forward(&optbuf, optlen);
@@ -1790,7 +1802,9 @@ process_opt(ns_client_t *client, dns_rda
break;
#endif
case DNS_OPT_EXPIRE:
- isc_stats_increment(ns_g_server->nsstats,
+ if (!WANTEXPIRE(client))
+ isc_stats_increment(
+ ns_g_server->nsstats,
dns_nsstatscounter_expireopt);
client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
isc_buffer_forward(&optbuf, optlen);
Index: bind-9.10.2-P4/lib/dns/resolver.c
===================================================================
--- bind-9.10.2-P4.orig/lib/dns/resolver.c
+++ bind-9.10.2-P4/lib/dns/resolver.c
@@ -7144,7 +7144,9 @@ process_opt(resquery_t *query, dns_rdata
unsigned char *sit;
dns_adbaddrinfo_t *addrinfo;
unsigned char cookie[8];
+ isc_boolean_t seen_cookie = ISC_FALSE;
#endif
+ isc_boolean_t seen_nsid = ISC_FALSE;
result = dns_rdataset_first(opt);
if (result == ISC_R_SUCCESS) {
@@ -7158,14 +7160,23 @@ process_opt(resquery_t *query, dns_rdata
INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
switch (optcode) {
case DNS_OPT_NSID:
- if (query->options & DNS_FETCHOPT_WANTNSID)
+ if (!seen_nsid &&
+ query->options & DNS_FETCHOPT_WANTNSID)
log_nsid(&optbuf, optlen, query,
ISC_LOG_DEBUG(3),
query->fctx->res->mctx);
isc_buffer_forward(&optbuf, optlen);
+ seen_nsid = ISC_TRUE;
break;
#ifdef ISC_PLATFORM_USESIT
case DNS_OPT_SIT:
+ /*
+ * Only process the first cookie option.
+ */
+ if (seen_cookie) {
+ isc_buffer_forward(&optbuf, optlen);
+ break;
+ }
sit = isc_buffer_current(&optbuf);
compute_cc(query, cookie, sizeof(cookie));
INSIST(query->fctx->rmessage->sitbad == 0 &&
@@ -7183,6 +7194,7 @@ process_opt(resquery_t *query, dns_rdata
isc_buffer_forward(&optbuf, optlen);
inc_stats(query->fctx->res,
dns_resstatscounter_sitin);
+ seen_cookie = ISC_TRUE;
break;
#endif
default:
meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+1
View File
@@ -28,6 +28,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://CVE-2016-1285.patch \
file://CVE-2016-1286_1.patch \
file://CVE-2016-1286_2.patch \
file://CVE-2016-2088.patch \
"
SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"