diff --git a/SOURCES/bind-9.11-CVE-2020-8616-test.patch b/SOURCES/bind-9.11-CVE-2020-8616-test.patch
new file mode 100644
index 0000000..a1d2823
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2020-8616-test.patch
@@ -0,0 +1,292 @@
+From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001
+From: Stephen Morris
+Date: Thu, 5 Mar 2020 18:46:46 +0000
+Subject: [PATCH] Add test for reduction in number of fetches
+
+Add a system test that counts how many address fetches are made
+for different numbers of NS records and checks that the number
+are successfully limited.
+
+(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2)
+---
+ bin/tests/system/resolver/clean.sh | 4 +-
+ bin/tests/system/resolver/ns4/named.conf.in | 5 ++
+ bin/tests/system/resolver/ns4/root.db | 4 +
+ bin/tests/system/resolver/ns4/sourcens.db | 89 +++++++++++++++++++++
+ bin/tests/system/resolver/ns5/named.conf.in | 9 ++-
+ bin/tests/system/resolver/ns6/named.conf.in | 15 ++++
+ bin/tests/system/resolver/ns6/targetns.db | 23 ++++++
+ bin/tests/system/resolver/tests.sh | 34 ++++++++
+ 8 files changed, 180 insertions(+), 3 deletions(-)
+ create mode 100644 bin/tests/system/resolver/ns4/sourcens.db
+ create mode 100644 bin/tests/system/resolver/ns6/targetns.db
+
+diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
+index 4dfde1f3e7..b3e4bc0b5d 100644
+--- a/bin/tests/system/resolver/clean.sh
++++ b/bin/tests/system/resolver/clean.sh
+@@ -17,8 +17,7 @@ rm -f */named.memstats
+ rm -f */named.run
+ rm -f */ans.run
+ rm -f */*.jdb
+-rm -f dig.out dig.out.*
+-rm -f dig.*.out.*
++rm -f dig.out dig.out.* dig.*.out.*
+ rm -f dig.*.foo.*
+ rm -f dig.*.bar.*
+ rm -f dig.*.prime.*
+@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
+ rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
+ rm -f ns6/dsset-ds.example.net*
+ rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
++rm -f ns6/named.stats*
+ rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
+ rm -f ns7/server.db ns7/server.db.jnl
+ rm -f resolve.out.*.test*
+diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
+index c679dc3151..56fe5d0dd8 100644
+--- a/bin/tests/system/resolver/ns4/named.conf.in
++++ b/bin/tests/system/resolver/ns4/named.conf.in
+@@ -50,6 +50,11 @@ zone "broken" {
+ file "broken.db";
+ };
+ 
++zone "sourcens" {
++ type master;
++ file "sourcens.db";
++};
++
+ key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
+index 721765d1be..ae541340da 100644
+--- a/bin/tests/system/resolver/ns4/root.db
++++ b/bin/tests/system/resolver/ns4/root.db
+@@ -24,3 +24,7 @@ example.net. NS ns.example.net.
+ ns.example.net. A 10.53.0.6
+ no-questions. NS ns.no-questions.
+ ns.no-questions. A 10.53.0.8
++sourcens. NS ns.sourcens.
++ns.sourcens. A 10.53.0.4
++targetns. NS ns.targetns.
++ns.targetns. A 10.53.0.6
+diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
+new file mode 100644
+index 0000000000..b02cc6e835
+--- /dev/null
++++ b/bin/tests/system/resolver/ns4/sourcens.db
+@@ -0,0 +1,89 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++; This zone contains a set of delegations with varying numbers of NS
++; records. This is used to check that BIND is limiting the number of
++; NS records it follows when resolving a delegation. It tests all
++; numbers of NS records up to twice the number followed.
++
++$TTL 60
++@ IN SOA marka.isc.org. ns.server. (
++ 2010 ; serial
++ 600 ; refresh
++ 600 ; retry
++ 1200 ; expire
++ 600 ; minimum
++ )
++@ NS ns
++ns A 10.53.0.4
++
++target1 NS ns.fake11.targetns.
++
++target2 NS ns.fake21.targetns.
++ NS ns.fake22.targetns.
++
++target3 NS ns.fake31.targetns.
++ NS ns.fake32.targetns.
++ NS ns.fake33.targetns.
++
++target4 NS ns.fake41.targetns.
++ NS ns.fake42.targetns.
++ NS ns.fake43.targetns.
++ NS ns.fake44.targetns.
++
++target5 NS ns.fake51.targetns.
++ NS ns.fake52.targetns.
++ NS ns.fake53.targetns.
++ NS ns.fake54.targetns.
++ NS ns.fake55.targetns.
++
++target6 NS ns.fake61.targetns.
++ NS ns.fake62.targetns.
++ NS ns.fake63.targetns.
++ NS ns.fake64.targetns.
++ NS ns.fake65.targetns.
++ NS ns.fake66.targetns.
++
++target7 NS ns.fake71.targetns.
++ NS ns.fake72.targetns.
++ NS ns.fake73.targetns.
++ NS ns.fake74.targetns.
++ NS ns.fake75.targetns.
++ NS ns.fake76.targetns.
++ NS ns.fake77.targetns.
++
++target8 NS ns.fake81.targetns.
++ NS ns.fake82.targetns.
++ NS ns.fake83.targetns.
++ NS ns.fake84.targetns.
++ NS ns.fake85.targetns.
++ NS ns.fake86.targetns.
++ NS ns.fake87.targetns.
++ NS ns.fake88.targetns.
++
++target9 NS ns.fake91.targetns.
++ NS ns.fake92.targetns.
++ NS ns.fake93.targetns.
++ NS ns.fake94.targetns.
++ NS ns.fake95.targetns.
++ NS ns.fake96.targetns.
++ NS ns.fake97.targetns.
++ NS ns.fake98.targetns.
++ NS ns.fake99.targetns.
++
++target10 NS ns.fake101.targetns.
++ NS ns.fake102.targetns.
++ NS ns.fake103.targetns.
++ NS ns.fake104.targetns.
++ NS ns.fake105.targetns.
++ NS ns.fake106.targetns.
++ NS ns.fake107.targetns.
++ NS ns.fake108.targetns.
++ NS ns.fake109.targetns.
++ NS ns.fake1010.targetns.
+diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
+index 07205c9938..90818e4556 100644
+--- a/bin/tests/system/resolver/ns5/named.conf.in
++++ b/bin/tests/system/resolver/ns5/named.conf.in
+@@ -46,4 +46,11 @@ zone "delegation-only" {
+ type delegation-only;
+ };
+ 
+-include "trusted.conf";
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
+diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
+index 7df48558b8..4b01f9ba14 100644
+--- a/bin/tests/system/resolver/ns6/named.conf.in
++++ b/bin/tests/system/resolver/ns6/named.conf.in
+@@ -22,6 +22,7 @@ options {
+ recursion no;
+ // minimal-responses yes;
+ querylog yes;
++ statistics-file "named.stats";
+ /*
+ * test that named loads with root-delegation-only that
+ * has a exclude list.
+@@ -67,3 +68,17 @@ zone "delegation-only" {
+ type master;
+ file "delegation-only.db";
+ };
++
++zone "targetns" {
++ type master;
++ file "targetns.db";
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
+diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
+new file mode 100644
+index 0000000000..036e64580b
+--- /dev/null
++++ b/bin/tests/system/resolver/ns6/targetns.db
+@@ -0,0 +1,23 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++; In the test for checking how many NS records BIND will follow, this
++; zone marks the server as the one to which the NS lookups will be
++; directed.
++
++$TTL 300
++@ IN SOA marka.isc.org. ns.server. (
++ 2010 ; serial
++ 600 ; refresh
++ 600 ; retry
++ 1200 ; expire
++ 600 ; minimum
++ )
++ NS ns
++ns A 10.53.0.6
+diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
+index 12d2819e30..178ba4d79b 100755
+--- a/bin/tests/system/resolver/tests.sh
++++ b/bin/tests/system/resolver/tests.sh
+@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then
+ status=`expr $status + $ret`
+ fi
+ 
++n=`expr $n + 1`
++echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
++# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
++# records pointing to non-existent nameservers in the targetns zone on ns6.
++ret=0
++$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
++for nscount in 1 2 3 4 5 6 7 8 9 10
++do
++ # Verify number of NS records at source server
++ $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
++ sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
++ test $sourcerecs -eq $nscount || ret=1
++ test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
++ # Expected queries = 2 * number of NS records, up to a maximum of 10.
++ expected=`expr 2 \* $nscount`
++ if [ $expected -gt 10 ]; then expected=10; fi
++ # Work out the queries made by checking statistics on the target before and after the test
++ $RNDCCMD 10.53.0.6 stats || ret=1
++ initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
++ mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
++ $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
++ $RNDCCMD 10.53.0.6 stats || ret=1
++ final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
++ mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
++ # Check number of queries during the test is as expected
++ actual=`expr $final_count - $initial_count`
++ if [ $actual -ne $expected ]; then
++ echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
++ ret=1
++ fi
++done
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=`expr $status + $ret`
++
+ n=`expr $n + 1`
+ echo_i "RT21594 regression test check setup ($n)"
+ ret=0
+-- 
+2.21.1
+
diff --git a/SOURCES/bind-9.11-CVE-2020-8617-test.patch b/SOURCES/bind-9.11-CVE-2020-8617-test.patch
new file mode 100644
index 0000000..1d81c73
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2020-8617-test.patch
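Review bot: The ns5/named.conf.in hunk drops `include "trusted.conf";` from the recursor under test while adding the rndc key and controls, and nothing in the commit message accounts for removing a trust-anchor include; if it is intentional (presumably so that validation traffic does not perturb the `responses sent` counts read from ns6), say so in the message or in a config comment, and if it is not, the include should stay. In the tests.sh hunk the comment `# ns5 is the recusor being tested.` should read `recursor`. The same hunk feeds `initial_count` and `final_count` straight from awk into `expr` without checking that a `responses sent` line was found, so a missing or renamed statistics line fails with an expr syntax error instead of a test message; `test -n "$initial_count" || ret=1` after each awk makes that failure explicit.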
@@ -0,0 +1,78 @@
+From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Wed, 25 Mar 2020 17:44:51 +1100
+Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a
+ request
+
+(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1)
+---
+ bin/tests/system/tsig/badtime | 37 ++++++++++++++++++++++++++++++++++
+ bin/tests/system/tsig/tests.sh | 9 +++++++++
+ 2 files changed, 46 insertions(+)
+ create mode 100644 bin/tests/system/tsig/badtime
+
+diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
+new file mode 100644
+index 0000000000..7926404cfb
+--- /dev/null
++++ b/bin/tests/system/tsig/badtime
+@@ -0,0 +1,37 @@
++# Transaction ID
++1122
++# Standard query
++0000
++# Questions: 1, Additional: 1
++0001 0000 0000 0001
++# QNAME: isc.org
++03 69 73 63 03 6F 72 67 00
++# Type: A (Host Address)
++0001
++# Class: IN
++0001
++# Specially crafted TSIG Resource Record
++# Name: "sha256"
++06 73 68 61 32 35 36 00
++# Type: TSIG (Transaction Signature)
++00fa
++# Class: ANY
++00ff
++# TTL: 0
++00000000
++# RdLen: 29
++001d
++# Algorithm Name: hmac-sha256
++0b 68 6D 61 63 2D 73 68 61 32 35 36 00
++# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
++00 00 00 00 00 00
++# Fudge: 300
++012c
++# MAC Size: 0; MAC: empty
++0000
++# Original ID: 0
++0000
++# Error: BADSIG
++0010
++# Other Data Length: 0
++0000
+diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
+index cade35bc1d..284aea1056 100644
+--- a/bin/tests/system/tsig/tests.sh
++++ b/bin/tests/system/tsig/tests.sh
+@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then
+ echo "I: failed"; status=1
+ fi
+ 
++echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
++ret=0
++$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
++$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
++grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
++if [ $ret -eq 1 ] ; then
++ echo_i "failed"; status=1
++fi
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+-- 
+2.21.1
+
diff --git a/SOURCES/bind-9.11-edns512-tcp-loops.patch b/SOURCES/bind-9.11-edns512-tcp-loops.patch
new file mode 100644
index 0000000..7c66164
--- /dev/null
+++ b/SOURCES/bind-9.11-edns512-tcp-loops.patch
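Review bot: The fixture and the test title say BADTIME, but the TSIG error field in `bin/tests/system/tsig/badtime` is `0010`, which the file's own comment labels `# Error: BADSIG`; the fix under test rejects any request (QR=0) that carries an empty MAC regardless of the error code, so the test still exercises it, but the name misdescribes the packet. Either rename the fixture and the echo_i line to BADSIG, or encode BADTIME (`0012`) so the replayed message matches the scenario named in the CVE description. The packet.pl invocation discards both its output and its exit status, which is fine for a fire-and-forget replay, but a one-line comment saying that the only pass criterion is that named still answers the following version.bind query would make the purpose of `dig.out.verify` clear.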
@@ -0,0 +1,78 @@
+From b2822c93b89588bceb5213ab7c2e8c30d91e5e6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
+Date: Thu, 31 Oct 2019 08:48:35 +0100
+Subject: [PATCH] Prevent query loops for misbehaving servers
+
+If a TCP connection fails while attempting to send a query to a server,
+the fetch context will be restarted without marking the target server as
+a bad one. If this happens for a server which:
+
+ - was already marked with the DNS_FETCHOPT_EDNS512 flag,
+ - responds to EDNS queries with the UDP payload size set to 512 bytes,
+ - does not send response packets larger than 512 bytes,
+
+and the response for the query being sent is larger than 512 byes, then
+named will pointlessly alternate between sending UDP queries with EDNS
+UDP payload size set to 512 bytes (which are responded to with truncated
+answers) and TCP connections until the fetch context retry limit is
+reached. Prevent such query loops by marking the server as bad for a
+given fetch context if the advertised EDNS UDP payload size for that
+server gets reduced to 512 bytes and it is impossible to reach it using
+TCP.
+
+(cherry picked from commit 6cd115994e0d10631172c56a7dab1ace83e946b4)
+(cherry picked from commit a6331686a8e3a5a2b0d1313de84978cd6d9ef65c)
+---
+ bin/tests/system/legacy/tests.sh | 11 +++++++++++
+ lib/dns/resolver.c | 13 +++++++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/bin/tests/system/legacy/tests.sh b/bin/tests/system/legacy/tests.sh
+index c4356f2456..7c30dcbc12 100755
+--- a/bin/tests/system/legacy/tests.sh
++++ b/bin/tests/system/legacy/tests.sh
+@@ -142,6 +142,17 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++n=`expr $n + 1`
++echo_i "checking recursive lookup to edns 512 + no tcp server does not cause query loops ($n)"
++ret=0
++sent=`grep -c -F "sending packet to 10.53.0.7" ns1/named.run`
++if [ $sent -ge 10 ]; then
++ echo_i "ns1 sent $sent queries to ns7, expected less than 10"
++ ret=1
++fi
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=`expr $status + $ret`
++
+ if $SHELL ../testcrypto.sh > /dev/null 2>&1
+ then
+ $PERL $SYSTEMTESTTOP/stop.pl . ns1
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index e13d684a4a..93ba77056e 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -2744,6 +2744,19 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
+ * No route to remote.
+ */
+ isc_socket_detach(&query->tcpsocket);
++ /*
++ * Do not query this server again in this fetch context
++ * if we already tried reducing the advertised EDNS UDP
++ * payload size to 512 bytes and the server is
++ * unavailable over TCP. This prevents query loops
++ * lasting until the fetch context restart limit is
++ * reached when attempting to get answers whose size
++ * exceeds 512 bytes from broken servers.
++ */
++ if ((query->options & DNS_FETCHOPT_EDNS512) != 0) {
++ add_bad(fctx, query->addrinfo, sevent->result,
++ badns_unreachable);
++ }
+ fctx_cancelquery(&query, NULL, NULL, ISC_TRUE, ISC_FALSE);
+ retry = ISC_TRUE;
+ break;
+-- 
+2.21.3
+
diff --git a/SOURCES/bind-9.11.13-CVE-2020-8616.patch b/SOURCES/bind-9.11.13-CVE-2020-8616.patch
new file mode 100644
index 0000000..bf79ec4
--- /dev/null
+++ b/SOURCES/bind-9.11.13-CVE-2020-8616.patch
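Review bot: The legacy tests.sh hunk counts `sending packet to 10.53.0.7` lines over the whole of ns1/named.run and only rejects `$sent -ge 10`, so a run in which no query ever reached ns7 (sent=0) passes silently; the step that is supposed to drive ns1 towards ns7 lies outside this hunk, so I cannot confirm it always runs first. A lower bound, `if [ $sent -lt 1 ]; then echo_i "ns1 never queried ns7"; ret=1; fi`, would stop the check from passing vacuously. In the resolver.c hunk the new `add_bad()` call is well commented, but resquery_connected, `sevent`, `retry` and the enclosing switch all begin and end outside the hunk, so the surrounding error path was not reviewable here.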
@@ -0,0 +1,169 @@
+From e2aed3e1885bbc6d94d8845edbd9a8dfb869eb67 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Fri, 15 May 2020 14:55:26 +0200
+Subject: [PATCH] CVE-2020-8616
+
+5395. [security] Further limit the number of queries that can be
+ triggered from a request. Root and TLD servers
+ are no longer exempt from max-recursion-queries.
+ Fetches for missing name server address records
+ are limited to 4 for any domain. (CVE-2020-8616)
+ [GL #1388]
+---
+ lib/dns/adb.c | 18 ++++++++--------
+ lib/dns/include/dns/adb.h | 4 ++++
+ lib/dns/resolver.c | 45 ++++++++++++++++++++++++++-------------
+ 3 files changed, 43 insertions(+), 24 deletions(-)
+
+diff --git a/lib/dns/adb.c b/lib/dns/adb.c
+index 1eb00c2..ea06a95 100644
+--- a/lib/dns/adb.c
++++ b/lib/dns/adb.c
+@@ -402,14 +402,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
+ */
+ #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
+ #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
+-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
+- != 0)
+-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
+- != 0)
+-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
+-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
++#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
++#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
++#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
++#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
++#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
++#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
++#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
+ 
+ /*
+ * These are currently used on simple unsigned ints, so they are
+@@ -3167,7 +3166,8 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ else
+ have_address = ISC_FALSE;
+ if (wanted_fetches != 0 &&
+- ! (FIND_AVOIDFETCHES(find) && have_address)) {
++ ! (FIND_AVOIDFETCHES(find) && have_address) &&
++ ! FIND_NOFETCH(find)) {
+ /*
+ * We're missing at least one address family. Either the
+ * caller hasn't instructed us to avoid fetches, or we don't
+diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
+index bfc8e43..0efaf89 100644
+--- a/lib/dns/include/dns/adb.h
++++ b/lib/dns/include/dns/adb.h
+@@ -204,6 +204,10 @@ struct dns_adbfind {
+ * lame for this query.
+ */
+ #define DNS_ADBFIND_OVERQUOTA 0x00000400
++/*%
++ * Don't perform a fetch even if there are no address records available.
++ */
++#define DNS_ADBFIND_NOFETCH 0x00000800
+ 
+ /*%
+ * The answers to queries come back as a list of these.
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 9df33c7..e13d684 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -175,6 +175,14 @@
+ #define DEFAULT_MAX_QUERIES 75
+ #endif
+ 
++/*
++ * After NS_FAIL_LIMIT attempts to fetch a name server address,
++ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
++ * stop trying to fetch, in order to avoid wasting resources.
++ */
++#define NS_FAIL_LIMIT 4
++#define NS_RR_LIMIT 5
++
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+ #define RES_DOMAIN_BUCKETS 523
+@@ -3086,8 +3094,8 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
+ static void
+ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+ unsigned int options, unsigned int flags, isc_stdtime_t now,
+- isc_boolean_t *overquota, isc_boolean_t *need_alternate)
+-{
++ isc_boolean_t *overquota, isc_boolean_t *need_alternate,
++ unsigned int *no_addresses) {
+ dns_adbaddrinfo_t *ai;
+ dns_adbfind_t *find;
+ dns_resolver_t *res;
+@@ -3176,6 +3184,9 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+ (res->dispatches6 == NULL &&
+ find->result_v4 != DNS_R_NXDOMAIN)))
+ *need_alternate = ISC_TRUE;
++ if (no_addresses != NULL) {
++ (*no_addresses)++;
++ }
+ } else {
+ if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
+ if (overquota != NULL)
+@@ -3226,6 +3237,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
+ dns_rdata_ns_t ns;
+ isc_boolean_t need_alternate = ISC_FALSE;
+ isc_boolean_t all_spilled = ISC_TRUE;
++ unsigned int no_addresses = 0;
+ 
+ FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3384,8 +3396,13 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
+ if (result != ISC_R_SUCCESS)
+ continue;
+ 
+- findname(fctx, &ns.name, 0, stdoptions, 0, now,
+- &overquota, &need_alternate);
++ if (no_addresses > NS_FAIL_LIMIT &&
++ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
++ {
++ stdoptions |= DNS_ADBFIND_NOFETCH;
++ }
++ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
++ &need_alternate, &no_addresses);
+ 
+ if (!overquota)
+ all_spilled = ISC_FALSE;
+@@ -3409,7 +3426,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
+ if (!a->isaddress) {
+ findname(fctx, &a->_u._n.name, a->_u._n.port,
+ stdoptions, FCTX_ADDRINFO_FORWARDER,
+- now, NULL, NULL);
++ now, NULL, NULL, NULL);
+ continue;
+ }
+ if (isc_sockaddr_pf(&a->_u.addr) != family)
+@@ -3771,16 +3788,14 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
+ }
+ }
+ 
+- if (dns_name_countlabels(&fctx->domain) > 2) {
+- result = isc_counter_increment(fctx->qc);
+- if (result != ISC_R_SUCCESS) {
+- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+- "exceeded max queries resolving '%s'",
+- fctx->info);
+- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+- return;
+- }
++ result = isc_counter_increment(fctx->qc);
++ if (result != ISC_R_SUCCESS) {
++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
++ "exceeded max queries resolving '%s'",
++ fctx->info);
++ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
++ return;
+ }
+ 
+ bucketnum = fctx->bucketnum;
+-- 
+2.21.1
+
diff --git a/SOURCES/bind-9.11.13-CVE-2020-8617.patch b/SOURCES/bind-9.11.13-CVE-2020-8617.patch
new file mode 100644
index 0000000..a6b83df
--- /dev/null
+++ b/SOURCES/bind-9.11.13-CVE-2020-8617.patch
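Review bot: The comment above `NS_FAIL_LIMIT` in the resolver.c hunk says fetching stops "after NS_FAIL_LIMIT attempts" and the 5395 changelog line says fetches are "limited to 4", but the guard added in fctx_getaddresses is `no_addresses > NS_FAIL_LIMIT`, which sets DNS_ADBFIND_NOFETCH only once five name servers have already come back address-less (assuming, as the findname hunk suggests, that `no_addresses` is bumped once per address-less find in a branch whose head lies outside the hunk). The accompanying system test expects "up to a maximum of 10" responses, i.e. 2 x 5, so the code is the intended behaviour and the prose is off by one; I would reword the comment to `* Once more than NS_FAIL_LIMIT name servers have yielded no address,` and adjust the changelog wording rather than tighten the comparison to `>=`, which would also require lowering the test's cap to 8. The same comment's "number of addresses in the NS RRset" is also imprecise, since `dns_rdataset_count(&fctx->nameservers)` counts NS records, not addresses. It is worth stating in the comment that `stdoptions |= DNS_ADBFIND_NOFETCH` is sticky for the remainder of the NS loop, which appears to be intentional.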
@@ -0,0 +1,40 @@
+From f6ca6392adf7f5a94c804d8a8a1233d90170f490 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Fri, 15 May 2020 14:56:33 +0200
+Subject: [PATCH] CVE-2020-8617
+
+5390. [security] Replaying a TSIG BADTIME response as a request could
+ trigger an assertion failure. (CVE-2020-8617)
+ [GL #1703]
+---
+ lib/dns/tsig.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index c6f9d1b..aee8eb0 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -1431,8 +1431,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ goto cleanup_context;
+ }
+ msg->verified_sig = 1;
+- } else if (tsig.error != dns_tsigerror_badsig &&
+- tsig.error != dns_tsigerror_badkey) {
++ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
++ tsig.error != dns_tsigerror_badkey))
++ {
+ tsig_log(msg->tsigkey, 2, "signature was empty");
+ return (DNS_R_TSIGVERIFYFAILURE);
+ }
+@@ -1488,7 +1489,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ }
+ }
+ 
+- if (tsig.error != dns_rcode_noerror) {
++ if (response && tsig.error != dns_rcode_noerror) {
+ msg->tsigstatus = tsig.error;
+ if (tsig.error == dns_tsigerror_badtime)
+ ret = DNS_R_CLOCKSKEW;
+-- 
+2.21.1
+
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index aec0105..9f6f81f 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -64,7 +64,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.11.4
-Release: 16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.3
+Release: 16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.6
 Epoch: 32
 Url: http://www.isc.org/products/BIND/
 #
@@ -163,6 +163,11 @@ Patch176: bind-9.11-rh1753259.patch
 Patch177: bind-9.11-rh1743572-2.patch
 Patch178: bind-9.11-rh1781576.patch
 Patch179: bind-9.11-disab-timer-test.patch
+Patch180: bind-9.11.13-CVE-2020-8616.patch
+Patch181: bind-9.11.13-CVE-2020-8617.patch
+Patch185: bind-9.11-CVE-2020-8616-test.patch
+Patch186: bind-9.11-CVE-2020-8617-test.patch
+Patch187: bind-9.11-edns512-tcp-loops.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -519,6 +524,11 @@ are used for building ISC DHCP.
 %patch176 -p1 -b .rh1753259
 %patch177 -p1 -b .rh1743572
 %patch178 -p1 -b .rh1781576
+%patch180 -p1 -b .CVE-2020-8616
+%patch181 -p1 -b .CVE-2020-8617
+%patch185 -p1 -b .CVE-2020-8616-test
+%patch186 -p1 -b .CVE-2020-8616-test
+%patch187 -p1 -b .edns512-loops
 
 # Override upstream builtin keys
 cp -fp %{SOURCE29} bind.keys
@@ -1500,6 +1510,16 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Wed May 27 2020 Petr Menšík - 32:9.11.4-16.P2.6
+- Fix EDNS512 loops on broken servers
+
+* Fri May 22 2020 Petr Menšík - 32:9.11.4-16.P2.5
+- Add CVE tests to codebase
+
+* Tue May 19 2020 Petr Menšík - 32:9.11.4-16.P2.4
+- Limit number of queries triggered by a request (CVE-2020-8616)
+- Fix invalid tsig request (CVE-2020-8617)
+
 * Wed Mar 04 2020 Miroslav Lichvar - 32:9.11.4-16.P2.3
 - Disable atomic operations on ppc64, ppc64le, aarch64, ppc (#1779589)
 
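Review bot: The new `!response ||` disjunct in dns_tsig_verify carries no comment, so a reader has to reconstruct from the CVE number why a request with an empty MAC now fails verification even when its error field says BADSIG or BADKEY; a line above it such as `/* An empty MAC is only legitimate on a BADSIG/BADKEY error response; a request must always carry one. */` would record that. The second hunk likewise gains `response &&` without explanation, and if the intent is that the TSIG error field only has meaning in a response, a short comment there (`/* the error field is only acted on in responses */`) would keep the two conditions from drifting apart in later edits. dns_tsig_verify and the code that sets `response` begin and end outside the hunks, so the remaining request-path handling was not visible here.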
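Review bot: In the `%patch` hunk the backup suffix for Patch186 is copied from the line above: `%patch186 -p1 -b .CVE-2020-8616-test` applies bind-9.11-CVE-2020-8617-test.patch, so it should read `%patch186 -p1 -b .CVE-2020-8617-test`. Judging by the two test patches' diffstats no file is touched by both, so the duplicate suffix does not overwrite a backup today, but mislabelled backup files would mislead anyone debugging a failed apply. The numbering jump from Patch181 to Patch185 is harmless, but a comment noting whether 182-184 are reserved would save the next maintainer a search.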