diff --git a/SOURCES/bind-9.11.13-CVE-2020-8616.patch b/SOURCES/bind-9.11.13-CVE-2020-8616.patch new file mode 100644 index 0000000..7cec50c --- /dev/null +++ b/SOURCES/bind-9.11.13-CVE-2020-8616.patch @@ -0,0 +1,222 @@ +From 165181b794e185af8621300e2a68777a04af8358 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 15 May 2020 14:55:26 +0200 +Subject: [PATCH] CVE-2020-8616 + +5395. [security] Further limit the number of queries that can be + triggered from a request. Root and TLD servers + are no longer exempt from max-recursion-queries. + Fetches for missing name server address records + are limited to 4 for any domain. (CVE-2020-8616) + [GL #1388] +--- + lib/dns/adb.c | 33 +++++++++++++---------- + lib/dns/include/dns/adb.h | 4 +++ + lib/dns/resolver.c | 55 ++++++++++++++++++++++++++------------- + 3 files changed, 60 insertions(+), 32 deletions(-) + +diff --git a/lib/dns/adb.c b/lib/dns/adb.c +index 3d12221..ec183d0 100644 +--- a/lib/dns/adb.c ++++ b/lib/dns/adb.c +@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...) + */ + #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0) + #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0) +-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \ +- != 0) +-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \ +- != 0) +-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) +-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) +-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) +-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) ++#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0) ++#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0) ++#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) ++#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) ++#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) ++#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) ++#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0) + + /* + * These are currently used on simple unsigned ints, so they are +@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, + * Listen to negative cache hints, and don't start + * another query. + */ +- if (NCACHE_RESULT(result) || AUTH_NX(result)) ++ if (NCACHE_RESULT(result) || AUTH_NX(result)) { + goto fetch; ++ } + +- if (!NAME_FETCH_V6(adbname)) ++ if (!NAME_FETCH_V6(adbname)) { + wanted_fetches |= DNS_ADBFIND_INET6; ++ } + } + + fetch: + if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) || + (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname))) ++ { + have_address = true; +- else ++ } else { + have_address = false; +- if (wanted_fetches != 0 && +- ! (FIND_AVOIDFETCHES(find) && have_address)) { ++ } ++ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) && ++ !FIND_NOFETCH(find)) ++ { + /* + * We're missing at least one address family. Either the + * caller hasn't instructed us to avoid fetches, or we don't +@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, + * be acceptable so we have to launch fetches. + */ + +- if (FIND_STARTATZONE(find)) ++ if (FIND_STARTATZONE(find)) { + start_at_zone = true; ++ } + + /* + * Start V4. +diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h +index ca35bac..3e27c9e 100644 +--- a/lib/dns/include/dns/adb.h ++++ b/lib/dns/include/dns/adb.h +@@ -207,6 +207,10 @@ struct dns_adbfind { + * lame for this query. + */ + #define DNS_ADBFIND_OVERQUOTA 0x00000400 ++/*% ++ * Don't perform a fetch even if there are no address records available. ++ */ ++#define DNS_ADBFIND_NOFETCH 0x00000800 + + /*% + * The answers to queries come back as a list of these. +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 164fc01..79ad212 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -173,6 +173,14 @@ + #define DEFAULT_MAX_QUERIES 75 + #endif + ++/* ++ * After NS_FAIL_LIMIT attempts to fetch a name server address, ++ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT, ++ * stop trying to fetch, in order to avoid wasting resources. ++ */ ++#define NS_FAIL_LIMIT 4 ++#define NS_RR_LIMIT 5 ++ + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS + #define RES_DOMAIN_BUCKETS 523 +@@ -3121,8 +3129,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) { + static void + findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, + unsigned int options, unsigned int flags, isc_stdtime_t now, +- bool *overquota, bool *need_alternate) +-{ ++ bool *overquota, bool *need_alternate, unsigned int *no_addresses) { + dns_adbaddrinfo_t *ai; + dns_adbfind_t *find; + dns_resolver_t *res; +@@ -3210,7 +3217,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, + find->result_v6 != DNS_R_NXDOMAIN) || + (res->dispatches6 == NULL && + find->result_v4 != DNS_R_NXDOMAIN))) ++ { + *need_alternate = true; ++ } ++ if (no_addresses != NULL) { ++ (*no_addresses)++; ++ } + } else { + if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) { + if (overquota != NULL) +@@ -3261,6 +3273,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + dns_rdata_ns_t ns; + bool need_alternate = false; + bool all_spilled = true; ++ unsigned int no_addresses = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3428,20 +3441,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + * Extract the name from the NS record. + */ + result = dns_rdata_tostruct(&rdata, &ns, NULL); +- if (result != ISC_R_SUCCESS) ++ if (result != ISC_R_SUCCESS) { + continue; ++ } + +- findname(fctx, &ns.name, 0, stdoptions, 0, now, +- &overquota, &need_alternate); ++ if (no_addresses > NS_FAIL_LIMIT && ++ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT) ++ { ++ stdoptions |= DNS_ADBFIND_NOFETCH; ++ } ++ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota, ++ &need_alternate, &no_addresses); + +- if (!overquota) ++ if (!overquota) { + all_spilled = false; ++ } + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); + } +- if (result != ISC_R_NOMORE) ++ if (result != ISC_R_NOMORE) { + return (result); ++ } + + /* + * Do we need to use 6 to 4? +@@ -3456,7 +3477,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + if (!a->isaddress) { + findname(fctx, &a->_u._n.name, a->_u._n.port, + stdoptions, FCTX_ADDRINFO_FORWARDER, +- now, NULL, NULL); ++ now, NULL, NULL, NULL); + continue; + } + if (isc_sockaddr_pf(&a->_u.addr) != family) +@@ -3818,16 +3839,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) { + } + } + +- if (dns_name_countlabels(&fctx->domain) > 2) { +- result = isc_counter_increment(fctx->qc); +- if (result != ISC_R_SUCCESS) { +- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, +- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), +- "exceeded max queries resolving '%s'", +- fctx->info); +- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); +- return; +- } ++ result = isc_counter_increment(fctx->qc); ++ if (result != ISC_R_SUCCESS) { ++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, ++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), ++ "exceeded max queries resolving '%s'", ++ fctx->info); ++ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); ++ return; + } + + bucketnum = fctx->bucketnum; +-- +2.21.1 + diff --git a/SOURCES/bind-9.11.13-CVE-2020-8617.patch b/SOURCES/bind-9.11.13-CVE-2020-8617.patch new file mode 100644 index 0000000..a6b83df --- /dev/null +++ b/SOURCES/bind-9.11.13-CVE-2020-8617.patch @@ -0,0 +1,40 @@ +From f6ca6392adf7f5a94c804d8a8a1233d90170f490 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 15 May 2020 14:56:33 +0200 +Subject: [PATCH] CVE-2020-8617 + +5390. [security] Replaying a TSIG BADTIME response as a request could + trigger an assertion failure. (CVE-2020-8617) + [GL #1703] +--- + lib/dns/tsig.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c +index c6f9d1b..aee8eb0 100644 +--- a/lib/dns/tsig.c ++++ b/lib/dns/tsig.c +@@ -1431,8 +1431,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + goto cleanup_context; + } + msg->verified_sig = 1; +- } else if (tsig.error != dns_tsigerror_badsig && +- tsig.error != dns_tsigerror_badkey) { ++ } else if (!response || (tsig.error != dns_tsigerror_badsig && ++ tsig.error != dns_tsigerror_badkey)) ++ { + tsig_log(msg->tsigkey, 2, "signature was empty"); + return (DNS_R_TSIGVERIFYFAILURE); + } +@@ -1488,7 +1489,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + } + } + +- if (tsig.error != dns_rcode_noerror) { ++ if (response && tsig.error != dns_rcode_noerror) { + msg->tsigstatus = tsig.error; + if (tsig.error == dns_tsigerror_badtime) + ret = DNS_R_CLOCKSKEW; +-- +2.21.1 + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 3a2b8b4..68295f0 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -63,7 +63,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.13 -Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -155,6 +155,8 @@ Patch177:bind-9.11-serve-stale.patch Patch178:bind-9.11-dhcp-time-monotonic.patch Patch179:bind-9.11-rh1790879.patch Patch180:bind-9.11.13-rwlock.patch +Patch181:bind-9.11.13-CVE-2020-8617.patch +Patch182:bind-9.11.13-CVE-2020-8616.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -509,6 +511,8 @@ are used for building ISC DHCP. %patch178 -p1 -b .time-monotonic %patch179 -p1 -b .rh1790879 %patch180 -p1 -b .rwlock +%patch181 -p1 -b .CVE-2020-8617 +%patch182 -p1 -b .CVE-2020-8616 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1486,6 +1490,12 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Fri May 15 2020 Petr Menšík - 32:9.11.13-5 +- Limit number of queries triggered by a request (CVE-2020-8616) + +* Fri May 15 2020 Petr Menšík - 32:9.11.13-4 +- Fix invalid tsig request (CVE-2020-8617) + * Thu Feb 27 2020 Miroslav Lichvar - 32:9.11.13-3 - Fix rwlock to be thread-safe (#1740511)