fix CVE-2024-11187
This commit is contained in:
Funda Wang
parent
a95016184c
commit
3a51d98192
268
backport-CVE-2024-11187.patch
Normal file
268
backport-CVE-2024-11187.patch
Normal file
@ -0,0 +1,268 @@
|
||||
From f59faf9d92acde0be9510e7d182fc1735b9f4a7e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Wed, 8 Jan 2025 16:46:48 +0100
|
||||
Subject: [PATCH 1/2] Isolate using the -T noaa flag only for part of the
|
||||
resolver test
|
||||
|
||||
Instead of running the whole resolver/ns4 server with -T noaa flag,
|
||||
use it only for the part where it is actually needed. The -T noaa
|
||||
could interfere with other parts of the test because the answers don't
|
||||
have the authoritative-answer bit set, and we could have false
|
||||
positives (or false negatives) in the test because the authoritative
|
||||
server doesn't follow the DNS protocol for all the tests in the resolver
|
||||
system test.
|
||||
|
||||
(cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
|
||||
---
|
||||
bin/tests/system/resolver/ns4/named.noaa | 5 -----
|
||||
1 file changed, 5 deletions(-)
|
||||
delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
|
||||
|
||||
diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
|
||||
deleted file mode 100644
|
||||
index 3b121ad9da7..00000000000
|
||||
--- a/bin/tests/system/resolver/ns4/named.noaa
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
|
||||
-
|
||||
-Add -T noaa.
|
||||
--
|
||||
GitLab
|
||||
|
||||
|
||||
From 89b256efae2d7ed61690fc241a661194481c815d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Thu, 19 Dec 2024 16:40:52 +0100
|
||||
Subject: [PATCH 2/2] Limit the additional processing for large RDATA sets
|
||||
|
||||
When answering queries, don't add data to the additional section if
|
||||
the answer has more than 13 names in the RDATA. This limits the
|
||||
number of lookups into the database(s) during a single client query,
|
||||
reducing query processing load.
|
||||
|
||||
Also, don't append any additional data to type=ANY queries. The
|
||||
answer to ANY is already big enough.
|
||||
|
||||
(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
|
||||
---
|
||||
bin/named/query.c | 8 +++++---
|
||||
bin/tests/system/additional/tests.sh | 2 +-
|
||||
bin/tests/system/resolver/tests.sh | 8 ++++++++
|
||||
lib/dns/include/dns/rdataset.h | 10 +++++++++-
|
||||
lib/dns/rdataset.c | 8 +++++++-
|
||||
lib/dns/resolver.c | 16 ++++++++++------
|
||||
6 files changed, 40 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/bin/named/query.c b/bin/named/query.c
|
||||
index 897beb7313e..5cba4a22c6b 100644
|
||||
--- a/bin/named/query.c
|
||||
+++ b/bin/named/query.c
|
||||
@@ -1827,7 +1827,8 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
|
||||
*/
|
||||
eresult = dns_rdataset_additionaldata(trdataset,
|
||||
query_addadditional,
|
||||
- client);
|
||||
+ client,
|
||||
+ DNS_RDATASET_MAXADDITIONAL);
|
||||
}
|
||||
|
||||
cleanup:
|
||||
@@ -2422,7 +2423,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
|
||||
rdataset->rdclass);
|
||||
rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
|
||||
|
||||
- if (NOADDITIONAL(client))
|
||||
+ if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any)
|
||||
return;
|
||||
|
||||
/*
|
||||
@@ -2433,7 +2434,8 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
|
||||
additionalctx.client = client;
|
||||
additionalctx.rdataset = rdataset;
|
||||
(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
|
||||
- &additionalctx);
|
||||
+ &additionalctx,
|
||||
+ DNS_RDATASET_MAXADDITIONAL);
|
||||
CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
|
||||
}
|
||||
|
||||
diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
|
||||
index 6400723a557..a33cc8aed26 100644
|
||||
--- a/bin/tests/system/additional/tests.sh
|
||||
+++ b/bin/tests/system/additional/tests.sh
|
||||
@@ -261,7 +261,7 @@ n=`expr $n + 1`
|
||||
echo_i "testing with 'minimal-any no;' ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
|
||||
-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
|
||||
+grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=`expr status + 1`
|
||||
fi
|
||||
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
|
||||
index b3c9f2179c7..e727c887bf2 100755
|
||||
--- a/bin/tests/system/resolver/tests.sh
|
||||
+++ b/bin/tests/system/resolver/tests.sh
|
||||
@@ -281,6 +281,10 @@ done
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
+$PERL $SYSTEMTESTTOP/stop.pl resolver ns4
|
||||
+touch ns4/named.noaa
|
||||
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1
|
||||
+
|
||||
n=`expr $n + 1`
|
||||
echo_i "RT21594 regression test check setup ($n)"
|
||||
ret=0
|
||||
@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
+$PERL $SYSTEMTESTTOP/stop.pl resolver ns4
|
||||
+rm ns4/named.noaa
|
||||
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1
|
||||
+
|
||||
n=`expr $n + 1`
|
||||
echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
|
||||
ret=0
|
||||
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
|
||||
index ed9119a62d4..cd9b014205e 100644
|
||||
--- a/lib/dns/include/dns/rdataset.h
|
||||
+++ b/lib/dns/include/dns/rdataset.h
|
||||
@@ -53,6 +53,8 @@
|
||||
#include <dns/types.h>
|
||||
#include <dns/rdatastruct.h>
|
||||
|
||||
+#define DNS_RDATASET_MAXADDITIONAL 13
|
||||
+
|
||||
ISC_LANG_BEGINDECLS
|
||||
|
||||
typedef enum {
|
||||
@@ -471,7 +473,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
|
||||
|
||||
isc_result_t
|
||||
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
|
||||
- dns_additionaldatafunc_t add, void *arg);
|
||||
+ dns_additionaldatafunc_t add, void *arg,
|
||||
+ size_t limit);
|
||||
/*%<
|
||||
* For each rdata in rdataset, call 'add' for each name and type in the
|
||||
* rdata which is subject to additional section processing.
|
||||
@@ -490,10 +493,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
|
||||
*\li If a call to dns_rdata_additionaldata() is not successful, the
|
||||
* result returned will be the result of dns_rdataset_additionaldata().
|
||||
*
|
||||
+ *\li If 'limit' is non-zero and the number of the rdatasets is larger
|
||||
+ * than 'limit', no additional data will be processed.
|
||||
+ *
|
||||
* Returns:
|
||||
*
|
||||
*\li #ISC_R_SUCCESS
|
||||
*
|
||||
+ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
|
||||
+ *
|
||||
*\li Any error that dns_rdata_additionaldata() can return.
|
||||
*/
|
||||
|
||||
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
|
||||
index b42dea5cd37..75f07c9e579 100644
|
||||
--- a/lib/dns/rdataset.c
|
||||
+++ b/lib/dns/rdataset.c
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <dns/ncache.h>
|
||||
#include <dns/rdata.h>
|
||||
#include <dns/rdataset.h>
|
||||
+#include <dns/result.h>
|
||||
|
||||
static const char *trustnames[] = {
|
||||
"none",
|
||||
@@ -607,7 +608,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
|
||||
|
||||
isc_result_t
|
||||
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
|
||||
- dns_additionaldatafunc_t add, void *arg)
|
||||
+ dns_additionaldatafunc_t add, void *arg,
|
||||
+ size_t limit)
|
||||
{
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
isc_result_t result;
|
||||
@@ -620,6 +622,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
|
||||
REQUIRE(DNS_RDATASET_VALID(rdataset));
|
||||
REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
|
||||
|
||||
+ if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
|
||||
+ return (DNS_R_TOOMANYRECORDS);
|
||||
+ }
|
||||
+
|
||||
result = dns_rdataset_first(rdataset);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
return (result);
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index a4e4f4c6f6a..ed3d0b1b95f 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -6472,7 +6472,7 @@ chase_additional(fetchctx_t *fctx, dns_message_t *rmessage) {
|
||||
rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
|
||||
(void)dns_rdataset_additionaldata(rdataset,
|
||||
check_related,
|
||||
- &chkarg);
|
||||
+ &chkarg, 0);
|
||||
rescan = true;
|
||||
}
|
||||
}
|
||||
@@ -7106,8 +7106,12 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
|
||||
FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING);
|
||||
chkarg.fctx = fctx;
|
||||
chkarg.rmessage = message;
|
||||
+
|
||||
+ /*
|
||||
+ * Mark the glue records in the additional section to be cached.
|
||||
+ */
|
||||
(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
|
||||
- &chkarg);
|
||||
+ &chkarg, 0);
|
||||
#if CHECK_FOR_GLUE_IN_ANSWER
|
||||
/*
|
||||
* Look in the answer section for "glue" that is incorrectly
|
||||
@@ -7123,7 +7127,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
|
||||
chkarg.fcx = fctx;
|
||||
chkarg.rmessage = message;
|
||||
(void)dns_rdataset_additionaldata(ns_rdataset,
|
||||
- check_answer, &chkarg);
|
||||
+ check_answer, &chkarg, 0);
|
||||
}
|
||||
#endif
|
||||
FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
|
||||
@@ -7365,7 +7369,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
|
||||
chkarg.rmessage = message;
|
||||
(void)dns_rdataset_additionaldata(rdataset,
|
||||
check_related,
|
||||
- &chkarg);
|
||||
+ &chkarg, 0);
|
||||
}
|
||||
} else if (aname != NULL) {
|
||||
dns_chkarg_t chkarg;
|
||||
@@ -7393,7 +7397,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
|
||||
chkarg.fctx = fctx;
|
||||
chkarg.rmessage = message;
|
||||
(void)dns_rdataset_additionaldata(ardataset, check_related,
|
||||
- &chkarg);
|
||||
+ &chkarg, 0);
|
||||
for (sigrdataset = ISC_LIST_HEAD(aname->list);
|
||||
sigrdataset != NULL;
|
||||
sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
|
||||
@@ -7556,7 +7560,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
|
||||
(void)dns_rdataset_additionaldata(
|
||||
rdataset,
|
||||
check_related,
|
||||
- &chkarg);
|
||||
+ &chkarg, 0);
|
||||
done = true;
|
||||
}
|
||||
}
|
||||
--
|
||||
GitLab
|
||||
|
||||
10
bind.spec
10
bind.spec
@ -19,7 +19,7 @@ Name: bind
|
||||
Summary: Domain Name System (DNS) Server (named)
|
||||
License: MPLv2.0
|
||||
Version: 9.11.21
|
||||
Release: 19
|
||||
Release: 20
|
||||
Epoch: 32
|
||||
Url: http://www.isc.org/products/BIND/
|
||||
Source0: https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
|
||||
@ -250,6 +250,7 @@ Patch6073:backport-0001-CVE-2024-1737.patch
|
||||
Patch6074:backport-0002-CVE-2024-1737.patch
|
||||
Patch6075:backport-0003-CVE-2024-1737.patch
|
||||
Patch6076:backport-0004-CVE-2024-1737.patch
|
||||
Patch6077:backport-CVE-2024-11187.patch
|
||||
|
||||
%description
|
||||
Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
|
||||
@ -539,6 +540,7 @@ cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
|
||||
%patch6074 -p1
|
||||
%patch6075 -p1
|
||||
%patch6076 -p1
|
||||
%patch6077 -p1
|
||||
|
||||
%patch199 -p1
|
||||
|
||||
@ -1320,6 +1322,12 @@ rm -rf ${RPM_BUILD_ROOT}
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Apr 22 2025 Funda Wang <fundawang@yeah.net> - 32:9.11.21-20
|
||||
- Type:CVE
|
||||
- CVE:CVE-2024-11187
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2024-11187
|
||||
|
||||
* Fri Aug 02 2024 chengyechun <chengyechun1@huawei.com> - 32:9.11.21-19
|
||||
- Type:CVE
|
||||
- CVE:CVE-2024-1975,CVE-2024-1737
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user