fix CVE-2024-11187

2025-04-24 09:16:53 +08:00 · 2025-04-24 09:16:53 +08:00 · 3a51d98192
commit 3a51d98192
parent a95016184c
2 changed files with 277 additions and 1 deletions
--- a/backport-CVE-2024-11187.patch
+++ b/backport-CVE-2024-11187.patch
@ -0,0 +1,268 @@
 From f59faf9d92acde0be9510e7d182fc1735b9f4a7e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
 Date: Wed, 8 Jan 2025 16:46:48 +0100
 Subject: [PATCH 1/2] Isolate using the -T noaa flag only for part of the
 resolver test
 Instead of running the whole resolver/ns4 server with -T noaa flag,
 use it only for the part where it is actually needed.  The -T noaa
 could interfere with other parts of the test because the answers don't
 have the authoritative-answer bit set, and we could have false
 positives (or false negatives) in the test because the authoritative
 server doesn't follow the DNS protocol for all the tests in the resolver
 system test.
 (cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
 ---
 bin/tests/system/resolver/ns4/named.noaa | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
 diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
 deleted file mode 100644
 index 3b121ad9da7..00000000000
 --- a/bin/tests/system/resolver/ns4/named.noaa
 +++ /dev/null
@@ -1,5 +0,0 @@
 -Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 -
 -See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 -
 -Add -T noaa.
 -- 
 GitLab
 From 89b256efae2d7ed61690fc241a661194481c815d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
 Date: Thu, 19 Dec 2024 16:40:52 +0100
 Subject: [PATCH 2/2] Limit the additional processing for large RDATA sets
 When answering queries, don't add data to the additional section if
 the answer has more than 13 names in the RDATA.  This limits the
 number of lookups into the database(s) during a single client query,
 reducing query processing load.
 Also, don't append any additional data to type=ANY queries. The
 answer to ANY is already big enough.
 (cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
 ---
 bin/named/query.c                    |  8 +++++---
 bin/tests/system/additional/tests.sh |  2 +-
 bin/tests/system/resolver/tests.sh   |  8 ++++++++
 lib/dns/include/dns/rdataset.h       | 10 +++++++++-
 lib/dns/rdataset.c                   |  8 +++++++-
 lib/dns/resolver.c                   | 16 ++++++++++------
 6 files changed, 40 insertions(+), 12 deletions(-)
 diff --git a/bin/named/query.c b/bin/named/query.c
 index 897beb7313e..5cba4a22c6b 100644
 --- a/bin/named/query.c
 +++ b/bin/named/query.c
@@ -1827,7 +1827,8 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		 */
 		eresult = dns_rdataset_additionaldata(trdataset,
 						      query_addadditional,
 -						      client);
 +						      client,
 +						      DNS_RDATASET_MAXADDITIONAL);
 	}
  cleanup:
@@ -2422,7 +2423,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
 						       rdataset->rdclass);
 	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
 -	if (NOADDITIONAL(client))
 +	if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any)
 		return;
 	/*
@@ -2433,7 +2434,8 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
 	additionalctx.client = client;
 	additionalctx.rdataset = rdataset;
 	(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
 -					  &additionalctx);
 +					  &additionalctx,
 +					  DNS_RDATASET_MAXADDITIONAL);
 	CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
 }
 diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
 index 6400723a557..a33cc8aed26 100644
 --- a/bin/tests/system/additional/tests.sh
 +++ b/bin/tests/system/additional/tests.sh
@@ -261,7 +261,7 @@ n=`expr $n + 1`
 echo_i "testing with 'minimal-any no;' ($n)"
 ret=0
 $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
 -grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
 +grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
     echo_i "failed"; status=`expr status + 1`
 fi
 diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
 index b3c9f2179c7..e727c887bf2 100755
 --- a/bin/tests/system/resolver/tests.sh
 +++ b/bin/tests/system/resolver/tests.sh
@@ -281,6 +281,10 @@ done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 +$PERL $SYSTEMTESTTOP/stop.pl resolver ns4
 +touch ns4/named.noaa
 +$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1
 +
 n=`expr $n + 1`
 echo_i "RT21594 regression test check setup ($n)"
 ret=0
@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 +$PERL $SYSTEMTESTTOP/stop.pl resolver ns4
 +rm ns4/named.noaa
 +$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1
 +
 n=`expr $n + 1`
 echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
 ret=0
 diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
 index ed9119a62d4..cd9b014205e 100644
 --- a/lib/dns/include/dns/rdataset.h
 +++ b/lib/dns/include/dns/rdataset.h
@@ -53,6 +53,8 @@
 #include <dns/types.h>
 #include <dns/rdatastruct.h>
 +#define DNS_RDATASET_MAXADDITIONAL 13
 +
 ISC_LANG_BEGINDECLS
 typedef enum {
@@ -471,7 +473,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
 isc_result_t
 dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 -			    dns_additionaldatafunc_t add, void *arg);
 +			    dns_additionaldatafunc_t add, void *arg,
 +			    size_t limit);
 /*%<
  * For each rdata in rdataset, call 'add' for each name and type in the
  * rdata which is subject to additional section processing.
@@ -490,10 +493,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
  *\li	If a call to dns_rdata_additionaldata() is not successful, the
  *	result returned will be the result of dns_rdataset_additionaldata().
  *
 + *\li	If 'limit' is non-zero and the number of the rdatasets is larger
 + *	than 'limit', no additional data will be processed.
 + *
  * Returns:
  *
  *\li	#ISC_R_SUCCESS
  *
 + *\li	#DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
 + *
  *\li	Any error that dns_rdata_additionaldata() can return.
  */
 diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
 index b42dea5cd37..75f07c9e579 100644
 --- a/lib/dns/rdataset.c
 +++ b/lib/dns/rdataset.c
@@ -28,6 +28,7 @@
 #include <dns/ncache.h>
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
 +#include <dns/result.h>
 static const char *trustnames[] = {
 	"none",
@@ -607,7 +608,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 isc_result_t
 dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 -			    dns_additionaldatafunc_t add, void *arg)
 +			    dns_additionaldatafunc_t add, void *arg,
 +			    size_t limit)
 {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_result_t result;
@@ -620,6 +622,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
 +	if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
 +		return (DNS_R_TOOMANYRECORDS);
 +	}
 +
 	result = dns_rdataset_first(rdataset);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
 index a4e4f4c6f6a..ed3d0b1b95f 100644
 --- a/lib/dns/resolver.c
 +++ b/lib/dns/resolver.c
@@ -6472,7 +6472,7 @@ chase_additional(fetchctx_t *fctx, dns_message_t *rmessage) {
 				rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
 				(void)dns_rdataset_additionaldata(rdataset,
 								  check_related,
 -								  &chkarg);
 +								  &chkarg, 0);
 				rescan = true;
 			}
 		}
@@ -7106,8 +7106,12 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
 		FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING);
 		chkarg.fctx = fctx;
 		chkarg.rmessage = message;
 +
 +		/*
 +		 * Mark the glue records in the additional section to be cached.
 +		 */
 		(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
 -						  &chkarg);
 +						  &chkarg, 0);
 #if CHECK_FOR_GLUE_IN_ANSWER
 		/*
 		 * Look in the answer section for "glue" that is incorrectly
@@ -7123,7 +7127,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
 			chkarg.fcx = fctx;
 			chkarg.rmessage = message;
 			(void)dns_rdataset_additionaldata(ns_rdataset,
 -							  check_answer, &chkarg);
 +							  check_answer, &chkarg, 0);
 		}
 #endif
 		FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
@@ -7365,7 +7369,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
 			chkarg.rmessage = message;
 			(void)dns_rdataset_additionaldata(rdataset,
 							  check_related,
 -							  &chkarg);
 +							  &chkarg, 0);
 		}
 	} else if (aname != NULL) {
 		dns_chkarg_t chkarg;
@@ -7393,7 +7397,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
 		chkarg.fctx = fctx;
 		chkarg.rmessage = message;
 		(void)dns_rdataset_additionaldata(ardataset, check_related,
 -						  &chkarg);
 +						  &chkarg, 0);
 		for (sigrdataset = ISC_LIST_HEAD(aname->list);
 		     sigrdataset != NULL;
 		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
@@ -7556,7 +7560,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
 					(void)dns_rdataset_additionaldata(
 							rdataset,
 							check_related,
 -							&chkarg);
 +							&chkarg, 0);
 					done = true;
 				}
 			}
 -- 
 GitLab
--- a/bind.spec
+++ b/bind.spec
@ -19,7 +19,7 @@ Name:           bind
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPLv2.0
 Version:        9.11.21
-Release:        19
+Release:        20
 Epoch:          32
 Url:            http://www.isc.org/products/BIND/
 Source0:        https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
@ -250,6 +250,7 @@ Patch6073:backport-0001-CVE-2024-1737.patch
 Patch6074:backport-0002-CVE-2024-1737.patch
 Patch6075:backport-0003-CVE-2024-1737.patch
 Patch6076:backport-0004-CVE-2024-1737.patch
 Patch6077:backport-CVE-2024-11187.patch
 %description
 Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
@ -539,6 +540,7 @@ cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
 %patch6074 -p1
 %patch6075 -p1
 %patch6076 -p1
 %patch6077 -p1
 %patch199 -p1
@ -1320,6 +1322,12 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Tue Apr 22 2025 Funda Wang <fundawang@yeah.net> - 32:9.11.21-20
 - Type:CVE
 - CVE:CVE-2024-11187
 - SUG:NA
 - DESC:fix CVE-2024-11187
 * Fri Aug 02 2024 chengyechun <chengyechun1@huawei.com> - 32:9.11.21-19
 - Type:CVE
 - CVE:CVE-2024-1975,CVE-2024-1737