!239 fix CVE-2024-11187

From: @fundawang Reviewed-by: @jiangheng12 Signed-off-by: @jiangheng12
2025-05-15 02:08:17 +00:00 · 2025-05-15 02:08:17 +00:00 · 7c5dd2418c
commit 7c5dd2418c
parent a95016184c 3a51d98192
2 changed files with 277 additions and 1 deletions
--- a/backport-CVE-2024-11187.patch
+++ b/backport-CVE-2024-11187.patch
@ -0,0 +1,268 @@
+From f59faf9d92acde0be9510e7d182fc1735b9f4a7e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Wed, 8 Jan 2025 16:46:48 +0100
+Subject: [PATCH 1/2] Isolate using the -T noaa flag only for part of the
+ resolver test
+
+Instead of running the whole resolver/ns4 server with -T noaa flag,
+use it only for the part where it is actually needed.  The -T noaa
+could interfere with other parts of the test because the answers don't
+have the authoritative-answer bit set, and we could have false
+positives (or false negatives) in the test because the authoritative
+server doesn't follow the DNS protocol for all the tests in the resolver
+system test.
+
+(cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
+---
+ bin/tests/system/resolver/ns4/named.noaa | 5 -----
+ 1 file changed, 5 deletions(-)
+ delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
+
+diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
+deleted file mode 100644
+index 3b121ad9da7..00000000000
+--- a/bin/tests/system/resolver/ns4/named.noaa
+++ /dev/null
+@@ -1,5 +0,0 @@
+-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+-
+-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+-
+-Add -T noaa.
+-- 
+GitLab
+
+
+From 89b256efae2d7ed61690fc241a661194481c815d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Thu, 19 Dec 2024 16:40:52 +0100
+Subject: [PATCH 2/2] Limit the additional processing for large RDATA sets
+
+When answering queries, don't add data to the additional section if
+the answer has more than 13 names in the RDATA.  This limits the
+number of lookups into the database(s) during a single client query,
+reducing query processing load.
+
+Also, don't append any additional data to type=ANY queries. The
+answer to ANY is already big enough.
+
+(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
+---
+ bin/named/query.c                    |  8 +++++---
+ bin/tests/system/additional/tests.sh |  2 +-
+ bin/tests/system/resolver/tests.sh   |  8 ++++++++
+ lib/dns/include/dns/rdataset.h       | 10 +++++++++-
+ lib/dns/rdataset.c                   |  8 +++++++-
+ lib/dns/resolver.c                   | 16 ++++++++++------
+ 6 files changed, 40 insertions(+), 12 deletions(-)
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index 897beb7313e..5cba4a22c6b 100644
+--- a/bin/named/query.c
+++ b/bin/named/query.c
+@@ -1827,7 +1827,8 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
+ 		 */
+ 		eresult = dns_rdataset_additionaldata(trdataset,
+ 						      query_addadditional,
+-						      client);
+						      client,
+						      DNS_RDATASET_MAXADDITIONAL);
+ 	}
+ 
+  cleanup:
+@@ -2422,7 +2423,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
+ 						       rdataset->rdclass);
+ 	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
+ 
+-	if (NOADDITIONAL(client))
+	if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any)
+ 		return;
+ 
+ 	/*
+@@ -2433,7 +2434,8 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
+ 	additionalctx.client = client;
+ 	additionalctx.rdataset = rdataset;
+ 	(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
+-					  &additionalctx);
+					  &additionalctx,
+					  DNS_RDATASET_MAXADDITIONAL);
+ 	CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
+ }
+ 
+diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
+index 6400723a557..a33cc8aed26 100644
+--- a/bin/tests/system/additional/tests.sh
+++ b/bin/tests/system/additional/tests.sh
+@@ -261,7 +261,7 @@ n=`expr $n + 1`
+ echo_i "testing with 'minimal-any no;' ($n)"
+ ret=0
+ $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
+-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
+grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+     echo_i "failed"; status=`expr status + 1`
+ fi
+diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
+index b3c9f2179c7..e727c887bf2 100755
+--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
+@@ -281,6 +281,10 @@ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
+$PERL $SYSTEMTESTTOP/stop.pl resolver ns4
+touch ns4/named.noaa
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1
+
+ n=`expr $n + 1`
+ echo_i "RT21594 regression test check setup ($n)"
+ ret=0
+@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
+$PERL $SYSTEMTESTTOP/stop.pl resolver ns4
+rm ns4/named.noaa
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1
+
+ n=`expr $n + 1`
+ echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
+ ret=0
+diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
+index ed9119a62d4..cd9b014205e 100644
+--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
+@@ -53,6 +53,8 @@
+ #include <dns/types.h>
+ #include <dns/rdatastruct.h>
+ 
+#define DNS_RDATASET_MAXADDITIONAL 13
+
+ ISC_LANG_BEGINDECLS
+ 
+ typedef enum {
+@@ -471,7 +473,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
+ 
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+-			    dns_additionaldatafunc_t add, void *arg);
+			    dns_additionaldatafunc_t add, void *arg,
+			    size_t limit);
+ /*%<
+  * For each rdata in rdataset, call 'add' for each name and type in the
+  * rdata which is subject to additional section processing.
+@@ -490,10 +493,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+  *\li	If a call to dns_rdata_additionaldata() is not successful, the
+  *	result returned will be the result of dns_rdataset_additionaldata().
+  *
+ *\li	If 'limit' is non-zero and the number of the rdatasets is larger
+ *	than 'limit', no additional data will be processed.
+ *
+  * Returns:
+  *
+  *\li	#ISC_R_SUCCESS
+  *
+ *\li	#DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
+ *
+  *\li	Any error that dns_rdata_additionaldata() can return.
+  */
+ 
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index b42dea5cd37..75f07c9e579 100644
+--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
+@@ -28,6 +28,7 @@
+ #include <dns/ncache.h>
+ #include <dns/rdata.h>
+ #include <dns/rdataset.h>
+#include <dns/result.h>
+ 
+ static const char *trustnames[] = {
+ 	"none",
+@@ -607,7 +608,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
+ 
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+-			    dns_additionaldatafunc_t add, void *arg)
+			    dns_additionaldatafunc_t add, void *arg,
+			    size_t limit)
+ {
+ 	dns_rdata_t rdata = DNS_RDATA_INIT;
+ 	isc_result_t result;
+@@ -620,6 +622,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ 	REQUIRE(DNS_RDATASET_VALID(rdataset));
+ 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ 
+	if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+		return (DNS_R_TOOMANYRECORDS);
+	}
+
+ 	result = dns_rdataset_first(rdataset);
+ 	if (result != ISC_R_SUCCESS)
+ 		return (result);
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index a4e4f4c6f6a..ed3d0b1b95f 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -6472,7 +6472,7 @@ chase_additional(fetchctx_t *fctx, dns_message_t *rmessage) {
+ 				rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
+ 				(void)dns_rdataset_additionaldata(rdataset,
+ 								  check_related,
+-								  &chkarg);
+								  &chkarg, 0);
+ 				rescan = true;
+ 			}
+ 		}
+@@ -7106,8 +7106,12 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
+ 		FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING);
+ 		chkarg.fctx = fctx;
+ 		chkarg.rmessage = message;
+
+		/*
+		 * Mark the glue records in the additional section to be cached.
+		 */
+ 		(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
+-						  &chkarg);
+						  &chkarg, 0);
+ #if CHECK_FOR_GLUE_IN_ANSWER
+ 		/*
+ 		 * Look in the answer section for "glue" that is incorrectly
+@@ -7123,7 +7127,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
+ 			chkarg.fcx = fctx;
+ 			chkarg.rmessage = message;
+ 			(void)dns_rdataset_additionaldata(ns_rdataset,
+-							  check_answer, &chkarg);
+							  check_answer, &chkarg, 0);
+ 		}
+ #endif
+ 		FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
+@@ -7365,7 +7369,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
+ 			chkarg.rmessage = message;
+ 			(void)dns_rdataset_additionaldata(rdataset,
+ 							  check_related,
+-							  &chkarg);
+							  &chkarg, 0);
+ 		}
+ 	} else if (aname != NULL) {
+ 		dns_chkarg_t chkarg;
+@@ -7393,7 +7397,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
+ 		chkarg.fctx = fctx;
+ 		chkarg.rmessage = message;
+ 		(void)dns_rdataset_additionaldata(ardataset, check_related,
+-						  &chkarg);
+						  &chkarg, 0);
+ 		for (sigrdataset = ISC_LIST_HEAD(aname->list);
+ 		     sigrdataset != NULL;
+ 		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+@@ -7556,7 +7560,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
+ 					(void)dns_rdataset_additionaldata(
+ 							rdataset,
+ 							check_related,
+-							&chkarg);
+							&chkarg, 0);
+ 					done = true;
+ 				}
+ 			}
+-- 
+GitLab
+
--- a/bind.spec
+++ b/bind.spec
@ -19,7 +19,7 @@ Name:           bind
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPLv2.0
 Version:        9.11.21
-Release:        19
+Release:        20
 Epoch:          32
 Url:            http://www.isc.org/products/BIND/
 Source0:        https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
@ -250,6 +250,7 @@ Patch6073:backport-0001-CVE-2024-1737.patch
 Patch6074:backport-0002-CVE-2024-1737.patch
 Patch6075:backport-0003-CVE-2024-1737.patch
 Patch6076:backport-0004-CVE-2024-1737.patch
+Patch6077:backport-CVE-2024-11187.patch

 %description
 Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
@ -539,6 +540,7 @@ cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
 %patch6074 -p1
 %patch6075 -p1
 %patch6076 -p1
+%patch6077 -p1

 %patch199 -p1

@ -1320,6 +1322,12 @@ rm -rf ${RPM_BUILD_ROOT}


 %changelog
+* Tue Apr 22 2025 Funda Wang <fundawang@yeah.net> - 32:9.11.21-20
+- Type:CVE
+- CVE:CVE-2024-11187
+- SUG:NA
+- DESC:fix CVE-2024-11187
+
 * Fri Aug 02 2024 chengyechun <chengyechun1@huawei.com> - 32:9.11.21-19
 - Type:CVE
 - CVE:CVE-2024-1975,CVE-2024-1737