!130 fix CVE-2022-2795 CVE-2022-38177 CVE-2022-38178 CVE-2022-2906 CVE-2022-2881

From: @yuh-kevin 
Reviewed-by: @zengwefeng 
Signed-off-by: @zengwefeng

backport-CVE-2022-2795.patch

@@ -0,0 +1,60 @@
+From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered.  Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index d2cf14bbc8b..73a0ee9f779 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 	bool need_alternate = false;
+ 	bool all_spilled = true;
+ 	unsigned int no_addresses = 0;
++	unsigned int ns_processed = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3902,6 +3909,11 @@ normal_nses:
+ 
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdata_freestruct(&ns);
++
++		if (++ns_processed >= NS_PROCESSING_LIMIT) {
++			result = ISC_R_NOMORE;
++			break;
++		}
+ 	}
+ 	if (result != ISC_R_NOMORE) {
+ 		return (result);
+-- 
+GitLab
+

backport-CVE-2022-2881.patch

@@ -0,0 +1,41 @@
+From 13333db69f9b9710a98c86f44276e01e95420fa0 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Tue, 16 Aug 2022 16:26:02 -0700
+Subject: [PATCH] compression buffer was not reused correctly
+
+when the compression buffer was reused for multiple statistics
+requests, responses could grow beyond the correct size. this was
+because the buffer was not cleared before reuse; compressed data
+was still written to the beginning of the buffer, but then the size
+of used region was increased by the amount written, rather than set
+to the amount written. this caused responses to grow larger and
+larger, potentially reading past the end of the allocated buffer.
+
+(cherry picked from commit 47e9fa981e56a7a232f3219fe8a40525c79d748b)
+---
+ lib/isc/httpd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
+index 6259347..88d8716 100644
+--- a/lib/isc/httpd.c
++++ b/lib/isc/httpd.c
+@@ -243,6 +243,7 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
+ 	if (r.length > 0) {
+ 		isc_mem_put(mctx, r.base, r.length);
+ 	}
++       isc_buffer_initnull(buffer);
+ }
+ 
+ static void
+@@ -923,6 +924,7 @@ isc_httpd_compress(isc_httpd_t *httpd) {
+ 	if (result != ISC_R_SUCCESS) {
+ 		return result;
+ 	}
++       isc_buffer_clear(&httpd->compbuffer);
+ 	isc_buffer_region(&httpd->compbuffer, &r);
+ 
+ 	/*
+-- 
+2.23.0
+

backport-CVE-2022-2906.patch

@@ -0,0 +1,121 @@
+From 73df5c80538970ee1fbc4fe3348109bdc281e197 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan <aram@isc.org>
+Date: Thu, 18 Aug 2022 08:59:09 +0000
+Subject: [PATCH] Fix memory leaks in DH code
+
+When used with OpenSSL v3.0.0+, the `openssldh_compare()`,
+`openssldh_paramcompare()`, and `openssldh_todns()` functions
+fail to cleanup the used memory on some error paths.
+
+Use `DST_RET` instead of `return`, when there is memory to be
+released before returning from the functions.
+
+(cherry picked from commit 73d6bbff4e1df583810126fe58eac39bb52bc0d9)
+---
+ lib/dns/openssldh_link.c | 34 ++++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
+index 30de343..2af1d30 100644
+--- a/lib/dns/openssldh_link.c
++++ b/lib/dns/openssldh_link.c
+@@ -68,6 +68,7 @@
+ 	"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
+ 	"670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
+ 
++#define DST_RET(a) {ret = a; goto err;}
+ 
+ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
+ 
+@@ -186,7 +187,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ 
+ static bool
+ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+-	DH *dh1, *dh2;
++	bool ret = true;
++       DH *dh1, *dh2;
+ 	const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
+ 	const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
+ 	const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+@@ -206,20 +208,21 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 
+ 	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
+ 	    BN_cmp(pub_key1, pub_key2) != 0)
+-		return (false);
++		DST_RET(false);
+ 
+ 	if (priv_key1 != NULL || priv_key2 != NULL) {
+-		if (priv_key1 == NULL || priv_key2 == NULL)
+-			return (false);
+-		if (BN_cmp(priv_key1, priv_key2) != 0)
+-			return (false);
++		if (priv_key1 == NULL || priv_key2 == NULL ||
++                BN_cmp(priv_key1, priv_key2) != 0)
++			DST_RET(false);
+ 	}
+-	return (true);
++err:
++	return (ret);
+ }
+ 
+ static bool
+ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+-	DH *dh1, *dh2;
++	bool ret = true;
++       DH *dh1, *dh2;
+ 	const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+ 
+ 	dh1 = key1->keydata.dh;
+@@ -234,8 +237,10 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	DH_get0_pqg(dh2, &p2, NULL, &g2);
+ 
+ 	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0)
+-		return (false);
+-	return (true);
++		DST_RET(false);
++
++err:
++	return (ret);
+ }
+ 
+ #if OPENSSL_VERSION_NUMBER > 0x00908000L
+@@ -393,7 +398,8 @@ uint16_fromregion(isc_region_t *region) {
+ 
+ static isc_result_t
+ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+-	DH *dh;
++	isc_result_t ret = ISC_R_SUCCESS;
++    DH *dh;
+ 	const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+ 	isc_region_t r;
+ 	uint16_t dnslen, plen, glen, publen;
+@@ -420,7 +426,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 	publen = BN_num_bytes(pub_key);
+ 	dnslen = plen + glen + publen + 6;
+ 	if (r.length < (unsigned int) dnslen)
+-		return (ISC_R_NOSPACE);
++		DST_RET(ISC_R_NOSPACE);
+ 
+ 	uint16_toregion(plen, &r);
+ 	if (plen == 1) {
+@@ -445,7 +451,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
+-	return (ISC_R_SUCCESS);
++err:
++	return (ret);
+ }
+ 
+ static isc_result_t
+@@ -659,7 +666,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	DH *dh = NULL;
+ 	BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
+ 	isc_mem_t *mctx;
+-#define DST_RET(a) {ret = a; goto err;}
+ 
+ 	UNUSED(pub);
+ 	mctx = key->mctx;
+-- 
+2.23.0
+

backport-CVE-2022-38177.patch

@@ -0,0 +1,24 @@
+From 5b2282afff760b1ed3471f6666bdfe8e1d34e590 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH] Free eckey on siglen mismatch
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index e9ea5ea..6a34981 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ECDSA384SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ 		DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+2.23.0
+

backport-CVE-2022-38178.patch

@@ -0,0 +1,26 @@
+From 1af23378ebb11da2eb0f412e4563d6c4165fbd3d Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH] Free ctx on invalid siglen
+
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+---
+ lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 76c7737..747c7a4 100644
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ED448SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	isc_buffer_usedregion(buf, &tbsreg);
+ 
+-- 
+2.23.0
+

bind.spec

@@ -19,7 +19,7 @@ Name:           bind
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPLv2.0
 Version:        9.11.21
-Release:        13
+Release:        14
 Epoch:          32
 Url:            http://www.isc.org/products/BIND/
 Source0:        https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
@@ -235,7 +235,11 @@ Patch6060: backport-0060-Update-init_count-atomically-to-silence-tsan-errors.pat
 Patch6061: backport-0061-Refactored-dns_message_t-for-using-attach-detach-sem.patch
 Patch6062: backport-0062-Fix-invalid-dns-message-state-in-resolver-s-logic.patch
 Patch6063: backport-0063-Properly-handling-dns_message_t-shared-references.patch
-
+Patch6064: backport-CVE-2022-2795.patch
+Patch6065: backport-CVE-2022-2881.patch
+Patch6066: backport-CVE-2022-2906.patch
+Patch6067: backport-CVE-2022-38177.patch
+Patch6068: backport-CVE-2022-38178.patch
 %description
 Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
 System (DNS) protocols and provides an openly redistributable reference
@@ -510,6 +514,11 @@ cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
 %patch6061 -p1
 %patch6062 -p1
 %patch6063 -p1
+%patch6064 -p1
+%patch6065 -p1
+%patch6066 -p1
+%patch6067 -p1
+%patch6068 -p1
 
 %patch199 -p1
 
@@ -1291,6 +1300,12 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Tue Oct 11 2022 huangyu <huangyu106@huawei.com> - 32:9.11.21-14
+- Type:CVE
+- ID:CVE-2022-2906 CVE-2022-38177 CVE-2022-38178 CVE-2022-2795 CVE-2022-2881
+- SUG:NA
+- DESC:FIX CVE-2022-2906CVE-2022-38177CVE-2022-38178CVE-2022-2795CVE-2022-2881
+
 * Sat Sep 03 2022 jiangheng <jiangheng12@huawei.com> - 32:9.11.21-13
 - Type:bugfix
 - ID:NA