packages/bind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix:CVE-2023-3341

Browse Source
This commit is contained in:
zhanghao 2023-09-26 10:45:58 +08:00 committed by yinbin
parent 477ce02583
commit a9e7ccccc5
2 changed files with 182 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

172
backport-CVE-2023-3341.patch Normal file
View File

@ -0,0 +1,172 @@
From 820b0cceef0b67b041973da4041ea53d5e276363 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 20 Jun 2023 15:21:36 +1000
Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
Named and rndc do not need a lot of recursion so the depth is
set to 10.
---
lib/isccc/cc.c | 41 +++++++++++++++++++++++---------
lib/isccc/include/isccc/result.h | 4 +++-
lib/isccc/result.c | 4 +++-
3 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index c314d76..54ff3c6 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -54,6 +54,11 @@
#define MAX_TAGS 256
#define DUP_LIFETIME 900
+#ifndef ISCCC_MAXDEPTH
+#define ISCCC_MAXDEPTH \
+ 10 /* Big enough for rndc which just sends a string each way. */
+#endif
+
typedef isccc_sexpr_t *sexpr_ptr;
#ifndef PK11_MD5_DISABLE
@@ -573,19 +578,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
static isc_result_t
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- uint32_t algorithm, isccc_sexpr_t **alistp);
+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
+list_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **listp);
static isc_result_t
-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+value_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **valuep) {
unsigned int msgtype;
uint32_t len;
isccc_sexpr_t *value;
isccc_region_t active;
isc_result_t result;
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
if (REGION_SIZE(*source) < 1 + 4)
return (ISC_R_UNEXPECTEDEND);
GET8(msgtype, source->rstart);
@@ -603,9 +614,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
} else
result = ISC_R_NOMEMORY;
} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
- result = table_fromwire(&active, NULL, 0, valuep);
+ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
else if (msgtype == ISCCC_CCMSGTYPE_LIST)
- result = list_fromwire(&active, valuep);
+ result = list_fromwire(&active, depth + 1, valuep);
else
result = ISCCC_R_SYNTAX;
@@ -614,8 +625,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
static isc_result_t
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- uint32_t algorithm, isccc_sexpr_t **alistp)
-{
+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) {
char key[256];
uint32_t len;
isc_result_t result;
@@ -625,6 +635,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
REQUIRE(alistp != NULL && *alistp == NULL);
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
checksum_rstart = NULL;
first_tag = true;
alist = isccc_alist_create();
@@ -640,7 +654,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
GET_MEM(key, len, source->rstart);
key[len] = '\0'; /* Ensure NUL termination. */
value = NULL;
- result = value_fromwire(source, &value);
+ result = value_fromwire(source, depth + 1, &value);
if (result != ISC_R_SUCCESS)
goto bad;
if (isccc_alist_define(alist, key, value) == NULL) {
@@ -673,14 +687,19 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
}
static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
+list_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **listp) {
isccc_sexpr_t *list, *value;
isc_result_t result;
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
list = NULL;
while (!REGION_EMPTY(*source)) {
value = NULL;
- result = value_fromwire(source, &value);
+ result = value_fromwire(source, depth + 1, &value);
if (result != ISC_R_SUCCESS) {
isccc_sexpr_free(&list);
return (result);
@@ -711,7 +730,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
if (version != 1)
return (ISCCC_R_UNKNOWNVERSION);
- return (table_fromwire(source, secret, algorithm, alistp));
+ return (table_fromwire(source, secret, algorithm, 0, alistp));
}
static isc_result_t
diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
index 6ff81ad..ef2cfe0 100644
--- a/lib/isccc/include/isccc/result.h
+++ b/lib/isccc/include/isccc/result.h
@@ -47,8 +47,10 @@
#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
/*% Duplicate */
#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
+/*% Maximum recursion depth */
+#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
-#define ISCCC_R_NRESULTS 6 /*%< Number of results */
+#define ISCCC_R_NRESULTS 7 /*%< Number of results */
ISC_LANG_BEGINDECLS
diff --git a/lib/isccc/result.c b/lib/isccc/result.c
index 75f5ade..7d88fbc 100644
--- a/lib/isccc/result.c
+++ b/lib/isccc/result.c
@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
"bad auth", /* 3 */
"expired", /* 4 */
"clock skew", /* 5 */
- "duplicate" /* 6 */
+ "duplicate", /* 6 */
+ "max depth" /* 7 */
};
static const char *ids[ISCCC_R_NRESULTS] = {
@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
"ISCCC_R_EXPIRED",
"ISCCC_R_CLOCKSKEW",
"ISCCC_R_DUPLICATE",
+ "ISCCC_R_MAXDEPTH"
};
#define ISCCC_RESULT_RESULTSET 2
--
2.27.0

11
bind.spec
View File

@ -19,7 +19,7 @@ Name: bind
Summary: Domain Name System (DNS) Server (named) Summary: Domain Name System (DNS) Server (named)
License: MPLv2.0 License: MPLv2.0
Version: 9.11.21 Version: 9.11.21
Release: 16 Release: 17
Epoch: 32 Epoch: 32
Url: http://www.isc.org/products/BIND/ Url: http://www.isc.org/products/BIND/
Source0: https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz Source0: https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
@ -243,6 +243,8 @@ Patch6068: backport-CVE-2022-38178.patch
Patch6069: backport-CVE-2023-2828.patch Patch6069: backport-CVE-2023-2828.patch
Patch6070: backport-CVE-2023-3341.patch
%description %description
Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
System (DNS) protocols and provides an openly redistributable reference System (DNS) protocols and provides an openly redistributable reference
@ -524,6 +526,7 @@ cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
%patch6068 -p1 %patch6068 -p1
%patch6069 -p1 %patch6069 -p1
%patch6070 -p1
%patch199 -p1 %patch199 -p1
@ -1305,6 +1308,12 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog %changelog
* Tue Sep 26 2023 zhanghao <zhanghao383@huawei.com> - 32:9.11.21-17
- Type:CVE
- ID:CVE-2023-3341
- SUG:NA
- DESC:FIX CVE-2023-3341
* Mon Jun 26 2023 zhanghao <zhanghao383@huawei.com> - 32:9.11.21-16 * Mon Jun 26 2023 zhanghao <zhanghao383@huawei.com> - 32:9.11.21-16
- Type:CVE - Type:CVE
- ID:CVE-2023-2828 - ID:CVE-2023-2828