OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 07-Sep-2006 08:32:30
Branch: OPENPKG_2_5_SOLID Handle: 2006090707322601
Added files: (Branch: OPENPKG_2_5_SOLID)
openpkg-src/bind bind.patch
Modified files: (Branch: OPENPKG_2_5_SOLID)
openpkg-src/bind bind.spec
Log:
MFC: apply vendor security fixes (CVE-2006-4095, CVE-2006-4096)
Summary:
Revision Changes Path
1.5.12.1 +150 -0 openpkg-src/bind/bind.patch
1.107.2.2 +3 -1 openpkg-src/bind/bind.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/bind/bind.patch
============================================================================
$ cvs diff -u -r0 -r1.5.12.1 bind.patch
--- /dev/null 2006-09-07 08:32:15 +0200
+++ bind.patch 2006-09-07 08:32:28 +0200
@@ -0,0 +1,150 @@
+Security Fixes (BIND 9.3.2-P1):
+- SIG Query Processing (CVE-2006-4095)
+- Excessive Recursive Queries INSIST failure (CVE-2006-4096)
+
+Index: bin/named/query.c
+--- bin/named/query.c.orig 2005-08-11 07:25:20 +0200
++++ bin/named/query.c 2006-09-07 08:14:50 +0200
+@@ -2393,7 +2393,7 @@
+ is_zone = ISC_FALSE;
+
+ qtype = event->qtype;
+- if (qtype == dns_rdatatype_rrsig)
++ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
+ type = dns_rdatatype_any;
+ else
+ type = qtype;
+@@ -2434,7 +2434,7 @@
+ /*
+ * If it's a SIG query, we'll iterate the node.
+ */
+- if (qtype == dns_rdatatype_rrsig)
++ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
+ type = dns_rdatatype_any;
+ else
+ type = qtype;
+Index: lib/dns/resolver.c
+--- lib/dns/resolver.c.orig 2005-10-14 03:38:48 +0200
++++ lib/dns/resolver.c 2006-09-07 08:14:50 +0200
+@@ -762,7 +762,8 @@
+ INSIST(result != ISC_R_SUCCESS ||
+ dns_rdataset_isassociated(event->rdataset) ||
+ fctx->type == dns_rdatatype_any ||
+- fctx->type == dns_rdatatype_rrsig);
++ fctx->type == dns_rdatatype_rrsig ||
++ fctx->type == dns_rdatatype_sig);
+
+ isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
+ }
+@@ -3188,7 +3189,8 @@
+ if (hevent != NULL) {
+ if (!negative && !chaining &&
+ (fctx->type == dns_rdatatype_any ||
+- fctx->type == dns_rdatatype_rrsig)) {
++ fctx->type == dns_rdatatype_rrsig ||
++ fctx->type == dns_rdatatype_sig)) {
+ /*
+ * Don't bind rdatasets; the caller
+ * will iterate the node.
+@@ -3306,7 +3308,8 @@
+ if (!ISC_LIST_EMPTY(fctx->validators)) {
+ INSIST(!negative);
+ INSIST(fctx->type == dns_rdatatype_any ||
+- fctx->type == dns_rdatatype_rrsig);
++ fctx->type == dns_rdatatype_rrsig ||
++ fctx->type == dns_rdatatype_sig);
+ /*
+ * Don't send a response yet - we have
+ * more rdatasets that still need to
+@@ -3455,14 +3458,15 @@
+ return (result);
+ anodep = &event->node;
+ /*
+- * If this is an ANY or SIG query, we're not going
+- * to return any rdatasets, unless we encountered
++ * If this is an ANY, SIG or RRSIG query, we're not
++ * going to return any rdatasets, unless we encountered
+ * a CNAME or DNAME as "the answer". In this case,
+ * we're going to return DNS_R_CNAME or DNS_R_DNAME
+ * and we must set up the rdatasets.
+ */
+ if ((fctx->type != dns_rdatatype_any &&
+- fctx->type != dns_rdatatype_rrsig) ||
++ fctx->type != dns_rdatatype_rrsig &&
++ fctx->type != dns_rdatatype_sig) ||
+ (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
+ ardataset = event->rdataset;
+ asigrdataset = event->sigrdataset;
+@@ -3521,7 +3525,7 @@
+ */
+ if (secure_domain && rdataset->trust != dns_trust_glue) {
+ /*
+- * SIGs are validated as part of validating the
++ * RRSIGs are validated as part of validating the
+ * type they cover.
+ */
+ if (rdataset->type == dns_rdatatype_rrsig)
+@@ -3591,7 +3595,8 @@
+
+ if (ANSWER(rdataset) && need_validation) {
+ if (fctx->type != dns_rdatatype_any &&
+- fctx->type != dns_rdatatype_rrsig) {
++ fctx->type != dns_rdatatype_rrsig &&
++ fctx->type != dns_rdatatype_sig) {
+ /*
+ * This is The Answer. We will
+ * validate it, but first we cache
+@@ -3763,23 +3768,28 @@
+ isc_result_t *eresultp)
+ {
+ isc_result_t result;
++ dns_rdataset_t rdataset;
++
++ if (ardataset == NULL) {
++ dns_rdataset_init(&rdataset);
++ ardataset = &rdataset;
++ }
+ result = dns_ncache_add(message, cache, node, covers, now,
+ maxttl, ardataset);
+- if (result == DNS_R_UNCHANGED) {
++ if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
+ /*
+- * The data in the cache are better than the negative cache
+- * entry we're trying to add.
++ * If the cache now contains a negative entry and we
++ * care about whether it is DNS_R_NCACHENXDOMAIN or
++ * DNS_R_NCACHENXRRSET then extract it.
+ */
+- if (ardataset != NULL && ardataset->type == 0) {
++ if (ardataset->type == 0) {
+ /*
+- * The cache data is also a negative cache
+- * entry.
++ * The cache data is a negative cache entry.
+ */
+ if (NXDOMAIN(ardataset))
+ *eresultp = DNS_R_NCACHENXDOMAIN;
+ else
+ *eresultp = DNS_R_NCACHENXRRSET;
+- result = ISC_R_SUCCESS;
+ } else {
+ /*
+ * Either we don't care about the nature of the
+@@ -3791,14 +3801,11 @@
+ * XXXRTH There's a CNAME/DNAME problem here.
+ */
+ *eresultp = ISC_R_SUCCESS;
+- result = ISC_R_SUCCESS;
+ }
+- } else if (result == ISC_R_SUCCESS) {
+- if (NXDOMAIN(ardataset))
+- *eresultp = DNS_R_NCACHENXDOMAIN;
+- else
+- *eresultp = DNS_R_NCACHENXRRSET;
++ result = ISC_R_SUCCESS;
+ }
++ if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
++ dns_rdataset_disassociate(ardataset);
+
+ return (result);
+ }
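Review bot: The patch header at the top of the hunk labels these fixes "BIND 9.3.2-P1" while the spec the patch is applied to still builds `Version: 9.3.1`, so a reader of the file alone cannot tell whether this is the upstream diff or a backport; the 2005 `.orig` timestamps in the nested file headers suggest the latter. I would extend the header to say so and to tie each nested file to its advisory, e.g. `Security fixes from BIND 9.3.2-P1, backported onto 9.3.1:` followed by `- bin/named/query.c and lib/dns/resolver.c SIG-type handling: CVE-2006-4095` and `- lib/dns/resolver.c ncache_adderesult(): CVE-2006-4096` (that per-CVE mapping is my reading of the hunks and should be confirmed against the vendor advisory). The ncache_adderesult() change itself looks consistent: the local `rdataset` is adopted only when the caller passed NULL, and the closing `ardataset == &rdataset` test keeps the disassociate from touching a caller-owned rdataset; note that the function's signature begins outside the nested hunk.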
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/bind/bind.spec
============================================================================
$ cvs diff -u -r1.107.2.1 -r1.107.2.2 bind.spec
--- openpkg-src/bind/bind.spec 11 Oct 2005 12:49:25 -0000
1.107.2.1
+++ openpkg-src/bind/bind.spec 7 Sep 2006 06:32:27 -0000
1.107.2.2
@@ -33,7 +33,7 @@
Group: DNS
License: ISC
Version: 9.3.1
-Release: 2.5.0
+Release: 2.5.1
# list of sources
Source0: ftp://ftp.isc.org/isc/bind9/%{version}/bind-%{version}.tar.gz
@@ -45,6 +45,7 @@
Source7: named.conf
Source8: rndc.conf
Source9: rc.bind
+Patch0: bind.patch
# build information
Prefix: %{l_prefix}
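Review bot: The new `Patch0: bind.patch` line records nothing about what the patch fixes, and no changelog section is visible in this diff, so the only trace of the two advisories is the commit log. A comment line directly above it would keep that in the package itself, e.g. `# vendor security fixes for CVE-2006-4095 and CVE-2006-4096`, and the Release bump in the previous hunk then reads as the security rebuild it is.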
@@ -76,6 +77,7 @@
%prep
%setup -q
+ %patch -p0
%{l_shtool} subst \
-e '/LINENO: error: C[+]* preprocessor/{N;N;N;N;s/.*/:/;}' \
configure
@@ .