Hello community,

here is the log from the commit of package bind for openSUSE:Factory checked in 
at 2016-11-03 11:11:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bind (Old)
 and      /work/SRC/openSUSE:Factory/.bind.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bind"

Changes:
--------
--- /work/SRC/openSUSE:Factory/bind/bind.changes        2016-09-28 
02:38:17.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.bind.new/bind.changes   2016-11-03 
11:11:18.000000000 +0100
@@ -1,0 +2,5 @@
+Tue Nov  1 21:24:31 UTC 2016 - psim...@suse.com
+
+- Apply cve-2016-8864.patch to fix CVE-2016-8864 (bsc#1007829).
+
+-------------------------------------------------------------------

New:
----
  cve-2016-8864.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bind.spec ++++++
--- /var/tmp/diff_new_pack.FUWHHb/_old  2016-11-03 11:11:20.000000000 +0100
+++ /var/tmp/diff_new_pack.FUWHHb/_new  2016-11-03 11:11:20.000000000 +0100
@@ -46,6 +46,7 @@
 Patch101:       runidn.diff
 Patch102:       idnkit-powerpc-ltconfig.patch
 Patch103:       cve-2016-2776.patch
+Patch104:       cve-2016-8864.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libmysqlclient-devel
@@ -378,6 +379,7 @@
 %patch101 -p1
 %patch102 -p1
 %patch103 -p1
+%patch104 -p1
 
 # use the year from source gzip header instead of current one to make 
reproducible rpms
 year=$(perl -e 'sysread(STDIN, $h, 8); print 
(1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{S:0})



++++++ cve-2016-8864.patch ++++++
Index: bind-9.10.3-P4/lib/dns/resolver.c
===================================================================
--- bind-9.10.3-P4.orig/lib/dns/resolver.c      2016-11-01 22:26:50.371704363 
+0100
+++ bind-9.10.3-P4/lib/dns/resolver.c   2016-11-01 22:26:54.311721418 +0100
@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddri
        valarg->addrinfo = addrinfo;
 
        if (!ISC_LIST_EMPTY(fctx->validators))
-               INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
+               valoptions |= DNS_VALIDATOR_DEFER;
+       else
+               valoptions &= ~DNS_VALIDATOR_DEFER;
 
        result = dns_validator_create(fctx->res->view, name, type, rdataset,
                                      sigrdataset, fctx->rmessage,
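Review bot: The new flag assignment in valcreate() carries no comment, while the explanation that used to sit in cache_name() (later validators are deferred so that several validators do not manipulate fctx->rmessage simultaneously) is deleted by the next hunk. Because the INSIST is replaced by silently overriding whatever the caller passed in `valoptions`, the reason should be recorded at the new site, for example `/* Only the first validator may run immediately; defer the rest so they do not manipulate fctx->rmessage simultaneously. */`. It is also worth stating in that comment that the caller's DNS_VALIDATOR_DEFER bit is now ignored and recomputed here. The body of valcreate() starts and ends outside the hunk.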
@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t
                                                           rdataset,
                                                           sigrdataset,
                                                           valoptions, task);
-                                       /*
-                                        * Defer any further validations.
-                                        * This prevents multiple validators
-                                        * from manipulating fctx->rmessage
-                                        * simultaneously.
-                                        */
-                                       valoptions |= DNS_VALIDATOR_DEFER;
                                }
                        } else if (CHAINING(rdataset)) {
                                if (rdataset->type == dns_rdatatype_cname)
@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t
                                       eresult == DNS_R_NCACHENXRRSET);
                        }
                        event->result = eresult;
+                       if (adbp != NULL && *adbp != NULL) {
+                               if (anodep != NULL && *anodep != NULL)
+                                       dns_db_detachnode(*adbp, anodep);
+                               dns_db_detach(adbp);
+                       }
                        dns_db_attach(fctx->cache, adbp);
                        dns_db_transfernode(fctx->cache, &node, anodep);
                        clone_results(fctx);
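Review bot: The block that releases references already held in `*adbp` and `*anodep` is pasted identically here and in the ncache_message() hunk below, and neither copy says why the event can already hold a database and node at this point. The guard tests `adbp != NULL`, yet the next line passes `adbp` to dns_db_attach() unconditionally, so either the NULL test is redundant or the attach needs the same guard. That should be confirmed against the code that sets `adbp`, which is outside the hunk. A small static helper with a comment would keep the two sites in step, as sketched below.

```c
/*
 * Drop any database/node references the fetch event still holds, so
 * that the attach/transfernode that follows starts from empty targets.
 */
static void
detach_event_db(dns_db_t **adbp, dns_dbnode_t **anodep) {
	if (adbp == NULL || *adbp == NULL)
		return;
	if (anodep != NULL && *anodep != NULL)
		dns_db_detachnode(*adbp, anodep);
	dns_db_detach(adbp);
}

/* ... unchanged: event->result = eresult; ... */
			detach_event_db(adbp, anodep);
			dns_db_attach(fctx->cache, adbp);
/* ... unchanged: dns_db_transfernode() and clone_results() ... */
```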
@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adb
                fctx->attributes |= FCTX_ATTR_HAVEANSWER;
                if (event != NULL) {
                        event->result = eresult;
+                       if (adbp != NULL && *adbp != NULL) {
+                               if (anodep != NULL && *anodep != NULL)
+                                       dns_db_detachnode(*adbp, anodep);
+                               dns_db_detach(adbp);
+                       }
                        dns_db_attach(fctx->cache, adbp);
                        dns_db_transfernode(fctx->cache, &node, anodep);
                        clone_results(fctx);
@@ -6718,13 +6723,15 @@ static isc_result_t
 answer_response(fetchctx_t *fctx) {
        isc_result_t result;
        dns_message_t *message;
-       dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
+       dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
+       dns_name_t *cname = NULL;
        dns_rdataset_t *rdataset, *ns_rdataset;
        isc_boolean_t done, external, chaining, aa, found, want_chaining;
-       isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
+       isc_boolean_t have_answer, found_cname, found_dname, found_type;
+       isc_boolean_t wanted_chaining;
        unsigned int aflag;
        dns_rdatatype_t type;
-       dns_fixedname_t fdname, fqname;
+       dns_fixedname_t fdname, fqname, fqdname;
        dns_view_t *view;
 
        FCTXTRACE("answer_response");
@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
 
        done = ISC_FALSE;
        found_cname = ISC_FALSE;
+       found_dname = ISC_FALSE;
        found_type = ISC_FALSE;
        chaining = ISC_FALSE;
        have_answer = ISC_FALSE;
@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
                aa = ISC_TRUE;
        else
                aa = ISC_FALSE;
-       qname = &fctx->name;
+       dqname = qname = &fctx->name;
        type = fctx->type;
        view = fctx->res->view;
+       dns_fixedname_init(&fqdname);
        result = dns_message_firstname(message, DNS_SECTION_ANSWER);
        while (!done && result == ISC_R_SUCCESS) {
-               dns_namereln_t namereln;
+               dns_namereln_t namereln, dnamereln;
                int order;
                unsigned int nlabels;
 
@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
                dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
                external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
                namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+               dnamereln = dns_name_fullcompare(dqname, name, &order,
+                                                &nlabels);
                if (namereln == dns_namereln_equal) {
                        wanted_chaining = ISC_FALSE;
                        for (rdataset = ISC_LIST_HEAD(name->list);
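Review bot: The second dns_name_fullcompare() call writes into the same `order` and `nlabels` as the first, so from here on both describe the comparison against `dqname`, not `qname`. That looks intended, since a later hunk passes `nlabels` to dname_target() together with `dqname`, but nothing in the code says so, and any use that expects the qname result would silently get the wrong label count. Either add `/* order and nlabels now refer to dqname; dname_target() below relies on that */` or give the second call its own outputs, e.g. `dnamereln = dns_name_fullcompare(dqname, name, &dorder, &dnlabels);`. The loop body continues outside the hunk.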
@@ -6884,9 +6895,16 @@ answer_response(fetchctx_t *fctx) {
                                                 * a CNAME or DNAME).
                                                 */
                                                INSIST(!external);
-                                               if (aflag ==
-                                                   DNS_RDATASETATTR_ANSWER) {
+                                               if ((rdataset->type !=
+                                                    dns_rdatatype_cname) ||
+                                                   !found_dname ||
+                                                   (aflag ==
+                                                    DNS_RDATASETATTR_ANSWER))
+                                               {
                                                        have_answer = ISC_TRUE;
+                                                       if (rdataset->type ==
+                                                           dns_rdatatype_cname)
+                                                               cname = name;
                                                        name->attributes |=
                                                                
DNS_NAMEATTR_ANSWER;
                                                }
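Review bot: The three-way condition that now decides `have_answer` has no comment of its own, and the existing comment above it (only partly visible in the hunk) predates the `found_dname` case. As written, a CNAME that arrives after a DNAME is marked as an answer only when `aflag == DNS_RDATASETATTR_ANSWER`, and `cname = name` is kept so that the later DNAME branch can clear DNS_NAMEATTR_ANSWER again. A comment such as `/* A CNAME seen after a DNAME is an answer only if aflag says so; remember it so a later DNAME can withdraw the flag. */` would make that ordering dependency visible to the next maintainer. The enclosing loop starts and ends outside the hunk.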
@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
                                        return (DNS_R_FORMERR);
                                }
 
-                               if (namereln != dns_namereln_subdomain) {
+                               if (dnamereln != dns_namereln_subdomain) {
                                        char qbuf[DNS_NAME_FORMATSIZE];
                                        char obuf[DNS_NAME_FORMATSIZE];
 
-                                       dns_name_format(qname, qbuf,
+                                       dns_name_format(dqname, qbuf,
                                                        sizeof(qbuf));
                                        dns_name_format(name, obuf,
                                                        sizeof(obuf));
@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
                                        want_chaining = ISC_TRUE;
                                        POST(want_chaining);
                                        aflag = DNS_RDATASETATTR_ANSWER;
-                                       result = dname_target(rdataset, qname,
+                                       result = dname_target(rdataset, dqname,
                                                              nlabels, &fdname);
                                        if (result == ISC_R_NOSPACE) {
                                                /*
@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
 
                                        dname = dns_fixedname_name(&fdname);
                                        if (!is_answertarget_allowed(view,
-                                                       qname, rdataset->type,
-                                                       dname, &fctx->domain)) {
+                                                    dqname, rdataset->type,
+                                                    dname, &fctx->domain))
+                                       {
                                                return (DNS_R_SERVFAIL);
                                        }
+                                       dqname = dns_fixedname_name(&fqdname);
+                                       dns_name_copy(dname, dqname, NULL);
                                } else {
                                        /*
                                         * We've found a signature that
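Review bot: The result of `dns_name_copy(dname, dqname, NULL)` is discarded, so a failed copy would leave `dqname` as the freshly initialised, empty fixed name, and later loop iterations would compare answer names against it. The copy into a dns_fixedname_t is unlikely to fail, but the assumption should be explicit in code that handles attacker-influenced response data: `result = dns_name_copy(dname, dqname, NULL);` followed by `if (result != ISC_R_SUCCESS) return (result);`. If failure is considered impossible, use `RUNTIME_CHECK(dns_name_copy(dname, dqname, NULL) == ISC_R_SUCCESS);` instead. The surrounding branch continues outside the hunk.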
@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
                                        INSIST(!external);
                                        if (aflag == DNS_RDATASETATTR_ANSWER) {
                                                have_answer = ISC_TRUE;
+                                               found_dname = ISC_TRUE;
+                                               if (cname != NULL)
+                                                       cname->attributes &=
+                                                          ~DNS_NAMEATTR_ANSWER;
                                                name->attributes |=
                                                        DNS_NAMEATTR_ANSWER;
                                        }
