Control: tags 868952 + patch
Control: tags 868952 + pending
Dear maintainer,
I've prepared an NMU for bind9 (versioned as 1:9.10.3.dfsg.P4-12.5) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
diff -Nru bind9-9.10.3.dfsg.P4/debian/changelog bind9-9.10.3.dfsg.P4/debian/changelog
--- bind9-9.10.3.dfsg.P4/debian/changelog 2017-07-16 22:13:21.0 +0200
+++ bind9-9.10.3.dfsg.P4/debian/changelog 2017-07-21 22:28:32.0 +0200
@@ -1,3 +1,13 @@
+bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
+signed TCP message sequences where not all the messages contain TSIG
+records. These may be used in AXFR and IXFR responses.
+(Closes: #868952)
+
+ -- Salvatore Bonaccorso Fri, 21 Jul 2017 22:28:32 +0200
+
bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
* Non-maintainer upload.
diff -Nru bind9-9.10.3.dfsg.P4/debian/patches/4647.-bug-Change-4643-broke-verification-of-TSIG-sig.patch bind9-9.10.3.dfsg.P4/debian/patches/4647.-bug-Change-4643-broke-verification-of-TSIG-sig.patch
--- bind9-9.10.3.dfsg.P4/debian/patches/4647.-bug-Change-4643-broke-verification-of-TSIG-sig.patch 1970-01-01 01:00:00.0 +0100
+++ bind9-9.10.3.dfsg.P4/debian/patches/4647.-bug-Change-4643-broke-verification-of-TSIG-sig.patch 2017-07-21 22:28:32.0 +0200
@@ -0,0 +1,565 @@
+From e66fca127cd907e73ca7accd49e42d7a24503242 Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Fri, 7 Jul 2017 23:19:05 +1000
+Subject: [PATCH] 4647. [bug] Change 4643 broke verification of
+ TSIG signed TCP message sequences where not all the
+ messages contain TSIG records. These may be used in
+ AXFR and IXFR responses. [RT #45509]
+
+---
+ lib/dns/tests/Makefile.in | 7 +
+ lib/dns/tests/tsig_test.c | 489 ++
+ lib/dns/tsig.c| 10 +-
+ 4 files changed, 509 insertions(+), 2 deletions(-)
+ create mode 100644 lib/dns/tests/tsig_test.c
+
+
+--- a/lib/dns/tests/Makefile.in
b/lib/dns/tests/Makefile.in
+@@ -57,6 +57,7 @@ SRCS = db_test.c \
+ rdataset_test.c \
+ rdatasetstats_test.c \
+ time_test.c \
++ tsig_test.c \
+ update_test.c \
+ zonemgr_test.c \
+ zt_test.c
+@@ -81,6 +82,7 @@ TARGETS = db_test@EXEEXT@ \
+ rdataset_test@EXEEXT@ \
+ rdatasetstats_test@EXEEXT@ \
+ time_test@EXEEXT@ \
++ tsig_test@EXEEXT@ \
+ update_test@EXEEXT@ \
+ zonemgr_test@EXEEXT@ \
+ zt_test@EXEEXT@
+@@ -206,6 +208,11 @@ dh_test@EXEEXT@: dh_test.@O@ dnstest.@O@
+ dh_test.@O@ dnstest.@O@ ${DNSLIBS} \
+ ${ISCLIBS} ${LIBS}
+
++tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
++ tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \
++ ${ISCLIBS} ${LIBS}
++
+ unit::
+ sh ${top_srcdir}/unit/unittest.sh
+
+--- /dev/null
b/lib/dns/tests/tsig_test.c
+@@ -0,0 +1,489 @@
++/*
++ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ */
++
++/* ! \file */
++
++#include
++#include
++#include
++
++#include
++#include
++#include
++
++#include "dnstest.h"
++
++#ifdef HAVE_INTTYPES_H
++#include /* uintptr_t */
++#endif
++
++static int debug = 0;
++
++static isc_result_t
++add_mac(dst_context_t *tsigctx, isc_buffer_t *buf) {
++ dns_rdata_any_tsig_t tsig;
++ dns_rdata_t rdata = DNS_RDATA_INIT;
++ isc_buffer_t databuf;
++ isc_region_t r;
++ isc_result_t result;
++ unsigned char tsigbuf[1024];
++
++ isc_buffer_usedregion(buf, &r);
++ dns_rdata_fromregion(&rdata, dns_rdataclass_any,
++ dns_rdatatype_tsig, &r);
++ isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
++ CHECK(dns_rdata_tostruct(&rdata, &tsig, NULL));
++ isc_buffer_putuint16(&databuf, tsig.siglen);
++ isc_buffer_putmem(&databuf, tsig.signature, tsig.siglen);
++ isc_buffer_usedregion(&databuf, &r);
++ result = dst_context_adddata(tsigctx, &r);
++ dns_rdata_freestruct(&tsig);
++ cleanup:
++ return (result);
++}
++
++static isc_result_t
++add_tsig(dst_context_t *tsigctx, dns_tsigkey_t *key, isc_buffer_t *target) {
++ dns_compress_t cctx;
++ dns_rdata_any_tsig_t tsig;
++ dns_rdata_t rdata = DNS_RDATA_INIT;
++ dns_rdatalist_t rdatalist;
++ dns_rdataset_t rdataset;
++ isc_buffer_t *dynbuf = NULL;
++ isc_buffer_t databuf;
++ isc_buffer_t sigbuf;
++ isc_region_t r;
++ isc_result_t result = ISC_R_SUCCESS;
++ isc_stdtime_t now;
++ unsigned char tsigbuf[1024];
++ unsigned int count;
++ unsigned int sigsize;
++ isc_boolean_t invalidate_ctx = ISC_FALSE;
++
++ CHECK(dns_compress_init(&cctx, -1, mctx));
++ invalidate_ctx = ISC_TRUE;
++
++ memset(&tsig, 0, size