Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Hi Please unblock package bind9 (it builds udeb's so would need an ack from kibi as well). It fixes CVE-2019-6471, #930746 ("A race condition when discarding malformed packets can cause BIND to exit with an assertion failure"). I realize this is very short before the last date possible for unblock requests. unblock bind9/1:9.11.5.P4+dfsg-5.1 Regards, Salvatore
diff -Nru bind9-9.11.5.P4+dfsg/debian/changelog bind9-9.11.5.P4+dfsg/debian/changelog --- bind9-9.11.5.P4+dfsg/debian/changelog 2019-05-03 19:44:57.000000000 +0200 +++ bind9-9.11.5.P4+dfsg/debian/changelog 2019-06-21 11:24:31.000000000 +0200 @@ -1,3 +1,11 @@ +bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high + + * Non-maintainer upload. + * move item_out test inside lock in dns_dispatch_getnext() (CVE-2019-6471) + (Closes: #930746) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 21 Jun 2019 11:24:31 +0200 + bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ. diff -Nru bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch --- bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch 1970-01-01 01:00:00.000000000 +0100 +++ bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch 2019-06-21 11:24:31.000000000 +0200 @@ -0,0 +1,56 @@ +From: Mark Andrews <ma...@isc.org> +Date: Tue, 19 Mar 2019 14:14:21 +1100 +Subject: move item_out test inside lock in dns_dispatch_getnext() +Origin: https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb80d4a609b86427406d9dd783199920b5b +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6471 +Bug-Debian: https://bugs.debian.org/930746 + +(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712) +--- + lib/dns/dispatch.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c +index 408beda3679d..3278db4a07c2 100644 +--- a/lib/dns/dispatch.c ++++ b/lib/dns/dispatch.c +@@ -134,7 +134,7 @@ struct dns_dispentry { + isc_task_t *task; + isc_taskaction_t action; + void *arg; +- bool item_out; ++ bool item_out; + dispsocket_t *dispsocket; + ISC_LIST(dns_dispatchevent_t) items; + ISC_LINK(dns_dispentry_t) link; +@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) { + disp = resp->disp; + REQUIRE(VALID_DISPATCH(disp)); + +- REQUIRE(resp->item_out == true); +- resp->item_out = false; +- + ev = *sockevent; + *sockevent = NULL; + + LOCK(&disp->lock); ++ ++ REQUIRE(resp->item_out == true); ++ resp->item_out = false; ++ + if (ev->buffer.base != NULL) + free_buffer(disp, ev->buffer.base, ev->buffer.length); + free_devent(disp, ev); +@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, + isc_task_send(disp->task[0], &disp->ctlevent); + } + ++/* ++ * disp must be locked. ++ */ + static void + do_cancel(dns_dispatch_t *disp) { + dns_dispatchevent_t *ev; +-- +2.20.1 + diff -Nru bind9-9.11.5.P4+dfsg/debian/patches/series bind9-9.11.5.P4+dfsg/debian/patches/series --- bind9-9.11.5.P4+dfsg/debian/patches/series 2019-05-03 19:44:57.000000000 +0200 +++ bind9-9.11.5.P4+dfsg/debian/patches/series 2019-06-21 11:24:31.000000000 +0200 @@ -12,3 +12,4 @@ 0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch 0013-Replace-atomic-operations-in-bin-named-client.c-with.patch 0014-Disable-broken-Ed448-support.patch +0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch