[PATCH] bind: patch for CVE-2018-5740

[PATCH] bind: patch for CVE-2018-5740

[changqing.li]

From: Changqing Li <changqing.li@windriver.com>

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 .../bind/bind/CVE-2018-5740.patch                  | 72 ++++++++++++++++++++++
 meta/recipes-connectivity/bind/bind_9.11.4.bb      |  1 +
 2 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
new file mode 100644
index 0000000..9d0945e
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
@@ -0,0 +1,72 @@
+Upstream-Status: backport[https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740]
+
+CVE: CVE-2018-5740
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+diff --git a/CHANGES b/CHANGES
+index 750b600..3d8d655 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,9 @@
++	--- 9.11.4-P1 released ---
++
++4997.	[security]	named could crash during recursive processing
++			of DNAME records when "deny-answer-aliases" was
++			in use. (CVE-2018-5740) [GL #387]
++
+ 	--- 9.11.4 released ---
+ 
+ 	--- 9.11.4rc2 released ---
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8f674a2..41d1385 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+ 	unsigned int nlabels;
+ 	dns_fixedname_t fixed;
+ 	dns_name_t prefix;
++	int order;
+ 
+ 	REQUIRE(rdataset != NULL);
+ 	REQUIRE(rdataset->type == dns_rdatatype_cname ||
+@@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+ 		tname = &cname.cname;
+ 		break;
+ 	case dns_rdatatype_dname:
++		if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
++		    dns_namereln_subdomain)
++		{
++			return (ISC_TRUE);
++		}
+ 		result = dns_rdata_tostruct(&rdata, &dname, NULL);
+ 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ 		dns_name_init(&prefix, NULL);
+ 		tname = dns_fixedname_initname(&fixed);
+-		nlabels = dns_name_countlabels(qname) -
+-			  dns_name_countlabels(rname);
++		nlabels = dns_name_countlabels(rname);
+ 		dns_name_split(qname, nlabels, &prefix, NULL);
+ 		result = dns_name_concatenate(&prefix, &dname.dname, tname,
+ 					      NULL);
+-		if (result == DNS_R_NAMETOOLONG)
++		if (result == DNS_R_NAMETOOLONG) {
++			if (chainingp != NULL) {
++				*chainingp = ISC_TRUE;
++			}
+ 			return (ISC_TRUE);
++		}
+ 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ 		break;
+ 	default:
+@@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) {
+ 		}
+ 		if ((ardataset->type == dns_rdatatype_cname ||
+ 		     ardataset->type == dns_rdatatype_dname) &&
+-		     !is_answertarget_allowed(fctx, qname, aname, ardataset,
++		    type != ardataset->type &&
++		    type != dns_rdatatype_any &&
++		    !is_answertarget_allowed(fctx, qname, aname, ardataset,
+ 					      NULL))
+ 		{
+ 			return (DNS_R_SERVFAIL);
diff --git a/meta/recipes-connectivity/bind/bind_9.11.4.bb b/meta/recipes-connectivity/bind/bind_9.11.4.bb
index d27068c..23c3aad 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.4.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-lib-dns-gen.c-fix-too-long-error.patch \
            file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
            file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
+           file://CVE-2018-5740.patch \
 "
 
 SRC_URI[md5sum] = "9b4834d78f30cdb796ce437262272a36"
-- 
2.7.4

✗ patchtest: failure for bind: patch for CVE-2018-5740

[Patchwork]

== Series Details ==

Series: bind: patch for CVE-2018-5740
Revision: 1
URL   : https://patchwork.openembedded.org/series/13987/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Upstream-Status is in incorrect format [test_upstream_status_presence_format] 
  Suggested fix    Fix Upstream-Status format in CVE-2018-5740.patch
  Current          Upstream-Status: backport[https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740]
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe