* [PATCH] bind: fix CVE-2020-8625
@ 2021-03-01 7:51 Minjae Kim
0 siblings, 0 replies; only message in thread
From: Minjae Kim @ 2021-03-01 7:51 UTC (permalink / raw)
To: openembedded-core; +Cc: Minjae Kim
BIND Operational Notification: Zone journal (.jnl) file incompatibility
Upstream-Status: Acepted [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch]
CVE: CVE-2020-8625
Signed-off-by: Minjae Kim <flowergom@gmail.com>
---
.../bind/bind/CVE-2020-8625.patch | 41 +++++++++++++++++++
.../recipes-connectivity/bind/bind_9.11.22.bb | 1 +
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch
new file mode 100644
index 0000000000..9e438e319f
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8625.patch
@@ -0,0 +1,41 @@
+Date: Sat, 20 Feb 2021 02:42:38 +0000
+From: ISC Security Officer <security-officer@....org>
+To: oss-security@...ts.openwall.com
+Cc: ISC Security Officer <security-officer@....org>
+Subject: BIND Operational Notification: Zone journal (.jnl) file
+ incompatibility,after upgrading to BIND 9.16.12 and 9.17
+
+To the packagers and redistributors of BIND --
+
+To our great embarrassment and sincere regret, another serious problem
+has been found affecting servers upgrading to BIND 9.16.12.
+
+If you have not already distributed packages based on 9.16.12 but
+planned to do so, we recommend that you change your plans and instead
+issue an updated package based on 9.16.11 plus the CVE-2020-8625 patch
+found at
+https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch.
+
+If you already HAVE distributed packages based on BIND 9.16.12 -- we are
+really sorry, and here is what you will need to know.
+
+Cathy Almond
+(for ISC Security Officer)
+
+Upstream-Status: Acepted [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch]
+CVE: CVE-2020-8625
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+
+diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
+index e61d1c600f2..753dc8049fa 100644
+--- a/lib/dns/spnego.c
++++ b/lib/dns/spnego.c
+@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
+ return (ASN1_OVERRUN);
+ }
+
+- data->components = malloc(len * sizeof(*data->components));
++ data->components = malloc((len + 1) * sizeof(*data->components));
+ if (data->components == NULL) {
+ return (ENOMEM);
+ }
diff --git a/meta/recipes-connectivity/bind/bind_9.11.22.bb b/meta/recipes-connectivity/bind/bind_9.11.22.bb
index 3b4a299b36..e3b9cacc15 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.22.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.22.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
file://0001-avoid-start-failure-with-bind-user.patch \
+ file://CVE-2020-8625.patch \
"
SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9"
--
2.24.3 (Apple Git-128)
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-03-01 7:51 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-01 7:51 [PATCH] bind: fix CVE-2020-8625 Minjae Kim
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox