diff options
author | ToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp> | 2020-03-30 09:24:26 +0900 |
---|---|---|
committer | ToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp> | 2020-03-30 09:24:26 +0900 |
commit | 5b80bfd7bffd4c20d80b7c70a7130529e9a755dd (patch) | |
tree | b4bb18dcd1487dbf1ea8127e5671b7bb2eded033 /external/poky/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch | |
parent | 706ad73eb02caf8532deaf5d38995bd258725cb8 (diff) |
agl-basesystem
Diffstat (limited to 'external/poky/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch')
-rw-r--r-- | external/poky/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/external/poky/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch b/external/poky/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch new file mode 100644 index 00000000..7a2ba7ea --- /dev/null +++ b/external/poky/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch @@ -0,0 +1,72 @@ +Upstream-Status: Backport [https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740] + +CVE: CVE-2018-5740 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> + +diff --git a/CHANGES b/CHANGES +index 750b600..3d8d655 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -1,3 +1,9 @@ ++ --- 9.11.4-P1 released --- ++ ++4997. [security] named could crash during recursive processing ++ of DNAME records when "deny-answer-aliases" was ++ in use. (CVE-2018-5740) [GL #387] ++ + --- 9.11.4 released --- + + --- 9.11.4rc2 released --- +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 8f674a2..41d1385 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, + unsigned int nlabels; + dns_fixedname_t fixed; + dns_name_t prefix; ++ int order; + + REQUIRE(rdataset != NULL); + REQUIRE(rdataset->type == dns_rdatatype_cname || +@@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, + tname = &cname.cname; + break; + case dns_rdatatype_dname: ++ if (dns_name_fullcompare(qname, rname, &order, &nlabels) != ++ dns_namereln_subdomain) ++ { ++ return (ISC_TRUE); ++ } + result = dns_rdata_tostruct(&rdata, &dname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_name_init(&prefix, NULL); + tname = dns_fixedname_initname(&fixed); +- nlabels = dns_name_countlabels(qname) - +- dns_name_countlabels(rname); ++ nlabels = dns_name_countlabels(rname); + dns_name_split(qname, nlabels, &prefix, NULL); + result = dns_name_concatenate(&prefix, &dname.dname, tname, + NULL); +- if (result == DNS_R_NAMETOOLONG) ++ if (result == DNS_R_NAMETOOLONG) { ++ if (chainingp != NULL) { ++ *chainingp = ISC_TRUE; ++ } + return (ISC_TRUE); ++ } + RUNTIME_CHECK(result == ISC_R_SUCCESS); + break; + default: +@@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) { + } + if ((ardataset->type == dns_rdatatype_cname || + ardataset->type == dns_rdatatype_dname) && +- !is_answertarget_allowed(fctx, qname, aname, ardataset, ++ type != ardataset->type && ++ type != dns_rdatatype_any && ++ !is_answertarget_allowed(fctx, qname, aname, ardataset, + NULL)) + { + return (DNS_R_SERVFAIL); |