import bind-9.16.23-24.el9_5.3

3 days ago · 6ed2d866e8
parent e574c3621d
commit 6ed2d866e8
3 changed files with 276 additions and 57 deletions
--- a/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
+++ b/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
@ -0,0 +1,61 @@
 From cc01143082bc688a371a7378ef284c898eedc9df Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
 Date: Tue, 7 Jan 2025 15:22:40 +0100
 Subject: [PATCH] Isolate using the -T noaa flag only for part of the resolver
 test
 Instead of running the whole resolver/ns4 server with -T noaa flag,
 use it only for the part where it is actually needed.  The -T noaa
 could interfere with other parts of the test because the answers don't
 have the authoritative-answer bit set, and we could have false
 positives (or false negatives) in the test because the authoritative
 server doesn't follow the DNS protocol for all the tests in the resolver
 system test.
 (cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
 ---
 bin/tests/system/resolver/ns4/named.noaa | 5 -----
 bin/tests/system/resolver/tests.sh       | 8 ++++++++
 2 files changed, 8 insertions(+), 5 deletions(-)
 delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
 diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
 deleted file mode 100644
 index 3b121ad..0000000
 --- a/bin/tests/system/resolver/ns4/named.noaa
 +++ /dev/null
@@ -1,5 +0,0 @@
 -Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 -
 -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 -
 -Add -T noaa.
 diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
 index 711ee05..2eae16f 100755
 --- a/bin/tests/system/resolver/tests.sh
 +++ b/bin/tests/system/resolver/tests.sh
@@ -289,6 +289,10 @@ done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 +stop_server resolver ns4
 +touch ns4/named.noaa
 +start_server --noclean --restart --port ${PORT} resolver ns4 || ret=1
 +
 n=`expr $n + 1`
 echo_i "RT21594 regression test check setup ($n)"
 ret=0
@@ -325,6 +329,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 +stop_server resolver ns4
 +rm ns4/named.noaa
 +start_server --noclean --restart --port ${PORT} resolver ns4 || ret=1
 +
 n=`expr $n + 1`
 echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
 ret=0
 -- 
 2.48.1
--- a/SOURCES/bind-9.18-CVE-2024-11187.patch
+++ b/SOURCES/bind-9.18-CVE-2024-11187.patch
@ -0,0 +1,172 @@
 From b095854ee885dd5960cb54e7fbefb962498e9fdb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
 Date: Thu, 14 Nov 2024 10:37:29 +0100
 Subject: [PATCH] Limit the additional processing for large RDATA sets
 When answering queries, don't add data to the additional section if
 the answer has more than 13 names in the RDATA.  This limits the
 number of lookups into the database(s) during a single client query,
 reducing query processing load.
 Also, don't append any additional data to type=ANY queries. The
 answer to ANY is already big enough.
 (cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
 PatchNumber: 47
 ---
 bin/tests/system/additional/tests.sh |  2 +-
 lib/dns/include/dns/rdataset.h       | 12 ++++++++++++
 lib/dns/rbtdb.c                      |  2 +-
 lib/dns/rdataset.c                   | 11 +++++++++++
 lib/ns/query.c                       | 15 ++++++++++-----
 5 files changed, 35 insertions(+), 7 deletions(-)
 diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
 index 025f11f..846c800 100644
 --- a/bin/tests/system/additional/tests.sh
 +++ b/bin/tests/system/additional/tests.sh
@@ -260,7 +260,7 @@ n=`expr $n + 1`
 echo_i "testing with 'minimal-any no;' ($n)"
 ret=0
 $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
 -grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
 +grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
     echo_i "failed"; status=$((status+1))
 fi
 diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
 index f2585ef..54ad7b2 100644
 --- a/lib/dns/include/dns/rdataset.h
 +++ b/lib/dns/include/dns/rdataset.h
@@ -53,6 +53,8 @@
 #include <dns/rdatastruct.h>
 #include <dns/types.h>
 +#define DNS_RDATASET_MAXADDITIONAL 13
 +
 ISC_LANG_BEGINDECLS
 typedef enum {
@@ -458,13 +460,23 @@ dns_rdataset_additionaldata(dns_rdataset_t	   *rdataset,
  *\li	If a call to dns_rdata_additionaldata() is not successful, the
  *	result returned will be the result of dns_rdataset_additionaldata().
  *
 + *\li	If 'limit' is non-zero and the number of the rdatasets is larger
 + *	than 'limit', no additional data will be processed.
 + *
  * Returns:
  *
  *\li	#ISC_R_SUCCESS
  *
 + *\li	#DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
 + *
  *\li	Any error that dns_rdata_additionaldata() can return.
  */
 +isc_result_t
 +dns_rdataset_additionaldata2(dns_rdataset_t	   *rdataset,
 +			     dns_additionaldatafunc_t add, void *arg,
 +			     size_t limit);
 +
 isc_result_t
 dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
 			dns_rdataset_t *neg, dns_rdataset_t *negsig);
 diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
 index ed5015c..7586e2a 100644
 --- a/lib/dns/rbtdb.c
 +++ b/lib/dns/rbtdb.c
@@ -10626,7 +10626,7 @@ no_glue:
 	maybe_rehash_gluetable(rbtversion);
 	idx = hash_32(hash, rbtversion->glue_table_bits);
 -	(void)dns_rdataset_additionaldata(rdataset, glue_nsdname_cb, &ctx);
 +	(void)dns_rdataset_additionaldata2(rdataset, glue_nsdname_cb, &ctx, 0);
 	cur = isc_mem_get(rbtdb->common.mctx, sizeof(*cur));
 diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
 index bf9e7af..ffe6163 100644
 --- a/lib/dns/rdataset.c
 +++ b/lib/dns/rdataset.c
@@ -27,6 +27,7 @@
 #include <dns/ncache.h>
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
 +#include <dns/result.h>
 static const char *trustnames[] = {
 	"none",		  "pending-additional",
@@ -577,6 +578,12 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 isc_result_t
 dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 			    dns_additionaldatafunc_t add, void *arg) {
 +	return dns_rdataset_additionaldata2(rdataset, add, arg, 0);
 +}
 +
 +isc_result_t
 +dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
 +			    dns_additionaldatafunc_t add, void *arg, size_t limit) {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_result_t result;
@@ -588,6 +595,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
 +	if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
 +		return DNS_R_TOOMANYRECORDS;
 +	}
 +
 	result = dns_rdataset_first(rdataset);
 	if (result != ISC_R_SUCCESS) {
 		return (result);
 diff --git a/lib/ns/query.c b/lib/ns/query.c
 index f7b3f78..5bc2908 100644
 --- a/lib/ns/query.c
 +++ b/lib/ns/query.c
@@ -2030,8 +2030,9 @@ addname:
 	 * This cannot go more than MAX_RESTARTS levels deep.
 	 */
 	if (trdataset != NULL && dns_rdatatype_followadditional(type)) {
 -		eresult = dns_rdataset_additionaldata(
 -			trdataset, query_additional_cb, qctx);
 +		eresult = dns_rdataset_additionaldata2(
 +			trdataset, query_additional_cb, qctx,
 +			DNS_RDATASET_MAXADDITIONAL);
 	}
 cleanup:
@@ -2122,7 +2123,8 @@ regular:
 	 * Add other additional data if needed.
 	 * We don't care if dns_rdataset_additionaldata() fails.
 	 */
 -	(void)dns_rdataset_additionaldata(rdataset, query_additional_cb, qctx);
 +	(void)dns_rdataset_additionaldata2(rdataset, query_additional_cb,
 +					   qctx, DNS_RDATASET_MAXADDITIONAL);
 	CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
 }
@@ -2148,7 +2150,8 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
 	 * To the current response for 'client', add the answer RRset
 	 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
 	 * owner name '*namep', to section 'section', unless they are
 -	 * already there.  Also add any pertinent additional data.
 +	 * already there.  Also add any pertinent additional data, unless
 +	 * the query was for type ANY.
 	 *
 	 * If 'dbuf' is not NULL, then '*namep' is the name whose data is
 	 * stored in 'dbuf'.  In this case, query_addrrset() guarantees that
@@ -2203,7 +2206,9 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
 	 */
 	query_addtoname(mname, rdataset);
 	query_setorder(qctx, mname, rdataset);
 -	query_additional(qctx, rdataset);
 +	if (qctx->qtype != dns_rdatatype_any) {
 +		query_additional(qctx, rdataset);
 +	}
 	/*
 	 * Note: we only add SIGs if we've added the type they cover, so
 -- 
 2.48.1
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@ -6,6 +6,8 @@
 # bcond_without is built by default, unless --without X is passed
 # bcond_with is built only when --with X is passed to build
 %bcond_with    SYSTEMTEST
 # enable RSA1 during SYSTEMTEST
 %bcond_with    CRYPTO_POLICY_RSA1
 %bcond_without GSSTSIG
 # it is not possible to build the package without PKCS11 sub-package
 # due to extensive changes to Makefiles
@ -54,7 +56,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  24%{?dist}
+Release:  24%{?dist}.3
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -174,6 +176,9 @@ Patch212: bind-9.16-CVE-2024-1737-types.patch
 Patch213: bind-9.16-CVE-2024-1737-types-test.patch
 # backport issue fix
 Patch214: bind-9.16-CVE-2024-1737-records-test2.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/commit/c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0
 Patch215: bind-9.18-CVE-2024-11187-pre-test.patch
 Patch216: bind-9.18-CVE-2024-11187.patch
 %{?systemd_ordering}
 Requires:       coreutils
@ -216,6 +221,7 @@ BuildRequires:  softhsm
 %if %{with SYSTEMTEST}
 # bin/tests/system dependencies
 BuildRequires:  perl(Net::DNS) perl(Net::DNS::Nameserver) perl(Time::HiRes) perl(Getopt::Long)
 BuildRequires:  perl(English)
 BuildRequires:  python-dns
 # manual configuration requires this tool
 BuildRequires:  iproute
@ -465,69 +471,21 @@ in HTML and PDF format.
 # RHEL does not yet support this verification
 %{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}'
 %endif
-%setup -q
+%autosetup -N
 # Common patches
-%patch10 -p1 -b .PIE
+%autopatch -p1 -m 1 -M 134
-%patch16 -p1 -b .redhat_doc
+# PKCS11 patches 135 136 and 149 are applied later.
-%patch72 -p1 -b .64bit
+%autopatch -p1 -m 150
 %patch106 -p1 -b .rh490837
 %patch112 -p1 -b .rh645544
 %patch130 -p1 -b .libdb
 %patch157 -p1 -b .fips-tests
 %patch164 -p1 -b .rh1666814
 %patch170 -p1 -b .featuretest-named
 %patch171 -p1 -b .test-variant
 %patch172 -p1 -b .CVE-2022-0396
 %patch173 -p1 -b .CVE-2021-25220
 %patch174 -p1 -b .CVE-2021-25220-test
 %patch175 -p1 -b .CVE-2022-3080
 %patch176 -p1 -b .CVE-2022-38177
 %patch177 -p1 -b .CVE-2022-38178
 %patch178 -p1 -b .CVE-2022-2795
 %patch179 -p1 -b .rh2101712
 %patch181 -p1 -b .rh2133889
 %patch182 -p1 -b .CVE-2022-3094
 %patch183 -p1 -b .CVE-2022-3094
 %patch184 -p1 -b .CVE-2022-3094
 %patch185 -p1 -b .CVE-2022-3094-test
 %patch186 -p1 -b .CVE-2022-3736
 %patch187 -p1 -b .CVE-2022-3924
 %patch188 -p1 -b .CVE-2023-2828
 %patch189 -p1 -b .CVE-2023-2911-1
 %patch190 -p1 -b .CVE-2023-2911-2
 %patch191 -p1 -b .CVE-2023-2911-3
 %patch192 -p1 -b .CVE-2023-3341
 %patch193 -p1 -b .b.root-servers.net
 %patch194 -p1 -b .CVE-2023-4408
 %patch195 -p1 -b .CVE-2023-5517
 %patch196 -p1 -b .CVE-2023-5679
 %patch197 -p1 -b .CVE-2023-6516
 %patch198 -p1 -b .CVE-2023-50387
 %patch199 -p1
 %patch200 -p1
 %patch201 -p1 -b .test-variant-def
 %patch202 -p1 -b .mempool-attach
 %patch203 -p1 -b .isc_hp-CVE-2023-50387
 %patch204 -p1 -b .CVE-2023-6516-test
 %patch205 -p1 -b .RHEL-39131
 %patch206 -p1 -b .CVE-2024-1975
 %patch207 -p1 -b .CVE-2024-1737
 %patch208 -p1 -b .CVE-2024-4076
 %patch210 -p1 -b .CVE-2024-1737-records
 %patch211 -p1 -b .CVE-2024-1737-records-test
 %patch212 -p1 -b .CVE-2024-1737-types
 %patch213 -p1 -b .CVE-2024-1737-types-test
 %patch214 -p1 -b .CVE-2024-1737-records-test2
 %if %{with PKCS11}
-%patch135 -p1 -b .config-pkcs11
+%autopatch -p1 135
 cp -r bin/named{,-pkcs11}
 cp -r bin/dnssec{,-pkcs11}
 cp -r lib/dns{,-pkcs11}
 cp -r lib/ns{,-pkcs11}
-%patch136 -p1 -b .dist_pkcs11
+%autopatch -p1 136
-%patch149 -p1 -b .kyua-pkcs11
+%autopatch -p1 149
 %endif
 # Sparc and s390 arches need to use -fPIE
@ -538,6 +496,10 @@ done
 %endif
 sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/ifconfig.sh
 # allow running as root from mock or test machines
 sed -e 's, "enable-developer",& \&\& systemctl is-system-running \&>/dev/null \&\& ! [ -e /mnt/tests ],' \
    -i bin/tests/system/run.sh
 :;
@ -712,15 +674,29 @@ else
  sh bin/tests/system/ifconfig.sh up
  perl bin/tests/system/testsock.pl && CONFIGURED=build
 fi
 if [ -n "$CONFIGURED" ]
 then
  set -e
  %if %{with CRYPTO_POLICY_RSA1}
    # Override crypto-policy to allow RSASHA1 key operations
    OPENSSL_CONF="$(mktemp openssl-XXXXXX.cnf)"
    cat > "$OPENSSL_CONF" << 'EOF'
 .include = /etc/ssl/openssl.cnf
 [evp_properties]
 rh-allow-sha1-signatures = yes
 EOF
    export OPENSSL_CONF
  %endif
  pushd build/bin/tests
  chown -R ${USER} . # Can be unknown user
-  %make_build test 2>&1 | tee test.log
+  %make_build test
  e=$?
  popd
  [ "$CONFIGURED" = build ] && sh bin/tests/system/ifconfig.sh down
  %if %{with CRYPTO_POLICY_RSA1}
    export -b OPENSSL_CONF
  %endif
  if [ "$e" -ne 0 ]; then
    echo "ERROR: this build of BIND failed 'make test'. Aborting."
    exit $e;
@ -1247,6 +1223,16 @@ fi;
 %endif
 %changelog
 * Sat Feb 15 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-24.3
 - Fix test backport changes
 * Wed Feb 05 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-24.2
 - Limit additional section records CPU processing (CVE-2024-11187)
 * Wed Feb 05 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-24.1
 - Switch to autopatch changes applying
 * Fri Aug 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-24
 - Minor fix of reclimit test backport (CVE-2024-1737)