From e57c7fedfc5a9daa122d51f247fb4624acb0301f Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Thu, 20 Feb 2025 03:20:10 +0300
Subject: [PATCH] import bind-9.16.23-24.el9_5.3
---
 .../bind-9.18-CVE-2024-11187-pre-test.patch | 61 +++++++
 SOURCES/bind-9.18-CVE-2024-11187.patch | 172 ++++++++++++++++++
 SPECS/bind.spec | 100 +++++-----
 3 files changed, 276 insertions(+), 57 deletions(-)
 create mode 100644 SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
 create mode 100644 SOURCES/bind-9.18-CVE-2024-11187.patch
diff --git a/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch b/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
new file mode 100644
index 0000000..1010d1c
--- /dev/null
+++ b/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
@@ -0,0 +1,61 @@
+From cc01143082bc688a371a7378ef284c898eedc9df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Tue, 7 Jan 2025 15:22:40 +0100
+Subject: [PATCH] Isolate using the -T noaa flag only for part of the resolver
+ test
+
+Instead of running the whole resolver/ns4 server with -T noaa flag,
+use it only for the part where it is actually needed. The -T noaa
+could interfere with other parts of the test because the answers don't
+have the authoritative-answer bit set, and we could have false
+positives (or false negatives) in the test because the authoritative
+server doesn't follow the DNS protocol for all the tests in the resolver
+system test.
+
+(cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
+---
+ bin/tests/system/resolver/ns4/named.noaa | 5 -----
+ bin/tests/system/resolver/tests.sh | 8 ++++++++
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+ delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
+
+diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
+deleted file mode 100644
+index 3b121ad..0000000
+--- a/bin/tests/system/resolver/ns4/named.noaa
++++ /dev/null
+@@ -1,5 +0,0 @@
+-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+-
+-See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+-
+-Add -T noaa.
+diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
+index 711ee05..2eae16f 100755
+--- a/bin/tests/system/resolver/tests.sh
++++ b/bin/tests/system/resolver/tests.sh
+@@ -289,6 +289,10 @@ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++stop_server resolver ns4
++touch ns4/named.noaa
++start_server --noclean --restart --port ${PORT} resolver ns4 || ret=1
++
+ n=`expr $n + 1`
+ echo_i "RT21594 regression test check setup ($n)"
+ ret=0
+@@ -325,6 +329,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++stop_server resolver ns4
++rm ns4/named.noaa
++start_server --noclean --restart --port ${PORT} resolver ns4 || ret=1
++
+ n=`expr $n + 1`
+ echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
+ ret=0
+-- 
+2.48.1
+ 
diff --git a/SOURCES/bind-9.18-CVE-2024-11187.patch b/SOURCES/bind-9.18-CVE-2024-11187.patch
new file mode 100644
index 0000000..2b74038
--- /dev/null
+++ b/SOURCES/bind-9.18-CVE-2024-11187.patch
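Review bot: Both `start_server --noclean --restart --port ${PORT} resolver ns4 || ret=1` lines inserted into tests.sh set ret only after the previous check has already been folded into status, and the very next check starts with `ret=0`, so a failed ns4 restart is dropped and only surfaces indirectly through whatever later tests happen to fail. Accounting for it on the spot, e.g. `start_server --noclean --restart --port ${PORT} resolver ns4 || { echo_i "failed to restart ns4"; status=$(expr $status + 1); }`, keeps the failure attributable to the restart rather than to an unrelated check. Since this is a cherry-picked upstream test change shipped as a SOURCES patch, the fix belongs upstream as well as in this backport.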
@@ -0,0 +1,172 @@
+From b095854ee885dd5960cb54e7fbefb962498e9fdb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Thu, 14 Nov 2024 10:37:29 +0100
+Subject: [PATCH] Limit the additional processing for large RDATA sets
+
+When answering queries, don't add data to the additional section if
+the answer has more than 13 names in the RDATA. This limits the
+number of lookups into the database(s) during a single client query,
+reducing query processing load.
+
+Also, don't append any additional data to type=ANY queries. The
+answer to ANY is already big enough.
+
+(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
+PatchNumber: 47
+---
+ bin/tests/system/additional/tests.sh | 2 +-
+ lib/dns/include/dns/rdataset.h | 12 ++++++++++++
+ lib/dns/rbtdb.c | 2 +-
+ lib/dns/rdataset.c | 11 +++++++++++
+ lib/ns/query.c | 15 ++++++++++-----
+ 5 files changed, 35 insertions(+), 7 deletions(-)
+
+diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
+index 025f11f..846c800 100644
+--- a/bin/tests/system/additional/tests.sh
++++ b/bin/tests/system/additional/tests.sh
+@@ -260,7 +260,7 @@ n=`expr $n + 1`
+ echo_i "testing with 'minimal-any no;' ($n)"
+ ret=0
+ $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
+-grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
++grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=$((status+1))
+ fi
+diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
+index f2585ef..54ad7b2 100644
+--- a/lib/dns/include/dns/rdataset.h
++++ b/lib/dns/include/dns/rdataset.h
+@@ -53,6 +53,8 @@
+ #include 
+ #include 
+ 
++#define DNS_RDATASET_MAXADDITIONAL 13
++
+ ISC_LANG_BEGINDECLS
+ 
+ typedef enum {
+@@ -458,13 +460,23 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ *\li If a call to dns_rdata_additionaldata() is not successful, the
+ * 
result returned will be the result of dns_rdataset_additionaldata().
+ *
++ *\li If 'limit' is non-zero and the number of the rdatasets is larger
++ * than 'limit', no additional data will be processed.
++ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS
+ *
++ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
++ *
+ *\li Any error that dns_rdata_additionaldata() can return.
+ */
+ 
++isc_result_t
++dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
++ dns_additionaldatafunc_t add, void *arg,
++ size_t limit);
++
+ isc_result_t
+ dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+ dns_rdataset_t *neg, dns_rdataset_t *negsig);
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index ed5015c..7586e2a 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -10626,7 +10626,7 @@ no_glue:
+ maybe_rehash_gluetable(rbtversion);
+ idx = hash_32(hash, rbtversion->glue_table_bits);
+ 
+- (void)dns_rdataset_additionaldata(rdataset, glue_nsdname_cb, &ctx);
++ (void)dns_rdataset_additionaldata2(rdataset, glue_nsdname_cb, &ctx, 0);
+ 
+ cur = isc_mem_get(rbtdb->common.mctx, sizeof(*cur));
+ 
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index bf9e7af..ffe6163 100644
+--- a/lib/dns/rdataset.c
++++ b/lib/dns/rdataset.c
+@@ -27,6 +27,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ static const char *trustnames[] = {
+ "none", "pending-additional",
+@@ -577,6 +578,12 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ dns_additionaldatafunc_t add, void *arg) {
++ return dns_rdataset_additionaldata2(rdataset, add, arg, 0);
++}
++
++isc_result_t
++dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
++ dns_additionaldatafunc_t add, void *arg, size_t limit) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+ 
+@@ -588,6 +595,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ 
REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ 
++ if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
++ return DNS_R_TOOMANYRECORDS;
++ }
++
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index f7b3f78..5bc2908 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -2030,8 +2030,9 @@ addname:
+ * This cannot go more than MAX_RESTARTS levels deep.
+ */
+ if (trdataset != NULL && dns_rdatatype_followadditional(type)) {
+- eresult = dns_rdataset_additionaldata(
+- trdataset, query_additional_cb, qctx);
++ eresult = dns_rdataset_additionaldata2(
++ trdataset, query_additional_cb, qctx,
++ DNS_RDATASET_MAXADDITIONAL);
+ }
+ 
+ cleanup:
+@@ -2122,7 +2123,8 @@ regular:
+ * Add other additional data if needed.
+ * We don't care if dns_rdataset_additionaldata() fails.
+ */
+- (void)dns_rdataset_additionaldata(rdataset, query_additional_cb, qctx);
++ (void)dns_rdataset_additionaldata2(rdataset, query_additional_cb,
++ qctx, DNS_RDATASET_MAXADDITIONAL);
+ CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
+ }
+ 
+@@ -2148,7 +2150,8 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ * To the current response for 'client', add the answer RRset
+ * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
+ * owner name '*namep', to section 'section', unless they are
+- * already there. Also add any pertinent additional data.
++ * already there. Also add any pertinent additional data, unless
++ * the query was for type ANY.
+ *
+ * If 'dbuf' is not NULL, then '*namep' is the name whose data is
+ * stored in 'dbuf'. 
In this case, query_addrrset() guarantees that
+@@ -2203,7 +2206,9 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ */
+ query_addtoname(mname, rdataset);
+ query_setorder(qctx, mname, rdataset);
+- query_additional(qctx, rdataset);
++ if (qctx->qtype != dns_rdatatype_any) {
++ query_additional(qctx, rdataset);
++ }
+ 
+ /*
+ * Note: we only add SIGs if we've added the type they cover, so
+-- 
+2.48.1
+ 
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 20a162a..36101e6 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -6,6 +6,8 @@
 # bcond_without is built by default, unless --without X is passed
 # bcond_with is built only when --with X is passed to build
 %bcond_with SYSTEMTEST
+# enable RSA1 during SYSTEMTEST
+%bcond_with CRYPTO_POLICY_RSA1
 %bcond_without GSSTSIG
 # it is not possible to build the package without PKCS11 sub-package
 # due to extensive changes to Makefiles
@@ -54,7 +56,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 24%{?dist}
+Release: 24%{?dist}.3
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -174,6 +176,9 @@ Patch212: bind-9.16-CVE-2024-1737-types.patch
 Patch213: bind-9.16-CVE-2024-1737-types-test.patch
 # backport issue fix
 Patch214: bind-9.16-CVE-2024-1737-records-test2.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/commit/c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0
+Patch215: bind-9.18-CVE-2024-11187-pre-test.patch
+Patch216: bind-9.18-CVE-2024-11187.patch
 %{?systemd_ordering}
 Requires: coreutils
@@ -216,6 +221,7 @@ BuildRequires: softhsm
 %if %{with SYSTEMTEST}
 # bin/tests/system dependencies
 BuildRequires: perl(Net::DNS) perl(Net::DNS::Nameserver) perl(Time::HiRes) perl(Getopt::Long)
+BuildRequires: perl(English)
 BuildRequires: python-dns
 # manual configuration requires this tool
 BuildRequires: iproute
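Review bot: `#define DNS_RDATASET_MAXADDITIONAL 13` in rdataset.h carries no comment, so the one number that bounds per-query database lookups in the CVE-2024-11187 mitigation reads as a magic constant; a comment such as `/* Max number of RDATA names for which additional data is looked up while building one answer; caps per-query DB lookups (CVE-2024-11187). A limit of 0 means unlimited and is used for glue. */` preserves the rationale that otherwise lives only in the commit message. The doc block above dns_rdataset_additionaldata2() says "the number of the rdatasets is larger than 'limit'", but the check is `dns_rdataset_count(rdataset) > limit`, i.e. the number of records in this single rdataset, so `the number of records in 'rdataset' exceeds 'limit'` is the accurate wording. In the query.c hunk at 2030 the new DNS_R_TOOMANYRECORDS lands in eresult, whose handling after `cleanup:` is outside the hunk; if it is returned to the enclosing dns_rdataset_additionaldata2() loop, one nested set over the limit also stops additional processing for the remaining rdata of the outer set — presumably intended since it mirrors upstream, but worth confirming for the 9.16 backport. dns_rdataset_additionaldata() keeps limit 0, so every caller not shown here stays unbounded by design.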
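Review bot: The comment `# enable RSA1 during SYSTEMTEST` on the new bcond is ambiguous: "RSA1" reads like a key type, whereas the %check hunk further down shows the switch only installs an OpenSSL config override (`rh-allow-sha1-signatures = yes`) so that RSASHA1 test signatures pass the system crypto policy. Spelling that out, e.g. `# allow RSASHA1 (SHA-1) signatures in SYSTEMTEST by overriding the crypto-policy; off by default, enable with --with CRYPTO_POLICY_RSA1`, also makes clear that it is a test-only relaxation and not a build-time setting of the shipped binaries.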
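Review bot: The URL comment above Patch215 points at commit c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0, which matches neither of the commit ids recorded inside the two patch files themselves (cc01143082…, cherry-picked from e51d4d3b88…, and b095854ee8…, cherry-picked from a1982cf1bb…), and Patch216 — the actual CVE fix — has no comment at all, so it is unclear which upstream change the link documents (possibly a 9.18 branch commit). One comment per patch naming the CVE and the source commit recorded in the file, e.g. `# CVE-2024-11187 test prerequisite, upstream e51d4d3b88` and `# CVE-2024-11187, upstream a1982cf1bb (taken from the 9.18 branch)`, keeps the provenance verifiable against the patch headers.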
@@ -465,69 +471,21 @@ in HTML and PDF format.
 # RHEL does not yet support this verification
 %{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}'
 %endif
-%setup -q
+%autosetup -N
 # Common patches
-%patch10 -p1 -b .PIE
-%patch16 -p1 -b .redhat_doc
-%patch72 -p1 -b .64bit
-%patch106 -p1 -b .rh490837
-%patch112 -p1 -b .rh645544
-%patch130 -p1 -b .libdb
-%patch157 -p1 -b .fips-tests
-%patch164 -p1 -b .rh1666814
-%patch170 -p1 -b .featuretest-named
-%patch171 -p1 -b .test-variant
-%patch172 -p1 -b .CVE-2022-0396
-%patch173 -p1 -b .CVE-2021-25220
-%patch174 -p1 -b .CVE-2021-25220-test
-%patch175 -p1 -b .CVE-2022-3080
-%patch176 -p1 -b .CVE-2022-38177
-%patch177 -p1 -b .CVE-2022-38178
-%patch178 -p1 -b .CVE-2022-2795
-%patch179 -p1 -b .rh2101712
-%patch181 -p1 -b .rh2133889
-%patch182 -p1 -b .CVE-2022-3094
-%patch183 -p1 -b .CVE-2022-3094
-%patch184 -p1 -b .CVE-2022-3094
-%patch185 -p1 -b .CVE-2022-3094-test
-%patch186 -p1 -b .CVE-2022-3736
-%patch187 -p1 -b .CVE-2022-3924
-%patch188 -p1 -b .CVE-2023-2828
-%patch189 -p1 -b .CVE-2023-2911-1
-%patch190 -p1 -b .CVE-2023-2911-2
-%patch191 -p1 -b .CVE-2023-2911-3
-%patch192 -p1 -b .CVE-2023-3341
-%patch193 -p1 -b .b.root-servers.net
-%patch194 -p1 -b .CVE-2023-4408
-%patch195 -p1 -b .CVE-2023-5517
-%patch196 -p1 -b .CVE-2023-5679
-%patch197 -p1 -b .CVE-2023-6516
-%patch198 -p1 -b .CVE-2023-50387
-%patch199 -p1
-%patch200 -p1
-%patch201 -p1 -b .test-variant-def
-%patch202 -p1 -b .mempool-attach
-%patch203 -p1 -b .isc_hp-CVE-2023-50387
-%patch204 -p1 -b .CVE-2023-6516-test
-%patch205 -p1 -b .RHEL-39131
-%patch206 -p1 -b .CVE-2024-1975
-%patch207 -p1 -b .CVE-2024-1737
-%patch208 -p1 -b .CVE-2024-4076
-%patch210 -p1 -b .CVE-2024-1737-records
-%patch211 -p1 -b .CVE-2024-1737-records-test
-%patch212 -p1 -b .CVE-2024-1737-types
-%patch213 -p1 -b .CVE-2024-1737-types-test
-%patch214 -p1 -b .CVE-2024-1737-records-test2
+%autopatch -p1 -m 1 -M 134
+# PKCS11 patches 135 136 and 149 are applied later.
+%autopatch -p1 -m 150
 %if %{with PKCS11}
-%patch135 -p1 -b .config-pkcs11
+%autopatch -p1 135
 cp -r bin/named{,-pkcs11}
 cp -r bin/dnssec{,-pkcs11}
 cp -r lib/dns{,-pkcs11}
 cp -r lib/ns{,-pkcs11}
-%patch136 -p1 -b .dist_pkcs11
-%patch149 -p1 -b .kyua-pkcs11
+%autopatch -p1 136
+%autopatch -p1 149
 %endif
 # Sparc and s390 arches need to use -fPIE
@@ -538,6 +496,10 @@ done
 %endif
 sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/ifconfig.sh
+# allow running as root from mock or test machines
+sed -e 's, "enable-developer",& \&\& systemctl is-system-running \&>/dev/null \&\& ! [ -e /mnt/tests ],' \
+ -i bin/tests/system/run.sh
+
 :;
@@ -712,15 +674,29 @@ else
 sh bin/tests/system/ifconfig.sh up
 perl bin/tests/system/testsock.pl && CONFIGURED=build
 fi
+
 if [ -n "$CONFIGURED" ]
 then
 set -e
+ %if %{with CRYPTO_POLICY_RSA1}
+ # Override crypto-policy to allow RSASHA1 key operations
+ OPENSSL_CONF="$(mktemp openssl-XXXXXX.cnf)"
+ cat > "$OPENSSL_CONF" << 'EOF'
+.include = /etc/ssl/openssl.cnf
+[evp_properties]
+rh-allow-sha1-signatures = yes
+EOF
+ export OPENSSL_CONF
+ %endif
 pushd build/bin/tests
 chown -R ${USER} . # Can be unknown user
- %make_build test 2>&1 | tee test.log
+ %make_build test
 e=$?
 popd
 [ "$CONFIGURED" = build ] && sh bin/tests/system/ifconfig.sh down
+ %if %{with CRYPTO_POLICY_RSA1}
+ export -b OPENSSL_CONF
+ %endif
 if [ "$e" -ne 0 ]; then
 echo "ERROR: this build of BIND failed 'make test'. Aborting."
 exit $e;
@@ -1247,6 +1223,16 @@ fi;
 %endif
 %changelog
+* Sat Feb 15 2025 Petr Menšík - 32:9.16.23-24.3
+- Fix test backport changes
+
+* Wed Feb 05 2025 Petr Menšík - 32:9.16.23-24.2
+
+- Limit additional section records CPU processing (CVE-2024-11187)
+
+* Wed Feb 05 2025 Petr Menšík - 32:9.16.23-24.1
+- Switch to autopatch changes applying
+
 * Fri Aug 09 2024 Petr Menšík - 32:9.16.23-24
 - Minor fix of reclimit test backport (CVE-2024-1737)
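Review bot: `%autopatch -p1 -m 1 -M 134` followed by `%autopatch -p1 -m 150` hands the range 135–149 to the PKCS11 block, but any Patch declared with a number 137–148 is now silently never applied, and a Patch209 — which the removed explicit list skipped — would now be applied; the Patch declarations are outside this hunk, so both cases need checking against the preamble before this is merged. The explicit list also documented the intended order, so the new comment should state the contract, e.g. `# Patches 1-134 and >=150 apply in numeric order; 135, 136 and 149 (PKCS11) apply after the tree copy below. Numbers 137-148 are NOT applied.`. The `-b .suffix` backup copies disappear with autopatch, which is fine as long as nothing later in the build relies on those backup files.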
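Review bot: The condition the new sed splices into bin/tests/system/run.sh uses `\&>/dev/null`, a bash-only redirection; if run.sh is executed by a POSIX /bin/sh (its shebang is outside this diff), `cmd &>/dev/null` parses as `cmd &` plus a bare redirection, which backgrounds systemctl and breaks the `&&` chain, so `>/dev/null 2>\&1` is the safe spelling. The sed also succeeds silently when `"enable-developer"` no longer matches after a rebase, so a follow-up `grep -q 'is-system-running' bin/tests/system/run.sh || exit 1` would make the override visible the moment it stops applying. The comment above only says "allow running as root", while the inserted text additionally requires a booted systemd instance and the absence of /mnt/tests; as far as that is the intent, the comment should say so.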
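Review bot: `export -b OPENSSL_CONF` in the CRYPTO_POLICY_RSA1 teardown is not a valid bash export option (export accepts only -f, -n and -p), so with the bcond enabled the %check scriptlet fails under the `set -e` visible in the context lines above even after every test passed; `unset OPENSSL_CONF` together with `rm -f "$OPENSSL_CONF"` does what the block appears to intend and also removes the mktemp file. The same `set -e` makes the `e=$?` / "ERROR: this build of BIND failed 'make test'" path after `%make_build test` unreachable on failure: the shell exits before reaching it, so the build still fails but the message and the teardown are skipped. Dropping `| tee test.log` does fix the old masking of make's exit status by tee's, at the cost of the log file; `%make_build test 2>&1 | tee test.log; e=${PIPESTATUS[0]}` would keep both. The enclosing %check body continues outside the hunk.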