Merging debian version 1:9.11.5.P4+dfsg-5.1+deb10u8.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

5 files changed, 118 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 8a70876..c38c5ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+bind9 (1:9.11.5.P4+dfsg-5.1+deb10u8) buster-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-2795: degraded performance when processing large delegations.
+  * CVE-2022-38177: memory leak in ECDSA verification.
+  * CVE-2022-38178: memory leak in EdDSA verification.
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Wed, 05 Oct 2022 11:07:30 +0200
+
 bind9 (1:9.11.5.P4+dfsg-5.1+deb10u7progress5u1) engywuck; urgency=high
 
   * Initial reupload to engywuck.
diff --git a/debian/patches/0036-CVE-2022-2795.patch b/debian/patches/0036-CVE-2022-2795.patch
new file mode 100644
index 0000000..c978c73
--- /dev/null
+++ b/debian/patches/0036-CVE-2022-2795.patch
@@ -0,0 +1,60 @@
+From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered.  Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index d2cf14bbc8b..73a0ee9f779 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 	bool need_alternate = false;
+ 	bool all_spilled = true;
+ 	unsigned int no_addresses = 0;
++	unsigned int ns_processed = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3902,6 +3909,11 @@ normal_nses:
+ 
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdata_freestruct(&ns);
++
++		if (++ns_processed >= NS_PROCESSING_LIMIT) {
++			result = ISC_R_NOMORE;
++			break;
++		}
+ 	}
+ 	if (result != ISC_R_NOMORE) {
+ 		return (result);
+-- 
+GitLab
+
diff --git a/debian/patches/0037-CVE-2022-38177.patch b/debian/patches/0037-CVE-2022-38177.patch
new file mode 100644
index 0000000..109a6b8
--- /dev/null
+++ b/debian/patches/0037-CVE-2022-38177.patch
@@ -0,0 +1,25 @@
+From 5b2282afff760b1ed3471f6666bdfe8e1d34e590 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH] Free eckey on siglen mismatch
+
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 1f16ca70738..5ee4342b387 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -230,7 +230,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ECDSA384SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ 		DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+GitLab
+
diff --git a/debian/patches/0038-CVE-2022-38178.patch b/debian/patches/0038-CVE-2022-38178.patch
new file mode 100644
index 0000000..582104f
--- /dev/null
+++ b/debian/patches/0038-CVE-2022-38178.patch
@@ -0,0 +1,21 @@
+From 1af23378ebb11da2eb0f412e4563d6c4165fbd3d Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH] Free ctx on invalid siglen
+
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+---
+ lib/dns/openssleddsa_link.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx,
+ 		siglen = DNS_SIG_ED448SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	isc_buffer_usedregion(buf, &tbsreg);
+ 
diff --git a/debian/patches/series b/debian/patches/series
index bce493a..ee6bb91 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,6 @@
 0033-Disable-lame-ttl-cache.patch
 0034-Enable-lame-response-detection-even-with-disabled-la.patch
 0035-CVE-2021-25220.patch
+0036-CVE-2022-2795.patch
+0037-CVE-2022-38177.patch
+0038-CVE-2022-38178.patch