diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-07 05:00:11 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-07 05:00:11 +0000 |
commit | 007c860a3c3bf977997c5ef4d622f983ff9c9919 (patch) | |
tree | bc3e230e59c77617f5da0f0f79ab00a40e9bf8dc /debian/patches | |
parent | Adding debian version 1:9.11.5.P4+dfsg-5.1+deb10u9. (diff) | |
download | bind9-007c860a3c3bf977997c5ef4d622f983ff9c9919.tar.xz bind9-007c860a3c3bf977997c5ef4d622f983ff9c9919.zip |
Adding debian version 1:9.11.5.P4+dfsg-5.1+deb10u10.debian/1%9.11.5.P4+dfsg-5.1+deb10u10
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | debian/patches/0040-CVE-2023-3341.patch | 183 | ||||
-rw-r--r-- | debian/patches/series | 2 |
2 files changed, 185 insertions, 0 deletions
diff --git a/debian/patches/0040-CVE-2023-3341.patch b/debian/patches/0040-CVE-2023-3341.patch new file mode 100644 index 0000000..3120bd3 --- /dev/null +++ b/debian/patches/0040-CVE-2023-3341.patch @@ -0,0 +1,183 @@ +Backport of: + +--- + +From 639e5b671c0422ec52df91236db8a110c034aefa Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Tue, 20 Jun 2023 15:21:36 +1000 +Subject: [PATCH] Limit isccc_cc_fromwire recursion depth + +Named and rndc do not need a lot of recursion so the depth is +set to 10. + +(cherry picked from commit 820b0cceef0b67b041973da4041ea53d5e276363) + +--- + + lib/isccc/cc.c | 60 ++++++++++++++++++++++---------- + lib/isccc/include/isccc/result.h | 4 ++- + lib/isccc/result.c | 4 ++- + 3 files changed, 47 insertions(+), 21 deletions(-) + +Index: bind9-9.11.5.P4+dfsg/lib/isccc/cc.c +=================================================================== +--- bind9-9.11.5.P4+dfsg.orig/lib/isccc/cc.c 2024-01-14 14:04:30.405992161 +0100 ++++ bind9-9.11.5.P4+dfsg/lib/isccc/cc.c 2024-01-14 14:13:09.633428358 +0100 +@@ -51,8 +51,12 @@ + #include <isccc/symtype.h> + #include <isccc/util.h> + +-#define MAX_TAGS 256 +-#define DUP_LIFETIME 900 ++#define MAX_TAGS 256 ++#define DUP_LIFETIME 900 ++#ifndef ISCCC_MAXDEPTH ++#define ISCCC_MAXDEPTH \ ++ 10 /* Big enough for rndc which just sends a string each way. */ ++#endif + + typedef isccc_sexpr_t *sexpr_ptr; + +@@ -561,19 +565,25 @@ + + static isc_result_t + table_fromwire(isccc_region_t *source, isccc_region_t *secret, +- uint32_t algorithm, isccc_sexpr_t **alistp); ++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp); + + static isc_result_t +-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp); ++list_fromwire(isccc_region_t *source, unsigned int depth, ++ isccc_sexpr_t **listp); + + static isc_result_t +-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { ++value_fromwire(isccc_region_t *source, unsigned int depth, ++ isccc_sexpr_t **valuep) { + unsigned int msgtype; + uint32_t len; + isccc_sexpr_t *value; + isccc_region_t active; + isc_result_t result; + ++ if (depth > ISCCC_MAXDEPTH) { ++ return (ISCCC_R_MAXDEPTH); ++ } ++ + if (REGION_SIZE(*source) < 1 + 4) + return (ISC_R_UNEXPECTEDEND); + GET8(msgtype, source->rstart); +@@ -591,9 +601,9 @@ + } else + result = ISC_R_NOMEMORY; + } else if (msgtype == ISCCC_CCMSGTYPE_TABLE) +- result = table_fromwire(&active, NULL, 0, valuep); ++ result = table_fromwire(&active, NULL, 0, depth + 1, valuep); + else if (msgtype == ISCCC_CCMSGTYPE_LIST) +- result = list_fromwire(&active, valuep); ++ result = list_fromwire(&active, depth + 1, valuep); + else + result = ISCCC_R_SYNTAX; + +@@ -602,7 +612,7 @@ + + static isc_result_t + table_fromwire(isccc_region_t *source, isccc_region_t *secret, +- uint32_t algorithm, isccc_sexpr_t **alistp) ++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) + { + char key[256]; + uint32_t len; +@@ -613,6 +623,10 @@ + + REQUIRE(alistp != NULL && *alistp == NULL); + ++ if (depth > ISCCC_MAXDEPTH) { ++ return (ISCCC_R_MAXDEPTH); ++ } ++ + checksum_rstart = NULL; + first_tag = true; + alist = isccc_alist_create(); +@@ -628,9 +642,10 @@ + GET_MEM(key, len, source->rstart); + key[len] = '\0'; /* Ensure NUL termination. */ + value = NULL; +- result = value_fromwire(source, &value); +- if (result != ISC_R_SUCCESS) ++ result = value_fromwire(source, depth + 1, &value); ++ if (result != ISC_R_SUCCESS) { + goto bad; ++ } + if (isccc_alist_define(alist, key, value) == NULL) { + result = ISC_R_NOMEMORY; + goto bad; +@@ -661,14 +676,19 @@ + } + + static isc_result_t +-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) { ++list_fromwire(isccc_region_t *source, unsigned int depth, ++ isccc_sexpr_t **listp) { + isccc_sexpr_t *list, *value; + isc_result_t result; + ++ if (depth > ISCCC_MAXDEPTH) { ++ return (ISCCC_R_MAXDEPTH); ++ } ++ + list = NULL; + while (!REGION_EMPTY(*source)) { + value = NULL; +- result = value_fromwire(source, &value); ++ result = value_fromwire(source, depth + 1, &value); + if (result != ISC_R_SUCCESS) { + isccc_sexpr_free(&list); + return (result); +@@ -699,7 +719,7 @@ + if (version != 1) + return (ISCCC_R_UNKNOWNVERSION); + +- return (table_fromwire(source, secret, algorithm, alistp)); ++ return (table_fromwire(source, secret, algorithm, 0, alistp)); + } + + static isc_result_t +Index: bind9-9.11.5.P4+dfsg/lib/isccc/include/isccc/result.h +=================================================================== +--- bind9-9.11.5.P4+dfsg.orig/lib/isccc/include/isccc/result.h 2024-01-14 14:04:30.405992161 +0100 ++++ bind9-9.11.5.P4+dfsg/lib/isccc/include/isccc/result.h 2024-01-14 14:04:30.405992161 +0100 +@@ -47,8 +47,10 @@ + #define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4) + /*% Duplicate */ + #define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5) ++/*% Maximum recursion depth */ ++#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6) + +-#define ISCCC_R_NRESULTS 6 /*%< Number of results */ ++#define ISCCC_R_NRESULTS 7 /*%< Number of results */ + + ISC_LANG_BEGINDECLS + +Index: bind9-9.11.5.P4+dfsg/lib/isccc/result.c +=================================================================== +--- bind9-9.11.5.P4+dfsg.orig/lib/isccc/result.c 2024-01-14 14:04:30.405992161 +0100 ++++ bind9-9.11.5.P4+dfsg/lib/isccc/result.c 2024-01-14 14:04:30.405992161 +0100 +@@ -40,7 +40,8 @@ + "bad auth", /* 3 */ + "expired", /* 4 */ + "clock skew", /* 5 */ +- "duplicate" /* 6 */ ++ "duplicate", /* 6 */ ++ "max depth" /* 7 */ + }; + + static const char *ids[ISCCC_R_NRESULTS] = { +@@ -50,6 +51,7 @@ + "ISCCC_R_EXPIRED", + "ISCCC_R_CLOCKSKEW", + "ISCCC_R_DUPLICATE", ++ "ISCCC_R_MAXDEPTH", + }; + + #define ISCCC_RESULT_RESULTSET 2 diff --git a/debian/patches/series b/debian/patches/series index 238f7b9..f3c30fc 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -37,3 +37,5 @@ 0037-CVE-2022-38177.patch 0038-CVE-2022-38178.patch 0039-CVE-2023-2828.patch + +0040-CVE-2023-3341.patch |