-rw-r--r-- | debian/changelog | 9 | ||||
-rw-r--r-- | debian/patches/0036-CVE-2022-2795.patch | 60 | ||||
-rw-r--r-- | debian/patches/0037-CVE-2022-38177.patch | 25 | ||||
-rw-r--r-- | debian/patches/0038-CVE-2022-38178.patch | 21 | ||||
-rw-r--r-- | debian/patches/series | 3 |
5 files changed, 118 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 4a0cfd0..5859a09 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+bind9 (1:9.11.5.P4+dfsg-5.1+deb10u8) buster-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2022-2795: degraded performance when processing large delegations.
+ * CVE-2022-38177: memory leak in ECDSA verification.
+ * CVE-2022-38178: memory leak in EdDSA verification.
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org> Wed, 05 Oct 2022 11:07:30 +0200
+
 bind9 (1:9.11.5.P4+dfsg-5.1+deb10u7) buster-security; urgency=high
 
 * CVE-2021-25220: The rules for acceptance of records into the cache
diff --git a/debian/patches/0036-CVE-2022-2795.patch b/debian/patches/0036-CVE-2022-2795.patch
new file mode 100644
index 0000000..c978c73
--- /dev/null
+++ b/debian/patches/0036-CVE-2022-2795.patch
@@ -0,0 +1,60 @@
+From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered. Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index d2cf14bbc8b..73a0ee9f779 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+ */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT 5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ bool need_alternate = false;
+ bool all_spilled = true;
+ unsigned int no_addresses = 0;
++ unsigned int ns_processed = 0;
+ 
+ FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3902,6 +3909,11 @@ normal_nses:
+ 
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
++
++ if (++ns_processed >= NS_PROCESSING_LIMIT) {
++ result = ISC_R_NOMORE;
++ break;
++ }
+ }
+ if (result != ISC_R_NOMORE) {
+ return (result);
+--
+GitLab
+
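Review bot: The new guard after `dns_rdata_freestruct(&ns);` stops at the NS_PROCESSING_LIMIT-th NS RR by forcing `result = ISC_R_NOMORE` and breaking, and the following `if (result != ISC_R_NOMORE)` then treats that as a normal end of the RRset, so the truncation is invisible to an operator debugging a resolution failure against a large delegation. Consider a trace point before the break, e.g. `FCTXTRACE("NS_PROCESSING_LIMIT reached, remaining NS RRs not processed");`, so the behaviour can be correlated with the symptom the patch description gives. The counter is only bumped at the bottom of the loop body, so any `continue` earlier in that body (outside this hunk) would not count toward the limit; that is presumably fine if those paths do no lookups, but worth confirming. The limit's definition only documents the value as arbitrary; a one-line comment at the guard pointing at the CVE would help the next rebase. fctx_getaddresses() and the loop head both lie outside the hunk.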
diff --git a/debian/patches/0037-CVE-2022-38177.patch b/debian/patches/0037-CVE-2022-38177.patch
new file mode 100644
index 0000000..109a6b8
--- /dev/null
+++ b/debian/patches/0037-CVE-2022-38177.patch
@@ -0,0 +1,25 @@
+From 5b2282afff760b1ed3471f6666bdfe8e1d34e590 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH] Free eckey on siglen mismatch
+
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 1f16ca70738..5ee4342b387 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -230,7 +230,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ siglen = DNS_SIG_ECDSA384SIZE;
+ 
+ if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+ 
+ if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ DST_RET (dst__openssl_toresult3(dctx->category,
+--
+GitLab
+
diff --git a/debian/patches/0038-CVE-2022-38178.patch b/debian/patches/0038-CVE-2022-38178.patch
new file mode 100644
index 0000000..582104f
--- /dev/null
+++ b/debian/patches/0038-CVE-2022-38178.patch
@@ -0,0 +1,21 @@
+From 1af23378ebb11da2eb0f412e4563d6c4165fbd3d Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH] Free ctx on invalid siglen
+
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+---
+ lib/dns/openssleddsa_link.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx,
+ siglen = DNS_SIG_ED448SIZE;
+ 
+ if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+ 
+ isc_buffer_usedregion(buf, &tbsreg);
+ 
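Review bot: The embedded diffstat in 0038-CVE-2022-38178.patch announces `lib/dns/openssleddsa_link.c | 4 ++--` and `2 insertions(+), 2 deletions(-)`, but the hunk that follows changes only one line pair (`return (DST_R_VERIFYFAILURE);` to `DST_RET(DST_R_VERIFYFAILURE);`), so the patch as carried is narrower than its own header claims. If the second change in upstream commit 6ddb480a84836641a0711768a94122972c166825 does not apply to 9.11's openssleddsa_link.c, the stat lines should be trimmed (or a sentence added to the patch description) so the next rebase does not hunt for a missing hunk; if it does apply, another early-return path that skips cleanup may still be present. 0037-CVE-2022-38177.patch has the same shape of fix and its stats agree with its hunk, but unlike 0036 and 0038 it carries no `(cherry picked from commit …)` line; adding the upstream reference would help later audits. Both hunks rely on DST_RET jumping to the function's cleanup label where the context and key are released; that label, and the rest of each verify function, lie outside these hunks.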
diff --git a/debian/patches/series b/debian/patches/series
index bce493a..ee6bb91 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,6 @@
 0033-Disable-lame-ttl-cache.patch
 0034-Enable-lame-response-detection-even-with-disabled-la.patch
 0035-CVE-2021-25220.patch
+0036-CVE-2022-2795.patch
+0037-CVE-2022-38177.patch
+0038-CVE-2022-38178.patch