Diffstat (limited to 'debian')
-rw-r--r--debian/changelog9
-rw-r--r--debian/control3
-rw-r--r--debian/patches/0040-CVE-2023-3341.patch183
-rw-r--r--debian/patches/series2
-rwxr-xr-xdebian/rules7
5 files changed, 203 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index ff6db70..c3b5d6a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+bind9 (1:9.11.5.P4+dfsg-5.1+deb10u10) buster-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2023-3341
+ A stack exhaustion flaw was discovered in the control channel code
+ which may result in denial of service (named daemon crash).
+
+ -- Thorsten Alteholz <debian@alteholz.de> Mon, 29 Jan 2024 22:03:02 +0100
+
bind9 (1:9.11.5.P4+dfsg-5.1+deb10u9progress5u1) engywuck-security; urgency=high
* Uploading to engywuck-security, remaining changes:
diff --git a/debian/control b/debian/control
index 8909179..c9f6f05 100644
--- a/debian/control
+++ b/debian/control
@@ -32,7 +32,8 @@ Build-Depends: bison,
protobuf-c-compiler,
python3,
python3-distutils,
- python3-ply
+ python3-ply,
+ libcmocka-dev
Standards-Version: 4.1.2
Vcs-Browser: https://git.progress-linux.org/packages/engywuck/bind9
Vcs-Git: https://git.progress-linux.org/packages/engywuck/bind9
diff --git a/debian/patches/0040-CVE-2023-3341.patch b/debian/patches/0040-CVE-2023-3341.patch
new file mode 100644
index 0000000..3120bd3
--- /dev/null
+++ b/debian/patches/0040-CVE-2023-3341.patch
@@ -0,0 +1,183 @@
+Backport of:
+
+---
+
+From 639e5b671c0422ec52df91236db8a110c034aefa Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 20 Jun 2023 15:21:36 +1000
+Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
+
+Named and rndc do not need a lot of recursion so the depth is
+set to 10.
+
+(cherry picked from commit 820b0cceef0b67b041973da4041ea53d5e276363)
+
+---
+
+ lib/isccc/cc.c | 60 ++++++++++++++++++++++----------
+ lib/isccc/include/isccc/result.h | 4 ++-
+ lib/isccc/result.c | 4 ++-
+ 3 files changed, 47 insertions(+), 21 deletions(-)
+
+Index: bind9-9.11.5.P4+dfsg/lib/isccc/cc.c
+===================================================================
+--- bind9-9.11.5.P4+dfsg.orig/lib/isccc/cc.c 2024-01-14 14:04:30.405992161 +0100
++++ bind9-9.11.5.P4+dfsg/lib/isccc/cc.c 2024-01-14 14:13:09.633428358 +0100
+@@ -51,8 +51,12 @@
+ #include <isccc/symtype.h>
+ #include <isccc/util.h>
+
+-#define MAX_TAGS 256
+-#define DUP_LIFETIME 900
++#define MAX_TAGS 256
++#define DUP_LIFETIME 900
++#ifndef ISCCC_MAXDEPTH
++#define ISCCC_MAXDEPTH \
++ 10 /* Big enough for rndc which just sends a string each way. */
++#endif
+
+ typedef isccc_sexpr_t *sexpr_ptr;
+
+@@ -561,19 +565,25 @@
+
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp);
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
++list_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **listp);
+
+ static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
++value_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **valuep) {
+ unsigned int msgtype;
+ uint32_t len;
+ isccc_sexpr_t *value;
+ isccc_region_t active;
+ isc_result_t result;
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+ if (REGION_SIZE(*source) < 1 + 4)
+ return (ISC_R_UNEXPECTEDEND);
+ GET8(msgtype, source->rstart);
+@@ -591,9 +601,9 @@
+ } else
+ result = ISC_R_NOMEMORY;
+ } else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+- result = table_fromwire(&active, NULL, 0, valuep);
++ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+ else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+- result = list_fromwire(&active, valuep);
++ result = list_fromwire(&active, depth + 1, valuep);
+ else
+ result = ISCCC_R_SYNTAX;
+
+@@ -602,7 +612,7 @@
+
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp)
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
+ {
+ char key[256];
+ uint32_t len;
+@@ -613,6 +623,10 @@
+
+ REQUIRE(alistp != NULL && *alistp == NULL);
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+ checksum_rstart = NULL;
+ first_tag = true;
+ alist = isccc_alist_create();
+@@ -628,9 +642,10 @@
+ GET_MEM(key, len, source->rstart);
+ key[len] = '\0'; /* Ensure NUL termination. */
+ value = NULL;
+- result = value_fromwire(source, &value);
+- if (result != ISC_R_SUCCESS)
++ result = value_fromwire(source, depth + 1, &value);
++ if (result != ISC_R_SUCCESS) {
+ goto bad;
++ }
+ if (isccc_alist_define(alist, key, value) == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto bad;
+@@ -661,14 +676,19 @@
+ }
+
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
++list_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **listp) {
+ isccc_sexpr_t *list, *value;
+ isc_result_t result;
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+ list = NULL;
+ while (!REGION_EMPTY(*source)) {
+ value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+ if (result != ISC_R_SUCCESS) {
+ isccc_sexpr_free(&list);
+ return (result);
+@@ -699,7 +719,7 @@
+ if (version != 1)
+ return (ISCCC_R_UNKNOWNVERSION);
+
+- return (table_fromwire(source, secret, algorithm, alistp));
++ return (table_fromwire(source, secret, algorithm, 0, alistp));
+ }
+
+ static isc_result_t
+Index: bind9-9.11.5.P4+dfsg/lib/isccc/include/isccc/result.h
+===================================================================
+--- bind9-9.11.5.P4+dfsg.orig/lib/isccc/include/isccc/result.h 2024-01-14 14:04:30.405992161 +0100
++++ bind9-9.11.5.P4+dfsg/lib/isccc/include/isccc/result.h 2024-01-14 14:04:30.405992161 +0100
+@@ -47,8 +47,10 @@
+ #define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
+ /*% Duplicate */
+ #define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
++/*% Maximum recursion depth */
++#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
+
+-#define ISCCC_R_NRESULTS 6 /*%< Number of results */
++#define ISCCC_R_NRESULTS 7 /*%< Number of results */
+
+ ISC_LANG_BEGINDECLS
+
+Index: bind9-9.11.5.P4+dfsg/lib/isccc/result.c
+===================================================================
+--- bind9-9.11.5.P4+dfsg.orig/lib/isccc/result.c 2024-01-14 14:04:30.405992161 +0100
++++ bind9-9.11.5.P4+dfsg/lib/isccc/result.c 2024-01-14 14:04:30.405992161 +0100
+@@ -40,7 +40,8 @@
+ "bad auth", /* 3 */
+ "expired", /* 4 */
+ "clock skew", /* 5 */
+- "duplicate" /* 6 */
++ "duplicate", /* 6 */
++ "max depth" /* 7 */
+ };
+
+ static const char *ids[ISCCC_R_NRESULTS] = {
+@@ -50,6 +51,7 @@
+ "ISCCC_R_EXPIRED",
+ "ISCCC_R_CLOCKSKEW",
+ "ISCCC_R_DUPLICATE",
++ "ISCCC_R_MAXDEPTH",
+ };
+
+ #define ISCCC_RESULT_RESULTSET 2
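Review bot: The comment on `ISCCC_MAXDEPTH` in lib/isccc/cc.c does not say what the limit counts, and the value 10 is easy to misread as ten levels of nesting. `value_fromwire()` passes `depth + 1` into `table_fromwire()`/`list_fromwire()`, and those pass `depth + 1` back into `value_fromwire()`, so every nested table or list uses two units and only about five nested containers fit below the top-level table. I would reword the comment along the lines of `/* Counts parser call frames, two per nested table/list; rndc only sends a string each way. */`. Because the macro is wrapped in `#ifndef`, a build that predefines a large value would bring the unbounded recursion back, so a sentence saying so (or a compile-time upper bound) is worth adding. The three function bodies start and end outside the embedded hunks, so only the visible lines were checked.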
diff --git a/debian/patches/series b/debian/patches/series
index 238f7b9..f3c30fc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -37,3 +37,5 @@
0037-CVE-2022-38177.patch
0038-CVE-2022-38178.patch
0039-CVE-2023-2828.patch
+
+0040-CVE-2023-3341.patch
diff --git a/debian/rules b/debian/rules
index 8302d8b..d755bb1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -71,6 +71,12 @@ prepare_version:
clean_version:
if [ -f version.bak ]; then cp version.bak version; fi
+override_dh_auto_test:
+ dh_auto_test
+ -make check
+ -make test
+ -make unit
+
override_dh_autoreconf: prepare_native_pkcs11 prepare_version
dh_autoreconf
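Review bot: The three extra recipe lines in `override_dh_auto_test` are prefixed with `-`, so a failing `make check`, `make test` or `make unit` never fails the package build, and a regression in the backported control-channel fix would only be visible in the build log. If the suites are known to be unreliable on this release, say so in a comment above the target; otherwise drop the `-` at least from the unit-test line, e.g. `$(MAKE) unit`. Using `$(MAKE)` rather than bare `make` also keeps the parent make's jobserver and flags. These lines also run regardless of `nocheck` in `DEB_BUILD_OPTIONS`, which as far as I can tell is only honoured by the `dh_auto_test` call itself.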
@@ -103,6 +109,7 @@ override_dh_auto_configure:
--with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
--with-randomdev=/dev/urandom \
--enable-dnstap \
+ --with-cmocka
$(EXTRA_FEATURES)
dh_auto_configure -B build-udeb -- \
--sysconfdir=/etc/bind \
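Review bot: The added `--with-cmocka` line has no trailing backslash, so the continued `dh_auto_configure` command ends there and `$(EXTRA_FEATURES)` on the next line becomes a separate recipe line instead of configure arguments. Any options that variable carries would be dropped from this configure run, and if it is non-empty the shell would try to execute it as a command. The line should read `--with-cmocka \`. The recipe starts before the hunk and continues past it, so only the visible lines were checked.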