summaryrefslogtreecommitdiffstats
path: root/debian/patches/0019-CVE-2020-8617.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/0019-CVE-2020-8617.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/debian/patches/0019-CVE-2020-8617.patch b/debian/patches/0019-CVE-2020-8617.patch
new file mode 100644
index 0000000..63e84d3
--- /dev/null
+++ b/debian/patches/0019-CVE-2020-8617.patch
@@ -0,0 +1,33 @@
+From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ondrej@debian.org>
+Date: Thu, 14 May 2020 12:24:23 +0200
+Subject: CVE-2020-8617
+
+---
+ lib/dns/tsig.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index a94ec69..ff40b99 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -1422,8 +1422,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ goto cleanup_context;
+ }
+ msg->verified_sig = 1;
+- } else if (tsig.error != dns_tsigerror_badsig &&
+- tsig.error != dns_tsigerror_badkey) {
++ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
++ tsig.error != dns_tsigerror_badkey))
++ {
+ tsig_log(msg->tsigkey, 2, "signature was empty");
+ return (DNS_R_TSIGVERIFYFAILURE);
+ }
+@@ -1489,7 +1490,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ }
+ }
+
+- if (tsig.error != dns_rcode_noerror) {
++ if (response && tsig.error != dns_rcode_noerror) {
+ msg->tsigstatus = tsig.error;
+ if (tsig.error == dns_tsigerror_badtime)
+ ret = DNS_R_CLOCKSKEW;