bind/CVE-2018-5745.patch

Description: fix assertion failure when a trust anchor rolls over to an
 unsupported key algorithm when using managed-keys
Origin: provided by ISC

Index: bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/dns/include/dst/dst.h	2019-02-20 09:01:27.450680701 +0100
+++ bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h	2019-02-20 09:01:27.446680698 +0100
@@ -67,8 +67,7 @@ typedef struct dst_context 	dst_context_
 #define DST_ALG_HMACSHA512	165	/* XXXMPA */
 #define DST_ALG_INDIRECT	252
 #define DST_ALG_PRIVATE		254
-#define DST_ALG_EXPAND		255
-#define DST_MAX_ALGS		255
+#define DST_MAX_ALGS		256
 
 /*% A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE		1280
Index: bind9-9.11.4+dfsg/lib/dns/zone.c
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/dns/zone.c	2019-02-20 09:01:27.450680701 +0100
+++ bind9-9.11.4+dfsg/lib/dns/zone.c	2019-02-20 09:01:27.450680701 +0100
@@ -3873,9 +3873,10 @@ compute_tag(dns_name_t *name, dns_rdata_
 			     dns_rdatatype_dnskey, dnskey, &buffer);
 
 	result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
 		*tag = dst_key_id(dstkey);
-	dst_key_free(&dstkey);
+		dst_key_free(&dstkey);
+	}
 
 	return (result);
 }
@@ -9315,6 +9316,17 @@ keyfetch_done(isc_task_t *task, isc_even
 
 		dns_keydata_todnskey(&keydata, &dnskey, NULL);
 		result = compute_tag(keyname, &dnskey, mctx, &keytag);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * Skip if we cannot compute the key tag.
+			 * This may happen if the algorithm is unsupported
+			 */
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				"Cannot compute tag for key in zone %s: %s "
+				"(skipping)",
+				namebuf, dns_result_totext(result));
+			continue;
+		}
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 		/*
@@ -9426,6 +9438,17 @@ keyfetch_done(isc_task_t *task, isc_even
 			continue;
 
 		result = compute_tag(keyname, &dnskey, mctx, &keytag);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * Skip if we cannot compute the key tag.
+			 * This may happen if the algorithm is unsupported
+			 */
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				"Cannot compute tag for key in zone %s: %s "
+				"(skipping)",
+				namebuf, dns_result_totext(result));
+			continue;
+		}
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 		revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);
init 2019-12-28 09:41:34 +08:00			`Description: fix assertion failure when a trust anchor rolls over to an`
			`unsupported key algorithm when using managed-keys`
			`Origin: provided by ISC`

			`Index: bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h`
			`===================================================================`
			`--- bind9-9.11.4+dfsg.orig/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.450680701 +0100`
			`+++ bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.446680698 +0100`
			`@@ -67,8 +67,7 @@ typedef struct dst_context dst_context_`
			`#define DST_ALG_HMACSHA512 165 /* XXXMPA */`
			`#define DST_ALG_INDIRECT 252`
			`#define DST_ALG_PRIVATE 254`
			`-#define DST_ALG_EXPAND 255`
			`-#define DST_MAX_ALGS 255`
			`+#define DST_MAX_ALGS 256`

			`/% A buffer of this size is large enough to hold any key /`
			`#define DST_KEY_MAXSIZE 1280`
			`Index: bind9-9.11.4+dfsg/lib/dns/zone.c`
			`===================================================================`
			`--- bind9-9.11.4+dfsg.orig/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100`
			`+++ bind9-9.11.4+dfsg/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100`
			`@@ -3873,9 +3873,10 @@ compute_tag(dns_name_t *name, dns_rdata_`
			`dns_rdatatype_dnskey, dnskey, &buffer);`

			`result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);`
			`- if (result == ISC_R_SUCCESS)`
			`+ if (result == ISC_R_SUCCESS) {`
			`*tag = dst_key_id(dstkey);`
			`- dst_key_free(&dstkey);`
			`+ dst_key_free(&dstkey);`
			`+ }`

			`return (result);`
			`}`
			`@@ -9315,6 +9316,17 @@ keyfetch_done(isc_task_t *task, isc_even`

			`dns_keydata_todnskey(&keydata, &dnskey, NULL);`
			`result = compute_tag(keyname, &dnskey, mctx, &keytag);`
			`+ if (result != ISC_R_SUCCESS) {`
			`+ /*`
			`+ * Skip if we cannot compute the key tag.`
			`+ * This may happen if the algorithm is unsupported`
			`+ */`
			`+ dns_zone_log(zone, ISC_LOG_ERROR,`
			`+ "Cannot compute tag for key in zone %s: %s "`
			`+ "(skipping)",`
			`+ namebuf, dns_result_totext(result));`
			`+ continue;`
			`+ }`
			`RUNTIME_CHECK(result == ISC_R_SUCCESS);`

			`/*`
			`@@ -9426,6 +9438,17 @@ keyfetch_done(isc_task_t *task, isc_even`
			`continue;`

			`result = compute_tag(keyname, &dnskey, mctx, &keytag);`
			`+ if (result != ISC_R_SUCCESS) {`
			`+ /*`
			`+ * Skip if we cannot compute the key tag.`
			`+ * This may happen if the algorithm is unsupported`
			`+ */`
			`+ dns_zone_log(zone, ISC_LOG_ERROR,`
			`+ "Cannot compute tag for key in zone %s: %s "`
			`+ "(skipping)",`
			`+ namebuf, dns_result_totext(result));`
			`+ continue;`
			`+ }`
			`RUNTIME_CHECK(result == ISC_R_SUCCESS);`

			`revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);`