fix CVE-2021-25220

2022-03-30 16:47:27 +08:00 · 2022-03-30 16:47:27 +08:00 · 561cbdf00a
commit 561cbdf00a
parent e94219e77c
2 changed files with 217 additions and 1 deletions
--- a/CVE-2021-25220.patch
+++ b/CVE-2021-25220.patch
@ -0,0 +1,208 @@
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/f1bc36f19362f9f2173bf9511e85781058f19c64
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index dd82f273a4d5a2d34edd1cbcba8c9daf78a71b34..677384b1081d060ccc0acc92e476eb7664577806 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -65,6 +65,8 @@
+ #include <dns/stats.h>
+ #include <dns/tsig.h>
+ #include <dns/validator.h>
+#include <dns/zone.h>
+
+ #ifdef WANT_QUERYTRACE
+ #define RTRACE(m)                                                             \
+ 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,                     \
+@@ -339,6 +341,8 @@ struct fetchctx {
+ 	dns_fetch_t *qminfetch;
+ 	dns_rdataset_t qminrrset;
+ 	dns_name_t qmindcname;
+	dns_fixedname_t fwdfname;
+	dns_name_t *fwdname;
+ 
+ 	/*%
+ 	 * The number of events we're waiting for.
+@@ -3766,6 +3770,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 		if (result == ISC_R_SUCCESS) {
+ 			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+ 			fctx->fwdpolicy = forwarders->fwdpolicy;
+			dns_name_copynf(domain, fctx->fwdname);
+ 			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
+ 			    isstrictsubdomain(domain, &fctx->domain))
+ 			{
+@@ -5155,6 +5160,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
+ 	fctx->restarts = 0;
+ 	fctx->querysent = 0;
+ 	fctx->referrals = 0;
+
+	fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
+
+ 	TIME_NOW(&fctx->start);
+ 	fctx->timeouts = 0;
+ 	fctx->lamecount = 0;
+@@ -5217,6 +5225,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
+ 					   fname, &forwarders);
+ 		if (result == ISC_R_SUCCESS) {
+ 			fctx->fwdpolicy = forwarders->fwdpolicy;
+			dns_name_copynf(fname, fctx->fwdname);
+ 		}
+ 
+ 		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
+@@ -7120,6 +7129,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
+ 	}
+ }
+ 
+/*
+ * Returns true if 'name' is external to the namespace for which
+ * the server being queried can answer, either because it's not a
+ * subdomain or because it's below a forward declaration or a
+ * locally served zone.
+ */
+static inline bool
+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
+	isc_result_t result;
+	dns_forwarders_t *forwarders = NULL;
+	dns_fixedname_t fixed, zfixed;
+	dns_name_t *fname = dns_fixedname_initname(&fixed);
+	dns_name_t *zfname = dns_fixedname_initname(&zfixed);
+	dns_name_t *apex = NULL;
+	dns_name_t suffix;
+	dns_zone_t *zone = NULL;
+	unsigned int labels;
+	dns_namereln_t rel;
+
+	apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
+
+	/*
+	 * The name is outside the queried namespace.
+	 */
+	rel = dns_name_fullcompare(name, apex, &(int){ 0 },
+				   &(unsigned int){ 0U });
+	if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
+		return (true);
+	}
+
+	/*
+	 * If the record lives in the parent zone, adjust the name so we
+	 * look for the correct zone or forward clause.
+	 */
+	labels = dns_name_countlabels(name);
+	if (dns_rdatatype_atparent(type) && labels > 1U) {
+		dns_name_init(&suffix, NULL);
+		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+		name = &suffix;
+	} else if (rel == dns_namereln_equal) {
+		/* If 'name' is 'apex', no further checking is needed. */
+		return (false);
+	}
+
+	/*
+	 * If there is a locally served zone between 'apex' and 'name'
+	 * then don't cache.
+	 */
+	LOCK(&fctx->res->view->lock);
+	if (fctx->res->view->zonetable != NULL) {
+		unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
+		result = dns_zt_find(fctx->res->view->zonetable, name, options,
+				     zfname, &zone);
+		if (zone != NULL) {
+			dns_zone_detach(&zone);
+		}
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+			if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
+						 &(unsigned int){ 0U }) ==
+			    dns_namereln_subdomain)
+			{
+				UNLOCK(&fctx->res->view->lock);
+				return (true);
+			}
+		}
+	}
+	UNLOCK(&fctx->res->view->lock);
+
+	/*
+	 * Look for a forward declaration below 'name'.
+	 */
+	result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
+				   &forwarders);
+
+	if (ISFORWARDER(fctx->addrinfo)) {
+		/*
+		 * See if the forwarder declaration is better.
+		 */
+		if (result == ISC_R_SUCCESS) {
+			return (!dns_name_equal(fname, fctx->fwdname));
+		}
+
+		/*
+		 * If the lookup failed, the configuration must have
+		 * changed: play it safe and don't cache.
+		 */
+		return (true);
+	} else if (result == ISC_R_SUCCESS &&
+		   forwarders->fwdpolicy == dns_fwdpolicy_only &&
+		   !ISC_LIST_EMPTY(forwarders->fwdrs))
+	{
+		/*
+		 * If 'name' is covered by a 'forward only' clause then we
+		 * can't cache this repsonse.
+		 */
+		return (true);
+	}
+
+	return (false);
+}
+
+ static isc_result_t
+ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
+ 	      dns_section_t section) {
+@@ -7146,7 +7256,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
+ 	result = dns_message_findname(rctx->query->rmessage, section, addname,
+ 				      dns_rdatatype_any, 0, &name, NULL);
+ 	if (result == ISC_R_SUCCESS) {
+-		external = !dns_name_issubdomain(name, &fctx->domain);
+		external = name_external(name, type, fctx);
+ 		if (type == dns_rdatatype_a) {
+ 			for (rdataset = ISC_LIST_HEAD(name->list);
+ 			     rdataset != NULL;
+@@ -8770,6 +8880,13 @@ rctx_answer_scan(respctx_t *rctx) {
+ 			break;
+ 
+ 		case dns_namereln_subdomain:
+			/*
+			 * Don't accept DNAME from parent namespace.
+			 */
+			if (name_external(name, dns_rdatatype_dname, fctx)) {
+				continue;
+			}
+
+ 			/*
+ 			 * In-scope DNAME records must have at least
+ 			 * as many labels as the domain being queried.
+@@ -9083,13 +9200,11 @@ rctx_authority_positive(respctx_t *rctx) {
+ 				       DNS_SECTION_AUTHORITY);
+ 	while (!done && result == ISC_R_SUCCESS) {
+ 		dns_name_t *name = NULL;
+-		bool external;
+ 
+ 		dns_message_currentname(rctx->query->rmessage,
+ 					DNS_SECTION_AUTHORITY, &name);
+-		external = !dns_name_issubdomain(name, &fctx->domain);
+ 
+-		if (!external) {
+		if (!name_external(name, dns_rdatatype_ns, fctx)) {
+ 			dns_rdataset_t *rdataset = NULL;
+ 
+ 			/*
+@@ -9476,7 +9591,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
+ 		}
+ 
+ 		if (!dns_name_issubdomain(name, &fctx->domain)) {
+-			/* Invalid name found; preserve it for logging later */
+			/*
+			 * Invalid name found; preserve it for logging
+			 * later.
+			 */
+ 			rctx->found_name = name;
+ 			rctx->found_type = ISC_LIST_HEAD(name->list)->type;
+ 			continue;
--- a/bind.spec
+++ b/bind.spec
@ -30,7 +30,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  2
+Release:  3
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -80,6 +80,7 @@ Patch157:bind-9.11-fips-tests.patch
 Patch164:bind-9.11-rh1666814.patch

 Patch6000: CVE-2022-0396.patch
+Patch6001: CVE-2021-25220.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -372,6 +373,7 @@ in HTML and PDF format.
 %patch164 -p1 -b .rh1666814

 %patch6000 -p1
+%patch6001 -p1

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1094,6 +1096,12 @@ fi;
 %endif

 %changelog
+* Wed Mar 30 2022 jiangheng<jiangheng12@huawei.com> - 9.16.23-3
+- Type:CVE
+- CVE:CVE-2021-25220
+- SUG:NA
+- DESC:fix CVE-2021-25220
+
 * Wed Mar 30 2022 jiangheng<jiangheng12@huawei.com> - 9.16.23-2
 - Type:CVE
 - CVE:CVE-2022-0396