packages/dhcp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-3341 CVE-2024-11187

Browse Source 
(cherry picked from commit 176ba23e8bc3044c9d8f9be90db6e8a7551f52e8)
This commit is contained in:
zhangpan 2025-03-20 11:47:56 +00:00 committed by openeuler-sync-bot
parent dd7c063dc1
commit 3ea9317885
3 changed files with 429 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
backport-0028-CVE-2023-3341.patch Normal file
View File

@ -0,0 +1,176 @@
From 820b0cceef0b67b041973da4041ea53d5e276363 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 20 Jun 2023 15:21:36 +1000
Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
Named and rndc do not need a lot of recursion so the depth is
set to 10.
Conflict: NA
Reference: https://downloads.isc.org/isc/bind9/9.16.44/patches/0001-CVE-2023-3341.patch
---
bind/bind-9.11.36/lib/isccc/cc.c | 40 ++++++++++++++-----
.../lib/isccc/include/isccc/result.h | 4 +-
bind/bind-9.11.36/lib/isccc/result.c | 5 ++-
3 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/bind/bind-9.11.36/lib/isccc/cc.c b/bind/bind-9.11.36/lib/isccc/cc.c
index e012685..e830054 100644
--- a/bind/bind-9.11.36/lib/isccc/cc.c
+++ b/bind/bind-9.11.36/lib/isccc/cc.c
@@ -53,6 +53,10 @@
#define MAX_TAGS 256
#define DUP_LIFETIME 900
+#ifndef ISCCC_MAXDEPTH
+#define ISCCC_MAXDEPTH \
+ 10 /* Big enough for rndc which just sends a string each way. */
+#endif
typedef isccc_sexpr_t *sexpr_ptr;
@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
static isc_result_t
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- uint32_t algorithm, isccc_sexpr_t **alistp);
+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
+list_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **listp);
static isc_result_t
-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+value_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **valuep) {
unsigned int msgtype;
uint32_t len;
isccc_sexpr_t *value;
isccc_region_t active;
isc_result_t result;
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
if (REGION_SIZE(*source) < 1 + 4)
return (ISC_R_UNEXPECTEDEND);
GET8(msgtype, source->rstart);
@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
} else
result = ISC_R_NOMEMORY;
} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
- result = table_fromwire(&active, NULL, 0, valuep);
+ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
else if (msgtype == ISCCC_CCMSGTYPE_LIST)
- result = list_fromwire(&active, valuep);
+ result = list_fromwire(&active, depth + 1, valuep);
else
result = ISCCC_R_SYNTAX;
@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
static isc_result_t
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- uint32_t algorithm, isccc_sexpr_t **alistp)
+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
{
char key[256];
uint32_t len;
@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
REQUIRE(alistp != NULL && *alistp == NULL);
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
checksum_rstart = NULL;
first_tag = true;
alist = isccc_alist_create();
@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
GET_MEM(key, len, source->rstart);
key[len] = '\0'; /* Ensure NUL termination. */
value = NULL;
- result = value_fromwire(source, &value);
+ result = value_fromwire(source, depth + 1, &value);
if (result != ISC_R_SUCCESS)
goto bad;
if (isccc_alist_define(alist, key, value) == NULL) {
@@ -661,14 +675,20 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
}
static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
+list_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **listp)
+{
isccc_sexpr_t *list, *value;
isc_result_t result;
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
list = NULL;
while (!REGION_EMPTY(*source)) {
value = NULL;
- result = value_fromwire(source, &value);
+ result = value_fromwire(source, depth + 1, &value);
if (result != ISC_R_SUCCESS) {
isccc_sexpr_free(&list);
return (result);
@@ -699,7 +719,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
if (version != 1)
return (ISCCC_R_UNKNOWNVERSION);
- return (table_fromwire(source, secret, algorithm, alistp));
+ return (table_fromwire(source, secret, algorithm, 0, alistp));
}
static isc_result_t
diff --git a/bind/bind-9.11.36/lib/isccc/include/isccc/result.h b/bind/bind-9.11.36/lib/isccc/include/isccc/result.h
index 6c79dd7..9e4fd7c 100644
--- a/bind/bind-9.11.36/lib/isccc/include/isccc/result.h
+++ b/bind/bind-9.11.36/lib/isccc/include/isccc/result.h
@@ -47,8 +47,10 @@
#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
/*% Duplicate */
#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
+/*% Maximum recursion depth */
+#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
-#define ISCCC_R_NRESULTS 6 /*%< Number of results */
+#define ISCCC_R_NRESULTS 7 /*%< Number of results */
ISC_LANG_BEGINDECLS
diff --git a/bind/bind-9.11.36/lib/isccc/result.c b/bind/bind-9.11.36/lib/isccc/result.c
index 8419bbb..60d76b5 100644
--- a/bind/bind-9.11.36/lib/isccc/result.c
+++ b/bind/bind-9.11.36/lib/isccc/result.c
@@ -40,7 +40,9 @@ static const char *text[ISCCC_R_NRESULTS] = {
"bad auth", /* 3 */
"expired", /* 4 */
"clock skew", /* 5 */
- "duplicate" /* 6 */
+ "duplicate", /* 6 */
+ "max depth" /* 7 */
+
};
static const char *ids[ISCCC_R_NRESULTS] = {
@@ -50,6 +52,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
"ISCCC_R_EXPIRED",
"ISCCC_R_CLOCKSKEW",
"ISCCC_R_DUPLICATE",
+ "ISCCC_R_MAXDEPTH"
};
#define ISCCC_RESULT_RESULTSET 2
--
2.43.0

244
backport-0029-CVE-2024-11187.patch Normal file
View File

@ -0,0 +1,244 @@
From fa7b7973e36056440dd688c7f312c89600d4f8cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 14 Nov 2024 10:37:29 +0100
Subject: [PATCH] Limit the additional processing for large RDATA sets
When answering queries, don't add data to the additional section if
the answer has more than 13 names in the RDATA. This limits the
number of lookups into the database(s) during a single client query,
reducing query processing load.
Also, don't append any additional data to type=ANY queries. The
answer to ANY is already big enough.
(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
Conflict:Context adaptation
Reference:https://downloads.isc.org/isc/bind9/9.18.33/patches/0001-CVE-2024-11187.patch
---
bind/bind-9.11.36/bin/named/query.c | 7 ++++---
.../bin/tests/system/additional/tests.sh | 2 +-
.../bin/tests/system/resolver/ns4/named.noaa | 5 -----
bind/bind-9.11.36/bin/tests/system/resolver/tests.sh | 8 ++++++++
bind/bind-9.11.36/lib/dns/include/dns/rdataset.h | 10 +++++++++-
bind/bind-9.11.36/lib/dns/rdataset.c | 8 +++++++-
bind/bind-9.11.36/lib/dns/resolver.c | 12 ++++++------
7 files changed, 35 insertions(+), 17 deletions(-)
delete mode 100644 bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
diff --git a/bind/bind-9.11.36/bin/named/query.c b/bind/bind-9.11.36/bin/named/query.c
index f109805..965d104 100644
--- a/bind/bind-9.11.36/bin/named/query.c
+++ b/bind/bind-9.11.36/bin/named/query.c
@@ -1827,7 +1827,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
*/
eresult = dns_rdataset_additionaldata(trdataset,
query_addadditional,
- client);
+ client, DNS_RDATASET_MAXADDITIONAL);
}
cleanup:
@@ -2433,7 +2433,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
additionalctx.client = client;
additionalctx.rdataset = rdataset;
(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
- &additionalctx);
+ &additionalctx, DNS_RDATASET_MAXADDITIONAL);
CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
}
@@ -2770,7 +2770,8 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
* To the current response for 'client', add the answer RRset
* '*rdatasetp' and an optional signature set '*sigrdatasetp', with
* owner name '*namep', to section 'section', unless they are
- * already there. Also add any pertinent additional data.
+ * already there. Also add any pertinent additional data, unless
+ * the query was for type ANY.
*
* If 'dbuf' is not NULL, then '*namep' is the name whose data is
* stored in 'dbuf'. In this case, query_addrrset() guarantees that
diff --git a/bind/bind-9.11.36/bin/tests/system/additional/tests.sh b/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
index 6400723..c82f85d 100644
--- a/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
+++ b/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
@@ -261,7 +261,7 @@ n=`expr $n + 1`
echo_i "testing with 'minimal-any no;' ($n)"
ret=0
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
+grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=`expr status + 1`
fi
diff --git a/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa b/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
deleted file mode 100644
index 3b121ad..0000000
--- a/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
+++ /dev/null
@@ -1,5 +0,0 @@
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
-
-Add -T noaa.
diff --git a/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh b/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
index 6eb52fe..bf37467 100755
--- a/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
+++ b/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
@@ -281,6 +281,10 @@ done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+stop_server ns4
+touch ns4/named.noaa
+start_server --noclean --restart --port ${PORT} ns4 || ret=1
+
n=`expr $n + 1`
echo_i "RT21594 regression test check setup ($n)"
ret=0
@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+stop_server ns4
+rm ns4/named.noaa
+start_server --noclean --restart --port ${PORT} ns4 || ret=1
+
n=`expr $n + 1`
echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
ret=0
diff --git a/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h b/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
index ed9119a..a446673 100644
--- a/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
+++ b/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
@@ -53,6 +53,8 @@
#include <dns/types.h>
#include <dns/rdatastruct.h>
+#define DNS_RDATASET_MAXADDITIONAL 13
+
ISC_LANG_BEGINDECLS
typedef enum {
@@ -471,7 +473,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
isc_result_t
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
- dns_additionaldatafunc_t add, void *arg);
+ dns_additionaldatafunc_t add, void *arg,
+ size_t limit);
/*%<
* For each rdata in rdataset, call 'add' for each name and type in the
* rdata which is subject to additional section processing.
@@ -490,10 +493,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
*\li If a call to dns_rdata_additionaldata() is not successful, the
* result returned will be the result of dns_rdataset_additionaldata().
*
+ *\li If 'limit' is non-zero and the number of the rdatasets is larger
+ * than 'limit', no additional data will be processed.
+ *
* Returns:
*
*\li #ISC_R_SUCCESS
*
+ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
+ *
*\li Any error that dns_rdata_additionaldata() can return.
*/
diff --git a/bind/bind-9.11.36/lib/dns/rdataset.c b/bind/bind-9.11.36/lib/dns/rdataset.c
index b42dea5..370ff09 100644
--- a/bind/bind-9.11.36/lib/dns/rdataset.c
+++ b/bind/bind-9.11.36/lib/dns/rdataset.c
@@ -28,6 +28,7 @@
#include <dns/ncache.h>
#include <dns/rdata.h>
#include <dns/rdataset.h>
+#include <dns/result.h>
static const char *trustnames[] = {
"none",
@@ -607,7 +608,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
isc_result_t
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
- dns_additionaldatafunc_t add, void *arg)
+ dns_additionaldatafunc_t add, void *arg,
+ size_t limit)
{
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
@@ -620,6 +622,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
REQUIRE(DNS_RDATASET_VALID(rdataset));
REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+ return DNS_R_TOOMANYRECORDS;
+ }
+
result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS)
return (result);
diff --git a/bind/bind-9.11.36/lib/dns/resolver.c b/bind/bind-9.11.36/lib/dns/resolver.c
index 4afd2af..d58cddb 100644
--- a/bind/bind-9.11.36/lib/dns/resolver.c
+++ b/bind/bind-9.11.36/lib/dns/resolver.c
@@ -6462,7 +6462,7 @@ chase_additional(fetchctx_t *fctx, dns_message_t *rmessage) {
rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
(void)dns_rdataset_additionaldata(rdataset,
check_related,
- &chkarg);
+ &chkarg, 0);
rescan = true;
}
}
@@ -7097,7 +7097,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
chkarg.fctx = fctx;
chkarg.rmessage = message;
(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
- &chkarg);
+ &chkarg, 0);
#if CHECK_FOR_GLUE_IN_ANSWER
/*
* Look in the answer section for "glue" that is incorrectly
@@ -7113,7 +7113,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
chkarg.fcx = fctx;
chkarg.rmessage = message;
(void)dns_rdataset_additionaldata(ns_rdataset,
- check_answer, &chkarg);
+ check_answer, &chkarg, 0);
}
#endif
FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
@@ -7355,7 +7355,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
chkarg.rmessage = message;
(void)dns_rdataset_additionaldata(rdataset,
check_related,
- &chkarg);
+ &chkarg, 0);
}
} else if (aname != NULL) {
dns_chkarg_t chkarg;
@@ -7383,7 +7383,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
chkarg.fctx = fctx;
chkarg.rmessage = message;
(void)dns_rdataset_additionaldata(ardataset, check_related,
- &chkarg);
+ &chkarg, 0);
for (sigrdataset = ISC_LIST_HEAD(aname->list);
sigrdataset != NULL;
sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
@@ -7546,7 +7546,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
(void)dns_rdataset_additionaldata(
rdataset,
check_related,
- &chkarg);
+ &chkarg, 0);
done = true;
}
}
--
2.43.0

10
dhcp.spec
View File

@ -3,7 +3,7 @@
Name: dhcp
Version: 4.4.3
Release: 9
Release: 10
Summary: Dynamic host configuration protocol software
#Please don't change the epoch on this package
Epoch: 12
@ -69,6 +69,8 @@ Patch50: backport-0001-CVE-2024-1737.patch
Patch51: backport-0002-CVE-2024-1737.patch
Patch52: backport-0003-CVE-2024-1737.patch
Patch53: backport-0004-CVE-2024-1737.patch
Patch54: backport-0028-CVE-2023-3341.patch
Patch55: backport-0029-CVE-2024-11187.patch
BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel
BuildRequires: systemd systemd-devel
@ -317,6 +319,12 @@ exit 0
%{_mandir}/man3/omapi.3.gz
%changelog
* Thu Mar 20 2025 zhangpan <zhangpan103@h-partners.com> - 12:4.4.3-10
- Type:CVE
- ID:NA
- SUG:restart
- DESC:fix CVE-2023-3341 CVE-2024-11187
* Mon Nov 11 2024 huyizhen <huyizhen2@huawei.com> - 12:4.4.3-9
- Type:CVE
- ID:NA