fix CVE-2022-2795,CVE-2022-38177 and CVE-2022-38178

backport-CVE-2022-2795.patch

@@ -0,0 +1,39 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0001-CVE-2022-2795.patch
+
+diff --git a/bind/bind-9.11.36/lib/dns/resolver.c b/bind/bind-9.11.36/lib/dns/resolver.c
+index d2cf14bbc8b..73a0ee9f779 100644
+--- a/bind/bind-9.11.36/lib/dns/resolver.c
++++ b/bind/bind-9.11.36/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 	bool need_alternate = false;
+ 	bool all_spilled = true;
+ 	unsigned int no_addresses = 0;
++	unsigned int ns_processed = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3902,6 +3909,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdata_freestruct(&ns);
++
++		if (++ns_processed >= NS_PROCESSING_LIMIT) {
++			result = ISC_R_NOMORE;
++			break;
++		}
+ 	}
+ 	if (result != ISC_R_NOMORE) {
+ 		return (result);

backport-CVE-2022-38177.patch

@@ -0,0 +1,21 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0003-CVE-2022-38177.patch
+---
+ bind/bind-9.11.36/lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c b/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
+index 83b5b51..7576e04 100644
+--- a/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
++++ b/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ECDSA384SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ 		DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+2.33.0
+

backport-CVE-2022-38178.patch

@@ -0,0 +1,21 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0004-CVE-2022-38178.patch
+---
+ bind/bind-9.11.36/lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bind/bind-9.11.36/lib/dns/openssleddsa_link.c b/bind/bind-9.11.36/lib/dns/openssleddsa_link.c
+index 8b115ec..4f3c2a8 100644
+--- a/bind/bind-9.11.36/lib/dns/openssleddsa_link.c
++++ b/bind/bind-9.11.36/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ED448SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	isc_buffer_usedregion(buf, &tbsreg);
+ 
+-- 
+2.33.0
+

dhcp.spec

@@ -3,7 +3,7 @@
 
 Name:      dhcp
 Version:   4.4.3
-Release:   2
+Release:   3
 Summary:   Dynamic host configuration protocol software
 #Please don't change the epoch on this package
 Epoch:     12
@@ -59,6 +59,9 @@ Patch38: backport-Fix-CVE-2021-25220.patch
 Patch39: backport-Fix-CVE-2022-2928.patch
 Patch40: backport-Fix-CVE-2022-2929.patch
 Patch41: Revert-correcting-the-logic-in-dhclient.patch
+Patch42: backport-CVE-2022-2795.patch
+Patch43: backport-CVE-2022-38177.patch
+Patch44: backport-CVE-2022-38178.patch
 
 BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel
 BuildRequires: systemd systemd-devel
@@ -307,6 +310,12 @@ exit 0
 %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Thu Jan 4 2024 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-3
+- Type:CVE
+- ID:CVE-2022-2795,CVE-2022-38177,CVE-2022-38178
+- SUG:restart
+- DESC:fix CVE-2022-2795,CVE-2022-38177 and CVE-2022-38178
+
 * Thu Jun 29 2023 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-2
 - Type:bugfix
 - ID: