!127 [sync] PR-123: [Backport] fix CVE-2024-1975 CVE-2024-1737

From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

backport-0001-CVE-2024-1737.patch

@@ -0,0 +1,94 @@
+From fdabf4b9570a60688f9f7d1e88d885f7a3718bca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Fri, 1 Mar 2024 08:26:07 +0100
+Subject: [PATCH 1/3] Add a limit to the number of RRs in RRSets
+ 
+Previously, the number of RRs in the RRSets were internally unlimited.
+As the data structure that holds the RRs is just a linked list, and
+there are places where we just walk through all of the RRs, adding an
+RRSet with huge number of RRs inside would slow down processing of said
+RRSets.
+ 
+The fix for end-of-life branches make the limit compile-time only for
+simplicity and the limit can be changed at the compile time by adding
+following define to CFLAGS:
+ 
+    -DDNS_RDATASET_MAX_RECORDS=<limit>
+ 
+(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
+ 
+---
+ bind/bind-9.11.36/configure           |  2 +-
+ bind/bind-9.11.36/configure.ac        |  2 +-
+ bind/bind-9.11.36/lib/dns/rdataslab.c | 12 ++++++++++++
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+ 
+diff --git a/bind/bind-9.11.36/configure b/bind/bind-9.11.36/configure
+index 368112f..736ff49 100755
+--- a/bind/bind-9.11.36/configure
++++ b/bind/bind-9.11.36/configure
+@@ -12185,7 +12185,7 @@ fi
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.36/configure.ac b/bind/bind-9.11.36/configure.ac
+index 030c4d7..cc36b6c 100644
+--- a/bind/bind-9.11.36/configure.ac
++++ b/bind/bind-9.11.36/configure.ac
+@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.36/lib/dns/rdataslab.c b/bind/bind-9.11.36/lib/dns/rdataslab.c
+index b0f77b1..347b7d2 100644
+--- a/bind/bind-9.11.36/lib/dns/rdataslab.c
++++ b/bind/bind-9.11.36/lib/dns/rdataslab.c
+@@ -115,6 +115,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+ }
+ #endif
+ 
++#ifndef DNS_RDATASET_MAX_RECORDS
++#define DNS_RDATASET_MAX_RECORDS 100
++#endif /* DNS_RDATASET_MAX_RECORDS */
++
+ isc_result_t
+ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ 			   isc_region_t *region, unsigned int reservelen)
+@@ -161,6 +165,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ 		return (ISC_R_SUCCESS);
+ 	}
+ 
++	if (nitems > DNS_RDATASET_MAX_RECORDS) {
++		return (DNS_R_TOOMANYRECORDS);
++	}
++
+ 	if (nitems > 0xffff)
+ 		return (ISC_R_NOSPACE);
+ 
+@@ -654,6 +662,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+ #endif
+ 	INSIST(ocount > 0 && ncount > 0);
+ 
++	if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
++		return (DNS_R_TOOMANYRECORDS);
++	}
++
+ #if DNS_RDATASET_FIXED
+ 	oncount = ncount;
+ #endif
+-- 
+2.33.0
+

backport-0002-CVE-2024-1737.patch

@@ -0,0 +1,125 @@
+From dfcadc2085c8844b5836aff2b5ea51fb60c34868 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Wed, 29 May 2024 08:43:39 +0200
+Subject: [PATCH 2/3] Add a limit to the number of RR types for single name
+ 
+Previously, the number of RR types for a single owner name was limited
+only by the maximum number of the types (64k).  As the data structure
+that holds the RR types for the database node is just a linked list, and
+there are places where we just walk through the whole list (again and
+again), adding a large number of RR types for a single owner named with
+would slow down processing of such name (database node).
+ 
+Add a hard-coded limit (100) to cap the number of the RR types for a single
+owner.  The limit can be changed at the compile time by adding following
+define to CFLAGS:
+ 
+    -DDNS_RBTDB_MAX_RTYPES=<limit>
+ 
+Conflict:Context Adaptation
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
+ 
+---
+ bind/bind-9.11.36/configure       |  2 +-
+ bind/bind-9.11.36/configure.ac    |  2 +-
+ bind/bind-9.11.36/lib/dns/rbtdb.c | 17 +++++++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+ 
+diff --git a/bind/bind-9.11.36/configure b/bind/bind-9.11.36/configure
+index 736ff49..8e881e3 100755
+--- a/bind/bind-9.11.36/configure
++++ b/bind/bind-9.11.36/configure
+@@ -12185,7 +12185,7 @@ fi
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.36/configure.ac b/bind/bind-9.11.36/configure.ac
+index cc36b6c..0eab441 100644
+--- a/bind/bind-9.11.36/configure.ac
++++ b/bind/bind-9.11.36/configure.ac
+@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
+index 3d76ca1..0cfef36 100644
+--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
+@@ -6190,6 +6190,10 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
+ 	RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+ }
+ 
++#ifndef DNS_RBTDB_MAX_RTYPES
++#define DNS_RBTDB_MAX_RTYPES 100
++#endif /* DNS_RBTDB_MAX_RTYPES */
++
+ /*
+  * write lock on rbtnode must be held.
+  */
+@@ -6210,6 +6214,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 	rbtdb_rdatatype_t negtype, sigtype;
+ 	dns_trust_t trust;
+ 	int idx;
++	uint32_t ntypes;
+ 
+ 	/*
+ 	 * Add an rdatasetheader_t to a node.
+@@ -6272,6 +6277,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 					set_ttl(rbtdb, topheader, 0);
+ 					mark_stale_header(rbtdb, topheader);
+ 				}
++				ntypes = 0;
+ 				goto find_header;
+ 			}
+ 			/*
+@@ -6293,9 +6299,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			 * check for an extant non-stale NODATA ncache
+ 			 * entry which covers the same type as the RRSIG.
+ 			 */
++			ntypes = 0;
+ 			for (topheader = rbtnode->data;
+ 			     topheader != NULL;
+ 			     topheader = topheader->next) {
++				ntypes++;
+ 				if ((topheader->type ==
+ 					RBTDB_RDATATYPE_NCACHEANY) ||
+ 					(newheader->type == sigtype &&
+@@ -6339,9 +6347,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 		}
+ 	}
+ 
++	ntypes = 0;
+ 	for (topheader = rbtnode->data;
+ 	     topheader != NULL;
+ 	     topheader = topheader->next) {
++		ntypes++;
+ 		if (prio_type(topheader->type)) {
+ 			prioheader = topheader;
+ 		}
+@@ -6700,6 +6710,13 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			/*
+ 			 * No rdatasets of the given type exist at the node.
+ 			 */
++
++			if (ntypes > DNS_RBTDB_MAX_RTYPES) {
++				free_rdataset(rbtdb, rbtdb->common.mctx,
++					      newheader);
++				return (ISC_R_QUOTA);
++			}
++
+ 			newheader->down = NULL;
+ 
+ 			if (prio_type(newheader->type)) {
+-- 
+2.33.0
+

backport-0003-CVE-2024-1737.patch

@@ -0,0 +1,52 @@
+From b27c6bcce894786a8e082eafd59eccbf6f2731cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Mon, 17 Jun 2024 11:40:40 +0200
+Subject: [PATCH] Expand the list of the priority types and move it to db_p.h
+ 
+Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
+the priority types that are put at the beginning of the slabheader list
+for faster access and to avoid eviction when there are more types than
+the max-types-per-name limit.
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/b27c6bcce894786a8e082eafd59eccbf6f2731cb
+ 
+---
+ bind/bind-9.11.36/lib/dns/rbtdb.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+ 
+diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
+index 0cfef36..0aed13c 100644
+--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
+@@ -1171,6 +1171,8 @@ prio_type(rbtdb_rdatatype_t type) {
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
+ 	case dns_rdatatype_a:
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
++	case dns_rdatatype_mx:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
+ 	case dns_rdatatype_aaaa:
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
+ 	case dns_rdatatype_nsec:
+@@ -1183,6 +1185,18 @@ prio_type(rbtdb_rdatatype_t type) {
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
+ 	case dns_rdatatype_cname:
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
++	case dns_rdatatype_dname:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
++	case dns_rdatatype_dnskey:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
++	case dns_rdatatype_srv:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
++	case dns_rdatatype_txt:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
++	case dns_rdatatype_ptr:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
++	case dns_rdatatype_naptr:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
+ 		return (true);
+ 	}
+ 	return (false);
+-- 
+2.33.0
+

backport-0004-CVE-2024-1737.patch

@@ -0,0 +1,185 @@
+From 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120 Mon Sep 17 00:00:00 2001
+From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
+Date: Mon, 17 Jun 2024 11:40:40 +0200
+Subject: Be smarter about refusing to add many RR types to the database
+ 
+Instead of outright refusing to add new RR types to the cache, be a bit
+smarter:
+ 
+1. If the new header type is in our priority list, we always add either
+   positive or negative entry at the beginning of the list.
+ 
+2. If the new header type is negative entry, and we are over the limit,
+   we mark it as ancient immediately, so it gets evicted from the cache
+   as soon as possible.
+ 
+3. Otherwise add the new header after the priority headers (or at the
+   head of the list).
+ 
+4. If we are over the limit, evict the last entry on the normal header
+   list.
+ 
+(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/57cd34441a1b4ecc9874a4a106c2c95b8d7a3120
+ 
+---
+ bind/bind-9.11.36/lib/dns/rbtdb.c | 71 +++++++++++++++++++++++++------
+ 1 file changed, 59 insertions(+), 12 deletions(-)
+ 
+diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
+index 0aed13c..d2c4097 100644
+--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
+@@ -6208,6 +6208,26 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
+ #define DNS_RBTDB_MAX_RTYPES 100
+ #endif /* DNS_RBTDB_MAX_RTYPES */
+ 
++static bool
++overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
++	UNUSED(rbtdb);
++
++	if (DNS_RBTDB_MAX_RTYPES == 0) {
++		return (false);
++	}
++
++	return (ntypes >= DNS_RBTDB_MAX_RTYPES);
++}
++
++static bool
++prio_header(rdatasetheader_t *header) {
++	if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
++		return (true);
++	}
++
++	return (prio_type(header->type));
++}
++
+ /*
+  * write lock on rbtnode must be held.
+  */
+@@ -6218,7 +6238,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ {
+ 	rbtdb_changed_t *changed = NULL;
+ 	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
+-	rdatasetheader_t *prioheader = NULL;
++	rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
+ 	unsigned char *merged;
+ 	isc_result_t result;
+ 	bool header_nx;
+@@ -6228,7 +6248,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 	rbtdb_rdatatype_t negtype, sigtype;
+ 	dns_trust_t trust;
+ 	int idx;
+-	uint32_t ntypes;
++	uint32_t ntypes = 0;
+ 
+ 	/*
+ 	 * Add an rdatasetheader_t to a node.
+@@ -6291,7 +6311,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 					set_ttl(rbtdb, topheader, 0);
+ 					mark_stale_header(rbtdb, topheader);
+ 				}
+-				ntypes = 0;
+ 				goto find_header;
+ 			}
+ 			/*
+@@ -6301,8 +6320,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			for (topheader = rbtnode->data;
+ 			     topheader != NULL;
+ 			     topheader = topheader->next)
+-				if (topheader->type == sigtype)
++				if (topheader->type == sigtype) {
+ 					sigheader = topheader;
++					break;
++				}
+ 			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+ 		} else {
+ 			/*
+@@ -6313,11 +6334,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			 * check for an extant non-stale NODATA ncache
+ 			 * entry which covers the same type as the RRSIG.
+ 			 */
+-			ntypes = 0;
+ 			for (topheader = rbtnode->data;
+ 			     topheader != NULL;
+ 			     topheader = topheader->next) {
+-				ntypes++;
+ 				if ((topheader->type ==
+ 					RBTDB_RDATATYPE_NCACHEANY) ||
+ 					(newheader->type == sigtype &&
+@@ -6361,12 +6380,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 		}
+ 	}
+ 
+-	ntypes = 0;
+ 	for (topheader = rbtnode->data;
+ 	     topheader != NULL;
+ 	     topheader = topheader->next) {
+-		ntypes++;
+-		if (prio_type(topheader->type)) {
++		if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
++			++ntypes;
++			expireheader = topheader;
++		} else if (!IS_CACHE(rbtdb)) {
++			++ntypes;
++		}
++		if (prio_header(topheader)) {
+ 			prioheader = topheader;
+ 		}
+ 		if (topheader->type == newheader->type ||
+@@ -6724,8 +6747,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			/*
+ 			 * No rdatasets of the given type exist at the node.
+ 			 */
+-
+-			if (ntypes > DNS_RBTDB_MAX_RTYPES) {
++			if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
+ 				free_rdataset(rbtdb, rbtdb->common.mctx,
+ 					      newheader);
+ 				return (ISC_R_QUOTA);
+@@ -6733,7 +6755,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 
+ 			newheader->down = NULL;
+ 
+-			if (prio_type(newheader->type)) {
++			if (prio_header(newheader)) {
+ 				/* This is a priority type, prepend it */
+ 				newheader->next = rbtnode->data;
+ 				rbtnode->data = newheader;
+@@ -6746,6 +6768,31 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 				newheader->next = rbtnode->data;
+ 				rbtnode->data = newheader;
+ 			}
++
++			if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
++				if (expireheader == NULL) {
++					expireheader = newheader;
++				}
++				if (NEGATIVE(newheader) &&
++				    !prio_header(newheader))
++				{
++					/*
++					 * Add the new non-priority negative
++					 * header to the database only
++					 * temporarily.
++					 */
++					expireheader = newheader;
++				}
++
++				set_ttl(rbtdb, expireheader, 0);
++				mark_stale_header(rbtdb, expireheader);
++				/*
++				 * FIXME: In theory, we should mark the RRSIG
++				 * and the header at the same time, but there is
++				 * no direct link between those two header, so
++				 * we would have to check the whole list again.
++				 */
++			}
+ 		}
+ 	}
+ 
+-- 
+2.33.0
+

backport-CVE-2024-1975.patch

@@ -0,0 +1,240 @@
+From bef3d2cca3552100bbe44790c8c1a4f5bef06798 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
+Date: Thu, 16 May 2024 12:10:41 +0200
+Subject: [PATCH] Remove support for SIG(0) message verification
+ 
+Conflict:Case adaptation and some documents are not incorporated.
+Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0003-CVE-2024-1975.patch
+ 
+---
+ bind/bind-9.11.36/bin/named/client.c          |  7 ++
+ .../bin/tests/system/tsiggss/authsock.pl      |  5 +
+ .../bin/tests/system/tsiggss/tests.sh         | 12 ++-
+ .../bin/tests/system/upforwd/tests.sh         |  9 +-
+ bind/bind-9.11.36/lib/dns/message.c           | 92 ++-----------------
+ 5 files changed, 32 insertions(+), 93 deletions(-)
+ 
+diff --git a/bind/bind-9.11.36/bin/named/client.c b/bind/bind-9.11.36/bin/named/client.c
+index 15fcfcd..95bf8e6 100644
+--- a/bind/bind-9.11.36/bin/named/client.c
++++ b/bind/bind-9.11.36/bin/named/client.c
+@@ -3012,6 +3012,13 @@ client_request(isc_task_t *task, isc_event_t *event) {
+ 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ 			      "request is signed by a nonauthoritative key");
++	} else if (result == DNS_R_NOTVERIFIEDYET &&
++		   client->message->sig0 != NULL)
++	{
++		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
++			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
++			      "request has a SIG(0) signature but its support "
++			      "was removed (CVE-2024-1975)");
+ 	} else {
+ 		char tsigrcode[64];
+ 		isc_buffer_t b;
+diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
+index ab3833d..0b231ee 100644
+--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
++++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
+@@ -31,6 +31,10 @@ if (!defined($path)) {
+ 	exit(1);
+ }
+ 
++# Enable output autoflush so that it's not lost when the parent sends TERM.
++select STDOUT;
++$| = 1;
++
+ unlink($path);
+ my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
+     die "unable to create socket $path";
+@@ -53,6 +57,7 @@ if ($timeout != 0) {
+ }
+ 
+ while (my $client = $server->accept()) {
++	printf("accept()\n");
+ 	$client->recv(my $buf, 8, 0);
+ 	my ($version, $req_len) = unpack('N N', $buf);
+ 
+diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
+index 456ce61..fcd3b1f 100644
+--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
++++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
+@@ -116,7 +116,7 @@ status=$((status+ret))
+ 
+ echo_i "testing external update policy (CNAME) with auth sock ($n)"
+ ret=0
+-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
++$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > authsock.log 2>&1 &
+ sleep 1
+ test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
+ n=$((n+1))
+@@ -130,17 +130,19 @@ n=$((n+1))
+ if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ 
+-echo_i "testing external policy with SIG(0) key ($n)"
++echo_i "testing external policy with unsupported SIG(0) key ($n)"
+ ret=0
+-$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
++$NSUPDATE -R $RANDFILE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
++debug
+ server 10.53.0.1 ${PORT}
+ zone example.nil
+ update add fred.example.nil 120 cname foo.bar.
+ send
+ END
+ output=`$DIG $DIGOPTS +short cname fred.example.nil.`
+-[ -n "$output" ] || ret=1
+-[ $ret -eq 0 ] || echo_i "failed"
++# update must have failed - SIG(0) signer is not supported
++[ -n "$output" ] && ret=1
++grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
+ n=$((n+1))
+ if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+diff --git a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
+index 1cf8d3b..19563a1 100644
+--- a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
++++ b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
+@@ -177,18 +177,21 @@ n=`expr $n + 1`
+ 
+ if test -f keyname
+ then
+-	echo_i "checking update forwarding to with sig0 ($n)"
++	echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
+ 	ret=0
+ 	keyname=`cat keyname`
+-	$NSUPDATE -k $keyname.private -- - <<EOF
++        # SIG(0) is removed, update is expected to fail.
++        {
++        $NSUPDATE -k $keyname.private -- - <<EOF
+ 	server 10.53.0.3 ${PORT}
+ 	zone example2
+ 	update add unsigned.example2. 600 A 10.10.10.1
+ 	update add unsigned.example2. 600 TXT Foo
+ 	send
+ EOF
++        } >nsupdate.out.$n 2>&1 && ret=1
+ 	$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
+-	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
++	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null && ret=1
+ 	if [ $ret != 0 ] ; then echo_i "failed"; fi
+ 	status=`expr $status + $ret`
+ 	n=`expr $n + 1`
+diff --git a/bind/bind-9.11.36/lib/dns/message.c b/bind/bind-9.11.36/lib/dns/message.c
+index 2812ab5..0c71f79 100644
+--- a/bind/bind-9.11.36/lib/dns/message.c
++++ b/bind/bind-9.11.36/lib/dns/message.c
+@@ -3214,102 +3214,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
+ 
+ isc_result_t
+ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
+-	isc_buffer_t b, msgb;
++	isc_buffer_t msgb;
+ 
+ 	REQUIRE(DNS_MESSAGE_VALID(msg));
+ 
+-	if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
++	if (msg->tsigkey == NULL && msg->tsig == NULL) {
+ 		return (ISC_R_SUCCESS);
++	}
+ 
+ 	INSIST(msg->saved.base != NULL);
+ 	isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
+ 	isc_buffer_add(&msgb, msg->saved.length);
+-	if (msg->tsigkey != NULL || msg->tsig != NULL) {
+ #ifdef SKAN_MSG_DEBUG
+-		dns_message_dumpsig(msg, "dns_message_checksig#1");
++	dns_message_dumpsig(msg, "dns_message_checksig#1");
+ #endif
+-		if (view != NULL)
+-			return (dns_view_checksig(view, &msgb, msg));
+-		else
+-			return (dns_tsig_verify(&msgb, msg, NULL, NULL));
++	if (view != NULL) {
++		return (dns_view_checksig(view, &msgb, msg));
+ 	} else {
+-		dns_rdata_t rdata = DNS_RDATA_INIT;
+-		dns_rdata_sig_t sig;
+-		dns_rdataset_t keyset;
+-		isc_result_t result;
+-
+-		result = dns_rdataset_first(msg->sig0);
+-		INSIST(result == ISC_R_SUCCESS);
+-		dns_rdataset_current(msg->sig0, &rdata);
+-
+-		/*
+-		 * This can occur when the message is a dynamic update, since
+-		 * the rdata length checking is relaxed.  This should not
+-		 * happen in a well-formed message, since the SIG(0) is only
+-		 * looked for in the additional section, and the dynamic update
+-		 * meta-records are in the prerequisite and update sections.
+-		 */
+-		if (rdata.length == 0)
+-			return (ISC_R_UNEXPECTEDEND);
+-
+-		result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
+-		if (result != ISC_R_SUCCESS)
+-			return (result);
+-
+-		dns_rdataset_init(&keyset);
+-		if (view == NULL)
+-			return (DNS_R_KEYUNAUTHORIZED);
+-		result = dns_view_simplefind(view, &sig.signer,
+-					     dns_rdatatype_key /* SIG(0) */,
+-					     0, 0, false, &keyset, NULL);
+-
+-		if (result != ISC_R_SUCCESS) {
+-			/* XXXBEW Should possibly create a fetch here */
+-			result = DNS_R_KEYUNAUTHORIZED;
+-			goto freesig;
+-		} else if (keyset.trust < dns_trust_secure) {
+-			/* XXXBEW Should call a validator here */
+-			result = DNS_R_KEYUNAUTHORIZED;
+-			goto freesig;
+-		}
+-		result = dns_rdataset_first(&keyset);
+-		INSIST(result == ISC_R_SUCCESS);
+-		for (;
+-		     result == ISC_R_SUCCESS;
+-		     result = dns_rdataset_next(&keyset))
+-		{
+-			dst_key_t *key = NULL;
+-
+-			dns_rdata_reset(&rdata);
+-			dns_rdataset_current(&keyset, &rdata);
+-			isc_buffer_init(&b, rdata.data, rdata.length);
+-			isc_buffer_add(&b, rdata.length);
+-
+-			result = dst_key_fromdns(&sig.signer, rdata.rdclass,
+-						 &b, view->mctx, &key);
+-			if (result != ISC_R_SUCCESS)
+-				continue;
+-			if (dst_key_alg(key) != sig.algorithm ||
+-			    dst_key_id(key) != sig.keyid ||
+-			    !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
+-			      dst_key_proto(key) == DNS_KEYPROTO_ANY))
+-			{
+-				dst_key_free(&key);
+-				continue;
+-			}
+-			result = dns_dnssec_verifymessage(&msgb, msg, key);
+-			dst_key_free(&key);
+-			if (result == ISC_R_SUCCESS)
+-				break;
+-		}
+-		if (result == ISC_R_NOMORE)
+-			result = DNS_R_KEYUNAUTHORIZED;
+-
+- freesig:
+-		if (dns_rdataset_isassociated(&keyset))
+-			dns_rdataset_disassociate(&keyset);
+-		dns_rdata_freestruct(&sig);
+-		return (result);
++		return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+ 	}
+ }
+ 
+-- 
+2.33.0
+

backport-optimize-the-slabheader-placement-for-certain-RRtype.patch

@@ -0,0 +1,98 @@
+From 8ef414a7f38a04cfc11df44adaedaf3126fa3878 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Mon, 29 Jan 2024 16:36:30 +0100
+Subject: [PATCH] Optimize the slabheader placement for certain RRTypes
+ 
+Mark the infrastructure RRTypes as "priority" types and place them at
+the beginning of the rdataslab header data graph.  The non-priority
+types either go right after the priority types (if any).
+ 
+(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/8ef414a7f38a04cfc11df44adaedaf3126fa3878
+ 
+---
+ bind/bind-9.11.36/lib/dns/rbtdb.c | 44 +++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+ 
+diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
+index 3ee1876..3d76ca1 100644
+--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
+@@ -1164,6 +1164,30 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
+ 		isc_heap_decreased(heap, header->heap_index);
+ }
+ 
++static bool
++prio_type(rbtdb_rdatatype_t type) {
++	switch (type) {
++	case dns_rdatatype_soa:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
++	case dns_rdatatype_a:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
++	case dns_rdatatype_aaaa:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
++	case dns_rdatatype_nsec:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
++	case dns_rdatatype_nsec3:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
++	case dns_rdatatype_ns:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
++	case dns_rdatatype_ds:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
++	case dns_rdatatype_cname:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
++		return (true);
++	}
++	return (false);
++}
++
+ /*%
+  * These functions allow the heap code to rank the priority of each
+  * element.  It returns true if v1 happens "sooner" than v2.
+@@ -6176,6 +6200,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ {
+ 	rbtdb_changed_t *changed = NULL;
+ 	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
++	rdatasetheader_t *prioheader = NULL;
+ 	unsigned char *merged;
+ 	isc_result_t result;
+ 	bool header_nx;
+@@ -6317,6 +6342,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 	for (topheader = rbtnode->data;
+ 	     topheader != NULL;
+ 	     topheader = topheader->next) {
++		if (prio_type(topheader->type)) {
++			prioheader = topheader;
++		}
+ 		if (topheader->type == newheader->type ||
+ 		    topheader->type == negtype)
+ 			break;
+@@ -6672,9 +6700,21 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			/*
+ 			 * No rdatasets of the given type exist at the node.
+ 			 */
+-			newheader->next = rbtnode->data;
+ 			newheader->down = NULL;
+-			rbtnode->data = newheader;
++
++			if (prio_type(newheader->type)) {
++				/* This is a priority type, prepend it */
++				newheader->next = rbtnode->data;
++				rbtnode->data = newheader;
++			} else if (prioheader != NULL) {
++				/* Append after the priority headers */
++				newheader->next = prioheader->next;
++				prioheader->next = newheader;
++			} else {
++				/* There were no priority headers */
++				newheader->next = rbtnode->data;
++				rbtnode->data = newheader;
++			}
+ 		}
+ 	}
+ 
+-- 
+2.33.0
+ 

dhcp.spec

@@ -3,7 +3,7 @@
 
 Name:      dhcp
 Version:   4.4.3
-Release:   8
+Release:   9
 Summary:   Dynamic host configuration protocol software
 #Please don't change the epoch on this package
 Epoch:     12
@@ -63,6 +63,12 @@ Patch44: backport-CVE-2022-38178.patch
 Patch45: IAID-is-output-has-hexe-if-it-contains-or.patch
 Patch46: support-for-building-with-clang.patch
 Patch47: bugfix-cancel-rebind6-timer-after-ipv6-expire.patch
+Patch48: backport-CVE-2024-1975.patch
+Patch49: backport-optimize-the-slabheader-placement-for-certain-RRtype.patch
+Patch50: backport-0001-CVE-2024-1737.patch
+Patch51: backport-0002-CVE-2024-1737.patch
+Patch52: backport-0003-CVE-2024-1737.patch
+Patch53: backport-0004-CVE-2024-1737.patch
 
 BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel
 BuildRequires: systemd systemd-devel
@@ -311,6 +317,12 @@ exit 0
 %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Mon Nov 11 2024 huyizhen <huyizhen2@huawei.com> - 12:4.4.3-9
+- Type:CVE
+- ID:NA
+- SUG:restart
+- DESC:fix CVE-2024-1975,CVE-2024-1737
+
 * Tue Nov 05 2024 huyizhen <huyizhen2@huawei.com> - 12:4.4.3-8
 - Type:bugfix
 - ID:NA