fix CVE-2024-43167 CVE-2024-43168

backport-CVE-2024-43167.patch

@@ -0,0 +1,45 @@
+From 8e43e2574c4e02f79c562a061581cdcefe136912 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Tue, 21 May 2024 08:40:16 +0000
+Subject: [PATCH] fix null pointer dereference issue in function ub_ctx_set_fwd
+ of file libunbound/libunbound.c
+
+---
+ libunbound/libunbound.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c
+index 17057ec6..3c895514 100644
+--- a/libunbound/libunbound.c
++++ b/libunbound/libunbound.c
+@@ -981,7 +981,8 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
+ 	if(!addr) {
+ 		/* disable fwd mode - the root stub should be first. */
+ 		if(ctx->env->cfg->forwards &&
+-			strcmp(ctx->env->cfg->forwards->name, ".") == 0) {
++			(ctx->env->cfg->forwards->name &&
++			strcmp(ctx->env->cfg->forwards->name, ".") == 0)) {
+ 			s = ctx->env->cfg->forwards;
+ 			ctx->env->cfg->forwards = s->next;
+ 			s->next = NULL;
+@@ -1001,7 +1002,8 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
+ 	/* it parses, add root stub in front of list */
+ 	lock_basic_lock(&ctx->cfglock);
+ 	if(!ctx->env->cfg->forwards ||
+-		strcmp(ctx->env->cfg->forwards->name, ".") != 0) {
++		(ctx->env->cfg->forwards->name &&
++		strcmp(ctx->env->cfg->forwards->name, ".") != 0)) {
+ 		s = calloc(1, sizeof(*s));
+ 		if(!s) {
+ 			lock_basic_unlock(&ctx->cfglock);
+@@ -1019,6 +1021,7 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
+ 		ctx->env->cfg->forwards = s;
+ 	} else {
+ 		log_assert(ctx->env->cfg->forwards);
++		log_assert(ctx->env->cfg->forwards->name);
+ 		s = ctx->env->cfg->forwards;
+ 	}
+ 	dupl = strdup(addr);
+-- 
+2.33.0
+

backport-CVE-2024-43168.patch

@@ -0,0 +1,28 @@
+From 193401e7543a1e561dd634a3eaae932fa462a2b9 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Wed, 3 Apr 2024 15:40:58 +0800
+Subject: [PATCH] fix heap-buffer-overflow issue in function cfg_mark_ports of
+ file util/config_file.c
+
+---
+ util/config_file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/util/config_file.c b/util/config_file.c
+index 26185da0..e7b2f195 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -1761,6 +1761,10 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ #endif
+ 	if(!mid) {
+ 		int port = atoi(str);
++		if(port < 0) {
++			log_err("Prevent out-of-bounds access to array avail");
++			return 0;
++		}
+ 		if(port == 0 && strcmp(str, "0") != 0) {
+ 			log_err("cannot parse port number '%s'", str);
+ 			return 0;
+-- 
+2.33.0
+

unbound.spec

@@ -2,7 +2,7 @@
 
 Name:          unbound
 Version:       1.17.1
-Release:       6
+Release:       7
 Summary:       Unbound is a validating, recursive, caching DNS resolver
 License:       BSD-3-Clause
 Url:           https://nlnetlabs.nl/projects/unbound/about/
@@ -28,6 +28,8 @@ Patch4:        backport-pre-CVE-2024-33655-Downstream-DNS-Cookies-a-la-RFC7873-a
 Patch5:        backport-pre-CVE-2024-33655-Fix-possibly-unaligned-memory-access-in-parse_edns_options_from_query.patch
 Patch6:        backport-pre-CVE-2024-33655-Fix-out-of-bounds-read-in-parse_edns_options_from_query.patch
 Patch7:        backport-CVE-2024-33655.patch
+Patch8:        backport-CVE-2024-43167.patch
+Patch9:        backport-CVE-2024-43168.patch
 
 BuildRequires: make flex swig pkgconfig systemd
 BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
@@ -265,6 +267,12 @@ popd
 %{_sbindir}/unbound-streamtcp
 
 %changelog
+* Mon Aug 19 2024 gaihuiying <eaglegai@163.com> - 1.17.1-7
+- Type:cves
+- CVE:CVE-2024-43167 CVE-2024-43168
+- SUG:NA
+- DESC:fix CVE-2024-43167 CVE-2024-43168
+
 * Mon Jun 24 2024 wangziliang <wangziliang@kylinos.cn> - 1.17.1-6
 - Type:bugfix
 - ID:NA