| Message ID | 20221003112812.866-1-mbriand@witekio.com |
|---|---|
| State | Accepted, archived |
| Commit | 9632481dc14868c0f92572472834a2a0c4f46e2e |
| Headers | show |
| Series | [dunfell] bind: Fix CVEs 2022-2795, 2022-38177, 2022-38178 | expand |
Hi, This PR intend to fix 3 CVEs: - https://nvd.nist.gov/vuln/detail/CVE-2022-2795 - https://nvd.nist.gov/vuln/detail/CVE-2022-38177 - https://nvd.nist.gov/vuln/detail/CVE-2022-38178 All fix patches were cherry-picked from bind v9_16_33. The first patch can be merged without conflict and the second one with a minor (curly braces) conflict. The third one (CVE-2022-38178) is a bit trickier as one of the code section corrected by the patch does not exist in bind 9.11.37: - https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_11_37/lib/dns/openssleddsa_link.c#L327 - https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6c4165fbd3d Basically, on 9.11.37 `siglen` is not verified to be different of 0, because the value is always set, so I believe this is OK. However, as I did modify the patch, I'm not sure if there is some best practice or extra documentation that I need to apply here. Best regards, Mathieu
On Mon, Oct 3, 2022 at 1:29 AM Mathieu Dubois-Briand <mathieu.dubois-briand@hyprua.org> wrote: > > Hi, > > This PR intend to fix 3 CVEs: > > - https://nvd.nist.gov/vuln/detail/CVE-2022-2795 > - https://nvd.nist.gov/vuln/detail/CVE-2022-38177 > - https://nvd.nist.gov/vuln/detail/CVE-2022-38178 > > All fix patches were cherry-picked from bind v9_16_33. The first patch can be > merged without conflict and the second one with a minor (curly braces) conflict. > > The third one (CVE-2022-38178) is a bit trickier as one of the code section > corrected by the patch does not exist in bind 9.11.37: > - https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_11_37/lib/dns/openssleddsa_link.c#L327 > - https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6c4165fbd3d > > Basically, on 9.11.37 `siglen` is not verified to be different of 0, because the > value is always set, so I believe this is OK. However, as I did modify the > patch, I'm not sure if there is some best practice or extra documentation that I > need to apply here. This seems ok to me too. Copying Armin since he is listed as the bind maintainer, just in case he would like to comment on this. Steve
On Mon, Oct 3, 2022 at 1:28 AM Mathieu Dubois-Briand <mathieu.dubois-briand@hyprua.org> wrote: Patch is missing your Signed-off-by: > > --- > .../bind/bind/CVE-2022-2795.patch | 60 +++++++++++++++++++ > .../bind/bind/CVE-2022-38177.patch | 25 ++++++++ > .../bind/bind/CVE-2022-38178.patch | 26 ++++++++ All three patch files are missing Upstream-Status: CVE: and Signed-off-by: tags See "Patch name convention and commit message" section at: https://wiki.yoctoproject.org/wiki/Security Thanks for helping with CVEs! Steve > .../recipes-connectivity/bind/bind_9.11.37.bb | 3 + > 4 files changed, 114 insertions(+) > create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch > create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch > create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch > > diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch > new file mode 100644 > index 000000000000..10d8e6140bb3 > --- /dev/null > +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch > @@ -0,0 +1,60 @@ > +From cd73ad5f5380304627e3c14bc8ff5d8e8794607c Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org> > +Date: Thu, 8 Sep 2022 11:11:30 +0200 > +Subject: [PATCH 1/3] Bound the amount of work performed for delegations > + > +Limit the amount of database lookups that can be triggered in > +fctx_getaddresses() (i.e. when determining the name server addresses to > +query next) by setting a hard limit on the number of NS RRs processed > +for any delegation encountered. Without any limit in place, named can > +be forced to perform large amounts of database lookups per each query > +received, which severely impacts resolver performance. > + > +The limit used (20) is an arbitrary value that is considered to be big > +enough for any sane DNS delegation. > + > +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) > +--- > + lib/dns/resolver.c | 12 ++++++++++++ > + 1 file changed, 12 insertions(+) > + > +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c > +index 8ae9a993bbd7..ac9a9ef5d009 100644 > +--- a/lib/dns/resolver.c > ++++ b/lib/dns/resolver.c > +@@ -180,6 +180,12 @@ > + */ > + #define NS_FAIL_LIMIT 4 > + #define NS_RR_LIMIT 5 > ++/* > ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in > ++ * any NS RRset encountered, to avoid excessive resource use while processing > ++ * large delegations. > ++ */ > ++#define NS_PROCESSING_LIMIT 20 > + > + /* Number of hash buckets for zone counters */ > + #ifndef RES_DOMAIN_BUCKETS > +@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { > + bool need_alternate = false; > + bool all_spilled = true; > + unsigned int no_addresses = 0; > ++ unsigned int ns_processed = 0; > + > + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); > + > +@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { > + > + dns_rdata_reset(&rdata); > + dns_rdata_freestruct(&ns); > ++ > ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { > ++ result = ISC_R_NOMORE; > ++ break; > ++ } > + } > + if (result != ISC_R_NOMORE) { > + return (result); > +-- > +2.34.1 > + > diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch > new file mode 100644 > index 000000000000..7a76048b4da9 > --- /dev/null > +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch > @@ -0,0 +1,25 @@ > +From 2275d217a8ceb6f970749b364a075651052c04f5 Mon Sep 17 00:00:00 2001 > +From: Mark Andrews <marka@isc.org> > +Date: Thu, 11 Aug 2022 15:15:34 +1000 > +Subject: [PATCH 2/3] Free eckey on siglen mismatch > + > +--- > + lib/dns/opensslecdsa_link.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c > +index 83b5b51cd78c..7576e04ac635 100644 > +--- a/lib/dns/opensslecdsa_link.c > ++++ b/lib/dns/opensslecdsa_link.c > +@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { > + siglen = DNS_SIG_ECDSA384SIZE; > + > + if (sig->length != siglen) > +- return (DST_R_VERIFYFAILURE); > ++ DST_RET(DST_R_VERIFYFAILURE); > + > + if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) > + DST_RET (dst__openssl_toresult3(dctx->category, > +-- > +2.34.1 > + > diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch > new file mode 100644 > index 000000000000..4e98ca4ef96e > --- /dev/null > +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch > @@ -0,0 +1,26 @@ > +From 87d51359fd84b8d61ff427c69105524344e1da9c Mon Sep 17 00:00:00 2001 > +From: Mark Andrews <marka@isc.org> > +Date: Thu, 11 Aug 2022 15:28:13 +1000 > +Subject: [PATCH 3/3] Free ctx on invalid siglen > + > +(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825) > +--- > + lib/dns/openssleddsa_link.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c > +index 8b115ec283f0..b4fcd607c131 100644 > +--- a/lib/dns/openssleddsa_link.c > ++++ b/lib/dns/openssleddsa_link.c > +@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { > + siglen = DNS_SIG_ED448SIZE; > + > + if (sig->length != siglen) > +- return (DST_R_VERIFYFAILURE); > ++ DST_RET(ISC_R_NOTIMPLEMENTED); > + > + isc_buffer_usedregion(buf, &tbsreg); > + > +-- > +2.34.1 > + > diff --git a/meta/recipes-connectivity/bind/bind_9.11.37.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb > index afc8cf0b3b0c..2fca28e684a1 100644 > --- a/meta/recipes-connectivity/bind/bind_9.11.37.bb > +++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb > @@ -19,6 +19,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ > file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ > file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ > file://0001-avoid-start-failure-with-bind-user.patch \ > + file://CVE-2022-2795.patch \ > + file://CVE-2022-38177.patch \ > + file://CVE-2022-38178.patch \ > " > > SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff" > -- > 2.34.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#171360): https://lists.openembedded.org/g/openembedded-core/message/171360 > Mute This Topic: https://lists.openembedded.org/mt/94088047/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch new file mode 100644 index 000000000000..10d8e6140bb3 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch @@ -0,0 +1,60 @@ +From cd73ad5f5380304627e3c14bc8ff5d8e8794607c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org> +Date: Thu, 8 Sep 2022 11:11:30 +0200 +Subject: [PATCH 1/3] Bound the amount of work performed for delegations + +Limit the amount of database lookups that can be triggered in +fctx_getaddresses() (i.e. when determining the name server addresses to +query next) by setting a hard limit on the number of NS RRs processed +for any delegation encountered. Without any limit in place, named can +be forced to perform large amounts of database lookups per each query +received, which severely impacts resolver performance. + +The limit used (20) is an arbitrary value that is considered to be big +enough for any sane DNS delegation. + +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) +--- + lib/dns/resolver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 8ae9a993bbd7..ac9a9ef5d009 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -180,6 +180,12 @@ + */ + #define NS_FAIL_LIMIT 4 + #define NS_RR_LIMIT 5 ++/* ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in ++ * any NS RRset encountered, to avoid excessive resource use while processing ++ * large delegations. ++ */ ++#define NS_PROCESSING_LIMIT 20 + + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS +@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + bool need_alternate = false; + bool all_spilled = true; + unsigned int no_addresses = 0; ++ unsigned int ns_processed = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); ++ ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) { + return (result); +-- +2.34.1 + diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch new file mode 100644 index 000000000000..7a76048b4da9 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch @@ -0,0 +1,25 @@ +From 2275d217a8ceb6f970749b364a075651052c04f5 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Thu, 11 Aug 2022 15:15:34 +1000 +Subject: [PATCH 2/3] Free eckey on siglen mismatch + +--- + lib/dns/opensslecdsa_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c +index 83b5b51cd78c..7576e04ac635 100644 +--- a/lib/dns/opensslecdsa_link.c ++++ b/lib/dns/opensslecdsa_link.c +@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + siglen = DNS_SIG_ECDSA384SIZE; + + if (sig->length != siglen) +- return (DST_R_VERIFYFAILURE); ++ DST_RET(DST_R_VERIFYFAILURE); + + if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) + DST_RET (dst__openssl_toresult3(dctx->category, +-- +2.34.1 + diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch new file mode 100644 index 000000000000..4e98ca4ef96e --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch @@ -0,0 +1,26 @@ +From 87d51359fd84b8d61ff427c69105524344e1da9c Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Thu, 11 Aug 2022 15:28:13 +1000 +Subject: [PATCH 3/3] Free ctx on invalid siglen + +(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825) +--- + lib/dns/openssleddsa_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c +index 8b115ec283f0..b4fcd607c131 100644 +--- a/lib/dns/openssleddsa_link.c ++++ b/lib/dns/openssleddsa_link.c +@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + siglen = DNS_SIG_ED448SIZE; + + if (sig->length != siglen) +- return (DST_R_VERIFYFAILURE); ++ DST_RET(ISC_R_NOTIMPLEMENTED); + + isc_buffer_usedregion(buf, &tbsreg); + +-- +2.34.1 + diff --git a/meta/recipes-connectivity/bind/bind_9.11.37.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb index afc8cf0b3b0c..2fca28e684a1 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.37.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb @@ -19,6 +19,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ file://0001-avoid-start-failure-with-bind-user.patch \ + file://CVE-2022-2795.patch \ + file://CVE-2022-38177.patch \ + file://CVE-2022-38178.patch \ " SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"