Revert "main/bind: fix for CVE-2017-3142 and CVE-2017-3143. Fixes #7496"

This reverts commit 724d3ef9cc4c309dc09e750d37ca4cb86b32df85.
author: Francesco Colista <fcolista@alpinelinux.org> 2017-08-07 14:37:03 +0000
committer: Francesco Colista <fcolista@alpinelinux.org> 2017-08-07 14:37:03 +0000
commit: 01deed0941cabc3a38f07a6a44495140dae59809 (patch)
tree: d7aa0cd9fbacb661bab189dc58532220808e3d4f /main/bind
parent: 724d3ef9cc4c309dc09e750d37ca4cb86b32df85 (diff)
download: aports-01deed0941cabc3a38f07a6a44495140dae59809.tar.bz2
aports-01deed0941cabc3a38f07a6a44495140dae59809.tar.xz
2 files changed, 2 insertions, 291 deletions
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index 90017aead3..525ce1492b 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -7,7 +7,7 @@ pkgver=9.11.1_p2
 _ver=${pkgver%_p*}
 _p=${pkgver#*_p}
 [ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
-pkgrel=1
+pkgrel=0
 pkgdesc="The ISC DNS server"
 url="http://www.isc.org"
 arch="all"
@@ -27,13 +27,9 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz
 	127.zone
 	localhost.zone
 	named.ca
-	CVE-2017-3142-3143.patch
 	"
 
 # secfixes:
-#   9.11.1_p2-r1:
-#     - CVE-2017-3142
-#     - CVE-2017-3143
 #   9.11.0_p5-r0:
 #     - CVE-2017-3136
 #     - CVE-2017-3137
@@ -148,5 +144,4 @@ d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793
 3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe  named.conf.recursive
 eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c  127.zone
 340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b  localhost.zone
-badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192  named.ca
-cee41dbbd3681317c6e6cfedb9f258cd8a2ad5308d6e20495593924abeb343f8c9942b561eb411da283d0630104c7c50e404dc73d234a6d6922fb80db712dfd2  CVE-2017-3142-3143.patch"
+badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192  named.ca"
diff --git a/main/bind/CVE-2017-3142-3143.patch b/main/bind/CVE-2017-3142-3143.patch
deleted file mode 100644
index e16e7d94b7..0000000000
--- a/main/bind/CVE-2017-3142-3143.patch
+++ /dev/null
@@ -1,284 +0,0 @@
-From: Evan Hunt <each@isc.org>
-Date: Tue, 27 Jun 2017 18:35:52 +0000 (-0700)
-Subject: [master] address TSIG bypass/forgery vulnerabilities
-X-Git-Url: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff_plain;h=581c1526ab0f74a177980da9ff0514f795ed8669
-
-[master] address TSIG bypass/forgery vulnerabilities
-
-4643.	[security]	An error in TSIG handling could permit unauthorized
-			zone transfers or zone updates. (CVE-2017-3142)
-			(CVE-2017-3143) [RT #45383]
----
-
-diff --git a/CHANGES b/CHANGES
-index 703484e..a7ecdd3 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,7 @@
-+4643.	[security]	An error in TSIG handling could permit unauthorized
-+			zone transfers or zone updates. (CVE-2017-3142)
-+			(CVE-2017-3143) [RT #45383]
-+
- 4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
- 			status of managed keys: newly observed keys,
- 			deletion of revoked keys, etc. [RT #45354]
-diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index ea87d05..eae0053 100644
---- a/doc/arm/notes.xml
-+++ b/doc/arm/notes.xml
-@@ -69,6 +69,13 @@
-     <itemizedlist>
-       <listitem>
- 	<para>
-+	  An error in TSIG handling could permit unauthorized zone
-+	  transfers or zone updates. These flaws are disclosed in
-+	  CVE-2017-3142 and CVE-2017-3143. [RT #45383]
-+	</para>
-+      </listitem>
-+      <listitem>
-+	<para>
- 	  The BIND installer on Windows used an unquoted service path,
- 	  which can enable privilege escalation. This flaw is disclosed
- 	  in CVE-2017-3141. [RT #45229]
-diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
-index fb64f77..1a497fc 100644
---- a/lib/dns/dnssec.c
-+++ b/lib/dns/dnssec.c
-@@ -1070,6 +1070,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
- 	mctx = msg->mctx;
- 
- 	msg->verify_attempted = 1;
-+	msg->verified_sig = 0;
-+	msg->sig0status = dns_tsigerror_badsig;
- 
- 	if (is_response(msg)) {
- 		if (msg->query.base == NULL)
-@@ -1165,6 +1167,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
- 	}
- 
- 	msg->verified_sig = 1;
-+	msg->sig0status = dns_rcode_noerror;
- 
- 	dst_context_destroy(&ctx);
- 	dns_rdata_freestruct(&sig);
-diff --git a/lib/dns/message.c b/lib/dns/message.c
-index ca8d77d..a167c3a 100644
---- a/lib/dns/message.c
-+++ b/lib/dns/message.c
-@@ -3115,12 +3115,19 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
- 
- 		result = dns_rdata_tostruct(&rdata, &tsig, NULL);
- 		INSIST(result == ISC_R_SUCCESS);
--		if (msg->tsigstatus != dns_rcode_noerror)
-+		if (msg->verified_sig &&
-+		    msg->tsigstatus == dns_rcode_noerror &&
-+		    tsig.error == dns_rcode_noerror)
-+		{
-+			result = ISC_R_SUCCESS;
-+		} else if ((!msg->verified_sig) ||
-+			   (msg->tsigstatus != dns_rcode_noerror))
-+		{
- 			result = DNS_R_TSIGVERIFYFAILURE;
--		else if (tsig.error != dns_rcode_noerror)
-+		} else {
-+			INSIST(tsig.error != dns_rcode_noerror);
- 			result = DNS_R_TSIGERRORSET;
--		else
--			result = ISC_R_SUCCESS;
-+		}
- 		dns_rdata_freestruct(&tsig);
- 
- 		if (msg->tsigkey == NULL) {
-diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
-index 400efe9..4e183e6 100644
---- a/lib/dns/tsig.c
-+++ b/lib/dns/tsig.c
-@@ -977,9 +977,10 @@ dns_tsig_sign(dns_message_t *msg) {
- 			return (ret);
- 
- 		/*
--		 * If this is a response, digest the query signature.
-+		 * If this is a response and the query's signature
-+		 * validated, digest the query signature.
- 		 */
--		if (response) {
-+		if (response && (tsig.error == dns_rcode_noerror)) {
- 			dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
- 
- 			ret = dns_rdataset_first(msg->querytsig);
-@@ -1216,6 +1217,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- 	REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
- 
- 	msg->verify_attempted = 1;
-+	msg->verified_sig = 0;
-+	msg->tsigstatus = dns_tsigerror_badsig;
- 
- 	if (msg->tcp_continuation) {
- 		if (tsigkey == NULL || msg->querytsig == NULL)
-@@ -1339,27 +1342,31 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- #endif
- 	    alg == DST_ALG_HMACSHA1 ||
- 	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
--	    alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
-+	    alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
-+	{
- 		isc_uint16_t digestbits = dst_key_getbits(key);
- 		if (tsig.siglen > siglen) {
- 			tsig_log(msg->tsigkey, 2, "signature length too big");
- 			return (DNS_R_FORMERR);
- 		}
- 		if (tsig.siglen > 0 &&
--		    (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
-+		    (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2)))
-+		{
- 			tsig_log(msg->tsigkey, 2,
- 				 "signature length below minimum");
- 			return (DNS_R_FORMERR);
- 		}
- 		if (tsig.siglen > 0 && digestbits != 0 &&
--		    tsig.siglen < ((digestbits + 1) / 8)) {
-+		    tsig.siglen < ((digestbits + 1) / 8))
-+		{
- 			msg->tsigstatus = dns_tsigerror_badtrunc;
- 			tsig_log(msg->tsigkey, 2,
- 				 "truncated signature length too small");
- 			return (DNS_R_TSIGVERIFYFAILURE);
- 		}
- 		if (tsig.siglen > 0 && digestbits == 0 &&
--		    tsig.siglen < siglen) {
-+		    tsig.siglen < siglen)
-+		{
- 			msg->tsigstatus = dns_tsigerror_badtrunc;
- 			tsig_log(msg->tsigkey, 2, "signature length too small");
- 			return (DNS_R_TSIGVERIFYFAILURE);
-@@ -1378,7 +1385,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- 		if (ret != ISC_R_SUCCESS)
- 			return (ret);
- 
--		if (response) {
-+		if (response && (tsig.error == dns_rcode_noerror)) {
- 			isc_buffer_init(&databuf, data, sizeof(data));
- 			isc_buffer_putuint16(&databuf, querytsig.siglen);
- 			isc_buffer_usedregion(&databuf, &r);
-@@ -1483,10 +1490,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- 			tsig_log(msg->tsigkey, 2,
- 				 "signature failed to verify(1)");
- 			goto cleanup_context;
--		} else if (ret != ISC_R_SUCCESS)
-+		} else if (ret != ISC_R_SUCCESS) {
- 			goto cleanup_context;
--
--		dst_context_destroy(&ctx);
-+		}
- 	} else if (tsig.error != dns_tsigerror_badsig &&
- 		   tsig.error != dns_tsigerror_badkey) {
- 		msg->tsigstatus = dns_tsigerror_badsig;
-@@ -1494,18 +1500,18 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- 		return (DNS_R_TSIGVERIFYFAILURE);
- 	}
- 
--	msg->tsigstatus = dns_rcode_noerror;
--
- 	if (tsig.error != dns_rcode_noerror) {
-+		msg->tsigstatus = tsig.error;
- 		if (tsig.error == dns_tsigerror_badtime)
--			return (DNS_R_CLOCKSKEW);
-+			ret = DNS_R_CLOCKSKEW;
- 		else
--			return (DNS_R_TSIGERRORSET);
-+			ret = DNS_R_TSIGERRORSET;
-+		goto cleanup_context;
- 	}
- 
-+	msg->tsigstatus = dns_rcode_noerror;
- 	msg->verified_sig = 1;
--
--	return (ISC_R_SUCCESS);
-+	ret = ISC_R_SUCCESS;
- 
- cleanup_context:
- 	if (ctx != NULL)
-@@ -1537,6 +1543,9 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
- 	REQUIRE(msg->tcp_continuation == 1);
- 	REQUIRE(msg->querytsig != NULL);
- 
-+	msg->verified_sig = 0;
-+	msg->tsigstatus = dns_tsigerror_badsig;
-+
- 	if (!is_response(msg))
- 		return (DNS_R_EXPECTEDRESPONSE);
- 
-@@ -1575,7 +1584,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
- 		 * Do the key name and algorithm match that of the query?
- 		 */
- 		if (!dns_name_equal(keyname, &tsigkey->name) ||
--		    !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) {
-+		    !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
-+		{
- 			msg->tsigstatus = dns_tsigerror_badkey;
- 			ret = DNS_R_TSIGVERIFYFAILURE;
- 			tsig_log(msg->tsigkey, 2,
-@@ -1594,7 +1604,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
- 			ret = DNS_R_CLOCKSKEW;
- 			goto cleanup_querystruct;
- 		} else if (now + msg->timeadjust <
--			   tsig.timesigned - tsig.fudge) {
-+			   tsig.timesigned - tsig.fudge)
-+		{
- 			msg->tsigstatus = dns_tsigerror_badtime;
- 			tsig_log(msg->tsigkey, 2,
- 				 "signature is in the future");
-@@ -1700,10 +1711,12 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
- 		sig_r.length = tsig.siglen;
- 		if (tsig.siglen == 0) {
- 			if (tsig.error != dns_rcode_noerror) {
--				if (tsig.error == dns_tsigerror_badtime)
-+				msg->tsigstatus = tsig.error;
-+				if (tsig.error == dns_tsigerror_badtime) {
- 					ret = DNS_R_CLOCKSKEW;
--				else
-+				} else {
- 					ret = DNS_R_TSIGERRORSET;
-+				}
- 			} else {
- 				tsig_log(msg->tsigkey, 2,
- 					 "signature is empty");
-@@ -1719,24 +1732,32 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
- 				 "signature failed to verify(2)");
- 			ret = DNS_R_TSIGVERIFYFAILURE;
- 			goto cleanup_context;
--		}
--		else if (ret != ISC_R_SUCCESS)
-+		} else if (ret != ISC_R_SUCCESS) {
- 			goto cleanup_context;
-+		}
- 
--		dst_context_destroy(&msg->tsigctx);
-+		if (tsig.error != dns_rcode_noerror) {
-+			msg->tsigstatus = tsig.error;
-+			if (tsig.error == dns_tsigerror_badtime)
-+				ret = DNS_R_CLOCKSKEW;
-+			else
-+				ret = DNS_R_TSIGERRORSET;
-+			goto cleanup_context;
-+		}
- 	}
- 
- 	msg->tsigstatus = dns_rcode_noerror;
--	return (ISC_R_SUCCESS);
-+	msg->verified_sig = 1;
-+	ret = ISC_R_SUCCESS;
- 
-  cleanup_context:
--	dst_context_destroy(&msg->tsigctx);
-+	if (msg->tsigctx != NULL)
-+		dst_context_destroy(&msg->tsigctx);
- 
-  cleanup_querystruct:
- 	dns_rdata_freestruct(&querytsig);
- 
- 	return (ret);
--
- }
- 
- isc_result_t
author	Francesco Colista <fcolista@alpinelinux.org>	2017-08-07 14:37:03 +0000
committer	Francesco Colista <fcolista@alpinelinux.org>	2017-08-07 14:37:03 +0000
commit	01deed0941cabc3a38f07a6a44495140dae59809 (patch)
tree	d7aa0cd9fbacb661bab189dc58532220808e3d4f /main/bind
parent	724d3ef9cc4c309dc09e750d37ca4cb86b32df85 (diff)
download	aports-01deed0941cabc3a38f07a6a44495140dae59809.tar.bz2 aports-01deed0941cabc3a38f07a6a44495140dae59809.tar.xz