main/bind: fix for CVE-2017-3142 and CVE-2017-3143. Fixes #7496

author: Francesco Colista <fcolista@alpinelinux.org> 2017-08-07 14:35:48 +0000
committer: Francesco Colista <fcolista@alpinelinux.org> 2017-08-07 14:35:48 +0000
commit: 724d3ef9cc4c309dc09e750d37ca4cb86b32df85 (patch)
tree: c929489832696d04f356908a94365ccd955f1bf3 /main/bind
parent: 855276e81a96aec5f8f4a85a74793284e800d637 (diff)
download: aports-724d3ef9cc4c309dc09e750d37ca4cb86b32df85.tar.bz2
aports-724d3ef9cc4c309dc09e750d37ca4cb86b32df85.tar.xz
2 files changed, 291 insertions, 2 deletions
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index 525ce1492b..90017aead3 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -7,7 +7,7 @@ pkgver=9.11.1_p2
 _ver=${pkgver%_p*}
 _p=${pkgver#*_p}
 [ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
-pkgrel=0
+pkgrel=1
 pkgdesc="The ISC DNS server"
 url="http://www.isc.org"
 arch="all"
@@ -27,9 +27,13 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz
 	127.zone
 	localhost.zone
 	named.ca
+	CVE-2017-3142-3143.patch
 	"
 
 # secfixes:
+#   9.11.1_p2-r1:
+#     - CVE-2017-3142
+#     - CVE-2017-3143
 #   9.11.0_p5-r0:
 #     - CVE-2017-3136
 #     - CVE-2017-3137
@@ -144,4 +148,5 @@ d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793
 3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe  named.conf.recursive
 eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c  127.zone
 340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b  localhost.zone
-badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192  named.ca"
+badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192  named.ca
+cee41dbbd3681317c6e6cfedb9f258cd8a2ad5308d6e20495593924abeb343f8c9942b561eb411da283d0630104c7c50e404dc73d234a6d6922fb80db712dfd2  CVE-2017-3142-3143.patch"
diff --git a/main/bind/CVE-2017-3142-3143.patch b/main/bind/CVE-2017-3142-3143.patch
new file mode 100644
index 0000000000..e16e7d94b7
--- /dev/null
+++ b/main/bind/CVE-2017-3142-3143.patch
@@ -0,0 +1,284 @@
+From: Evan Hunt <each@isc.org>
+Date: Tue, 27 Jun 2017 18:35:52 +0000 (-0700)
+Subject: [master] address TSIG bypass/forgery vulnerabilities
+X-Git-Url: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff_plain;h=581c1526ab0f74a177980da9ff0514f795ed8669
+
+[master] address TSIG bypass/forgery vulnerabilities
+
+4643.	[security]	An error in TSIG handling could permit unauthorized
+			zone transfers or zone updates. (CVE-2017-3142)
+			(CVE-2017-3143) [RT #45383]
+---
+
+diff --git a/CHANGES b/CHANGES
+index 703484e..a7ecdd3 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,7 @@
++4643.	[security]	An error in TSIG handling could permit unauthorized
++			zone transfers or zone updates. (CVE-2017-3142)
++			(CVE-2017-3143) [RT #45383]
++
+ 4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
+ 			status of managed keys: newly observed keys,
+ 			deletion of revoked keys, etc. [RT #45354]
+diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
+index ea87d05..eae0053 100644
+--- a/doc/arm/notes.xml
++++ b/doc/arm/notes.xml
+@@ -69,6 +69,13 @@
+     <itemizedlist>
+       <listitem>
+ 	<para>
++	  An error in TSIG handling could permit unauthorized zone
++	  transfers or zone updates. These flaws are disclosed in
++	  CVE-2017-3142 and CVE-2017-3143. [RT #45383]
++	</para>
++      </listitem>
++      <listitem>
++	<para>
+ 	  The BIND installer on Windows used an unquoted service path,
+ 	  which can enable privilege escalation. This flaw is disclosed
+ 	  in CVE-2017-3141. [RT #45229]
+diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
+index fb64f77..1a497fc 100644
+--- a/lib/dns/dnssec.c
++++ b/lib/dns/dnssec.c
+@@ -1070,6 +1070,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
+ 	mctx = msg->mctx;
+ 
+ 	msg->verify_attempted = 1;
++	msg->verified_sig = 0;
++	msg->sig0status = dns_tsigerror_badsig;
+ 
+ 	if (is_response(msg)) {
+ 		if (msg->query.base == NULL)
+@@ -1165,6 +1167,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
+ 	}
+ 
+ 	msg->verified_sig = 1;
++	msg->sig0status = dns_rcode_noerror;
+ 
+ 	dst_context_destroy(&ctx);
+ 	dns_rdata_freestruct(&sig);
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index ca8d77d..a167c3a 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -3115,12 +3115,19 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
+ 
+ 		result = dns_rdata_tostruct(&rdata, &tsig, NULL);
+ 		INSIST(result == ISC_R_SUCCESS);
+-		if (msg->tsigstatus != dns_rcode_noerror)
++		if (msg->verified_sig &&
++		    msg->tsigstatus == dns_rcode_noerror &&
++		    tsig.error == dns_rcode_noerror)
++		{
++			result = ISC_R_SUCCESS;
++		} else if ((!msg->verified_sig) ||
++			   (msg->tsigstatus != dns_rcode_noerror))
++		{
+ 			result = DNS_R_TSIGVERIFYFAILURE;
+-		else if (tsig.error != dns_rcode_noerror)
++		} else {
++			INSIST(tsig.error != dns_rcode_noerror);
+ 			result = DNS_R_TSIGERRORSET;
+-		else
+-			result = ISC_R_SUCCESS;
++		}
+ 		dns_rdata_freestruct(&tsig);
+ 
+ 		if (msg->tsigkey == NULL) {
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index 400efe9..4e183e6 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -977,9 +977,10 @@ dns_tsig_sign(dns_message_t *msg) {
+ 			return (ret);
+ 
+ 		/*
+-		 * If this is a response, digest the query signature.
++		 * If this is a response and the query's signature
++		 * validated, digest the query signature.
+ 		 */
+-		if (response) {
++		if (response && (tsig.error == dns_rcode_noerror)) {
+ 			dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
+ 
+ 			ret = dns_rdataset_first(msg->querytsig);
+@@ -1216,6 +1217,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 	REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
+ 
+ 	msg->verify_attempted = 1;
++	msg->verified_sig = 0;
++	msg->tsigstatus = dns_tsigerror_badsig;
+ 
+ 	if (msg->tcp_continuation) {
+ 		if (tsigkey == NULL || msg->querytsig == NULL)
+@@ -1339,27 +1342,31 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ #endif
+ 	    alg == DST_ALG_HMACSHA1 ||
+ 	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+-	    alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
++	    alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
++	{
+ 		isc_uint16_t digestbits = dst_key_getbits(key);
+ 		if (tsig.siglen > siglen) {
+ 			tsig_log(msg->tsigkey, 2, "signature length too big");
+ 			return (DNS_R_FORMERR);
+ 		}
+ 		if (tsig.siglen > 0 &&
+-		    (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
++		    (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2)))
++		{
+ 			tsig_log(msg->tsigkey, 2,
+ 				 "signature length below minimum");
+ 			return (DNS_R_FORMERR);
+ 		}
+ 		if (tsig.siglen > 0 && digestbits != 0 &&
+-		    tsig.siglen < ((digestbits + 1) / 8)) {
++		    tsig.siglen < ((digestbits + 1) / 8))
++		{
+ 			msg->tsigstatus = dns_tsigerror_badtrunc;
+ 			tsig_log(msg->tsigkey, 2,
+ 				 "truncated signature length too small");
+ 			return (DNS_R_TSIGVERIFYFAILURE);
+ 		}
+ 		if (tsig.siglen > 0 && digestbits == 0 &&
+-		    tsig.siglen < siglen) {
++		    tsig.siglen < siglen)
++		{
+ 			msg->tsigstatus = dns_tsigerror_badtrunc;
+ 			tsig_log(msg->tsigkey, 2, "signature length too small");
+ 			return (DNS_R_TSIGVERIFYFAILURE);
+@@ -1378,7 +1385,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 		if (ret != ISC_R_SUCCESS)
+ 			return (ret);
+ 
+-		if (response) {
++		if (response && (tsig.error == dns_rcode_noerror)) {
+ 			isc_buffer_init(&databuf, data, sizeof(data));
+ 			isc_buffer_putuint16(&databuf, querytsig.siglen);
+ 			isc_buffer_usedregion(&databuf, &r);
+@@ -1483,10 +1490,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 			tsig_log(msg->tsigkey, 2,
+ 				 "signature failed to verify(1)");
+ 			goto cleanup_context;
+-		} else if (ret != ISC_R_SUCCESS)
++		} else if (ret != ISC_R_SUCCESS) {
+ 			goto cleanup_context;
+-
+-		dst_context_destroy(&ctx);
++		}
+ 	} else if (tsig.error != dns_tsigerror_badsig &&
+ 		   tsig.error != dns_tsigerror_badkey) {
+ 		msg->tsigstatus = dns_tsigerror_badsig;
+@@ -1494,18 +1500,18 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 		return (DNS_R_TSIGVERIFYFAILURE);
+ 	}
+ 
+-	msg->tsigstatus = dns_rcode_noerror;
+-
+ 	if (tsig.error != dns_rcode_noerror) {
++		msg->tsigstatus = tsig.error;
+ 		if (tsig.error == dns_tsigerror_badtime)
+-			return (DNS_R_CLOCKSKEW);
++			ret = DNS_R_CLOCKSKEW;
+ 		else
+-			return (DNS_R_TSIGERRORSET);
++			ret = DNS_R_TSIGERRORSET;
++		goto cleanup_context;
+ 	}
+ 
++	msg->tsigstatus = dns_rcode_noerror;
+ 	msg->verified_sig = 1;
+-
+-	return (ISC_R_SUCCESS);
++	ret = ISC_R_SUCCESS;
+ 
+ cleanup_context:
+ 	if (ctx != NULL)
+@@ -1537,6 +1543,9 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+ 	REQUIRE(msg->tcp_continuation == 1);
+ 	REQUIRE(msg->querytsig != NULL);
+ 
++	msg->verified_sig = 0;
++	msg->tsigstatus = dns_tsigerror_badsig;
++
+ 	if (!is_response(msg))
+ 		return (DNS_R_EXPECTEDRESPONSE);
+ 
+@@ -1575,7 +1584,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+ 		 * Do the key name and algorithm match that of the query?
+ 		 */
+ 		if (!dns_name_equal(keyname, &tsigkey->name) ||
+-		    !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) {
++		    !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
++		{
+ 			msg->tsigstatus = dns_tsigerror_badkey;
+ 			ret = DNS_R_TSIGVERIFYFAILURE;
+ 			tsig_log(msg->tsigkey, 2,
+@@ -1594,7 +1604,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+ 			ret = DNS_R_CLOCKSKEW;
+ 			goto cleanup_querystruct;
+ 		} else if (now + msg->timeadjust <
+-			   tsig.timesigned - tsig.fudge) {
++			   tsig.timesigned - tsig.fudge)
++		{
+ 			msg->tsigstatus = dns_tsigerror_badtime;
+ 			tsig_log(msg->tsigkey, 2,
+ 				 "signature is in the future");
+@@ -1700,10 +1711,12 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+ 		sig_r.length = tsig.siglen;
+ 		if (tsig.siglen == 0) {
+ 			if (tsig.error != dns_rcode_noerror) {
+-				if (tsig.error == dns_tsigerror_badtime)
++				msg->tsigstatus = tsig.error;
++				if (tsig.error == dns_tsigerror_badtime) {
+ 					ret = DNS_R_CLOCKSKEW;
+-				else
++				} else {
+ 					ret = DNS_R_TSIGERRORSET;
++				}
+ 			} else {
+ 				tsig_log(msg->tsigkey, 2,
+ 					 "signature is empty");
+@@ -1719,24 +1732,32 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+ 				 "signature failed to verify(2)");
+ 			ret = DNS_R_TSIGVERIFYFAILURE;
+ 			goto cleanup_context;
+-		}
+-		else if (ret != ISC_R_SUCCESS)
++		} else if (ret != ISC_R_SUCCESS) {
+ 			goto cleanup_context;
++		}
+ 
+-		dst_context_destroy(&msg->tsigctx);
++		if (tsig.error != dns_rcode_noerror) {
++			msg->tsigstatus = tsig.error;
++			if (tsig.error == dns_tsigerror_badtime)
++				ret = DNS_R_CLOCKSKEW;
++			else
++				ret = DNS_R_TSIGERRORSET;
++			goto cleanup_context;
++		}
+ 	}
+ 
+ 	msg->tsigstatus = dns_rcode_noerror;
+-	return (ISC_R_SUCCESS);
++	msg->verified_sig = 1;
++	ret = ISC_R_SUCCESS;
+ 
+  cleanup_context:
+-	dst_context_destroy(&msg->tsigctx);
++	if (msg->tsigctx != NULL)
++		dst_context_destroy(&msg->tsigctx);
+ 
+  cleanup_querystruct:
+ 	dns_rdata_freestruct(&querytsig);
+ 
+ 	return (ret);
+-
+ }
+ 
+ isc_result_t
author	Francesco Colista <fcolista@alpinelinux.org>	2017-08-07 14:35:48 +0000
committer	Francesco Colista <fcolista@alpinelinux.org>	2017-08-07 14:35:48 +0000
commit	724d3ef9cc4c309dc09e750d37ca4cb86b32df85 (patch)
tree	c929489832696d04f356908a94365ccd955f1bf3 /main/bind
parent	855276e81a96aec5f8f4a85a74793284e800d637 (diff)
download	aports-724d3ef9cc4c309dc09e750d37ca4cb86b32df85.tar.bz2 aports-724d3ef9cc4c309dc09e750d37ca4cb86b32df85.tar.xz