From 01deed0941cabc3a38f07a6a44495140dae59809 Mon Sep 17 00:00:00 2001 From: Francesco Colista Date: Mon, 7 Aug 2017 14:37:03 +0000 Subject: Revert "main/bind: fix for CVE-2017-3142 and CVE-2017-3143. Fixes #7496" This reverts commit 724d3ef9cc4c309dc09e750d37ca4cb86b32df85. --- main/bind/APKBUILD | 9 +- main/bind/CVE-2017-3142-3143.patch | 284 ------------------------------------- 2 files changed, 2 insertions(+), 291 deletions(-) delete mode 100644 main/bind/CVE-2017-3142-3143.patch (limited to 'main/bind') diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD index 90017aead3..525ce1492b 100644 --- a/main/bind/APKBUILD +++ b/main/bind/APKBUILD @@ -7,7 +7,7 @@ pkgver=9.11.1_p2 _ver=${pkgver%_p*} _p=${pkgver#*_p} [ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p" -pkgrel=1 +pkgrel=0 pkgdesc="The ISC DNS server" url="http://www.isc.org" arch="all" @@ -27,13 +27,9 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz 127.zone localhost.zone named.ca - CVE-2017-3142-3143.patch " # secfixes: -# 9.11.1_p2-r1: -# - CVE-2017-3142 -# - CVE-2017-3143 # 9.11.0_p5-r0: # - CVE-2017-3136 # - CVE-2017-3137 @@ -148,5 +144,4 @@ d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793 3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone 340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone -badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192 named.ca -cee41dbbd3681317c6e6cfedb9f258cd8a2ad5308d6e20495593924abeb343f8c9942b561eb411da283d0630104c7c50e404dc73d234a6d6922fb80db712dfd2 CVE-2017-3142-3143.patch" +badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192 named.ca" diff --git a/main/bind/CVE-2017-3142-3143.patch b/main/bind/CVE-2017-3142-3143.patch deleted file mode 100644 index e16e7d94b7..0000000000 --- a/main/bind/CVE-2017-3142-3143.patch +++ /dev/null @@ -1,284 +0,0 @@ -From: Evan Hunt -Date: Tue, 27 Jun 2017 18:35:52 +0000 (-0700) -Subject: [master] address TSIG bypass/forgery vulnerabilities -X-Git-Url: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff_plain;h=581c1526ab0f74a177980da9ff0514f795ed8669 - -[master] address TSIG bypass/forgery vulnerabilities - -4643. [security] An error in TSIG handling could permit unauthorized - zone transfers or zone updates. (CVE-2017-3142) - (CVE-2017-3143) [RT #45383] ---- - -diff --git a/CHANGES b/CHANGES -index 703484e..a7ecdd3 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,7 @@ -+4643. [security] An error in TSIG handling could permit unauthorized -+ zone transfers or zone updates. (CVE-2017-3142) -+ (CVE-2017-3143) [RT #45383] -+ - 4642. [cleanup] Add more logging of RFC 5011 events affecting the - status of managed keys: newly observed keys, - deletion of revoked keys, etc. [RT #45354] -diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index ea87d05..eae0053 100644 ---- a/doc/arm/notes.xml -+++ b/doc/arm/notes.xml -@@ -69,6 +69,13 @@ - - - -+ An error in TSIG handling could permit unauthorized zone -+ transfers or zone updates. These flaws are disclosed in -+ CVE-2017-3142 and CVE-2017-3143. [RT #45383] -+ -+ -+ -+ - The BIND installer on Windows used an unquoted service path, - which can enable privilege escalation. This flaw is disclosed - in CVE-2017-3141. [RT #45229] -diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c -index fb64f77..1a497fc 100644 ---- a/lib/dns/dnssec.c -+++ b/lib/dns/dnssec.c -@@ -1070,6 +1070,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, - mctx = msg->mctx; - - msg->verify_attempted = 1; -+ msg->verified_sig = 0; -+ msg->sig0status = dns_tsigerror_badsig; - - if (is_response(msg)) { - if (msg->query.base == NULL) -@@ -1165,6 +1167,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, - } - - msg->verified_sig = 1; -+ msg->sig0status = dns_rcode_noerror; - - dst_context_destroy(&ctx); - dns_rdata_freestruct(&sig); -diff --git a/lib/dns/message.c b/lib/dns/message.c -index ca8d77d..a167c3a 100644 ---- a/lib/dns/message.c -+++ b/lib/dns/message.c -@@ -3115,12 +3115,19 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) { - - result = dns_rdata_tostruct(&rdata, &tsig, NULL); - INSIST(result == ISC_R_SUCCESS); -- if (msg->tsigstatus != dns_rcode_noerror) -+ if (msg->verified_sig && -+ msg->tsigstatus == dns_rcode_noerror && -+ tsig.error == dns_rcode_noerror) -+ { -+ result = ISC_R_SUCCESS; -+ } else if ((!msg->verified_sig) || -+ (msg->tsigstatus != dns_rcode_noerror)) -+ { - result = DNS_R_TSIGVERIFYFAILURE; -- else if (tsig.error != dns_rcode_noerror) -+ } else { -+ INSIST(tsig.error != dns_rcode_noerror); - result = DNS_R_TSIGERRORSET; -- else -- result = ISC_R_SUCCESS; -+ } - dns_rdata_freestruct(&tsig); - - if (msg->tsigkey == NULL) { -diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c -index 400efe9..4e183e6 100644 ---- a/lib/dns/tsig.c -+++ b/lib/dns/tsig.c -@@ -977,9 +977,10 @@ dns_tsig_sign(dns_message_t *msg) { - return (ret); - - /* -- * If this is a response, digest the query signature. -+ * If this is a response and the query's signature -+ * validated, digest the query signature. - */ -- if (response) { -+ if (response && (tsig.error == dns_rcode_noerror)) { - dns_rdata_t querytsigrdata = DNS_RDATA_INIT; - - ret = dns_rdataset_first(msg->querytsig); -@@ -1216,6 +1217,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, - REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey)); - - msg->verify_attempted = 1; -+ msg->verified_sig = 0; -+ msg->tsigstatus = dns_tsigerror_badsig; - - if (msg->tcp_continuation) { - if (tsigkey == NULL || msg->querytsig == NULL) -@@ -1339,27 +1342,31 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, - #endif - alg == DST_ALG_HMACSHA1 || - alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -- alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) { -+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) -+ { - isc_uint16_t digestbits = dst_key_getbits(key); - if (tsig.siglen > siglen) { - tsig_log(msg->tsigkey, 2, "signature length too big"); - return (DNS_R_FORMERR); - } - if (tsig.siglen > 0 && -- (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) { -+ (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) -+ { - tsig_log(msg->tsigkey, 2, - "signature length below minimum"); - return (DNS_R_FORMERR); - } - if (tsig.siglen > 0 && digestbits != 0 && -- tsig.siglen < ((digestbits + 1) / 8)) { -+ tsig.siglen < ((digestbits + 1) / 8)) -+ { - msg->tsigstatus = dns_tsigerror_badtrunc; - tsig_log(msg->tsigkey, 2, - "truncated signature length too small"); - return (DNS_R_TSIGVERIFYFAILURE); - } - if (tsig.siglen > 0 && digestbits == 0 && -- tsig.siglen < siglen) { -+ tsig.siglen < siglen) -+ { - msg->tsigstatus = dns_tsigerror_badtrunc; - tsig_log(msg->tsigkey, 2, "signature length too small"); - return (DNS_R_TSIGVERIFYFAILURE); -@@ -1378,7 +1385,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, - if (ret != ISC_R_SUCCESS) - return (ret); - -- if (response) { -+ if (response && (tsig.error == dns_rcode_noerror)) { - isc_buffer_init(&databuf, data, sizeof(data)); - isc_buffer_putuint16(&databuf, querytsig.siglen); - isc_buffer_usedregion(&databuf, &r); -@@ -1483,10 +1490,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, - tsig_log(msg->tsigkey, 2, - "signature failed to verify(1)"); - goto cleanup_context; -- } else if (ret != ISC_R_SUCCESS) -+ } else if (ret != ISC_R_SUCCESS) { - goto cleanup_context; -- -- dst_context_destroy(&ctx); -+ } - } else if (tsig.error != dns_tsigerror_badsig && - tsig.error != dns_tsigerror_badkey) { - msg->tsigstatus = dns_tsigerror_badsig; -@@ -1494,18 +1500,18 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, - return (DNS_R_TSIGVERIFYFAILURE); - } - -- msg->tsigstatus = dns_rcode_noerror; -- - if (tsig.error != dns_rcode_noerror) { -+ msg->tsigstatus = tsig.error; - if (tsig.error == dns_tsigerror_badtime) -- return (DNS_R_CLOCKSKEW); -+ ret = DNS_R_CLOCKSKEW; - else -- return (DNS_R_TSIGERRORSET); -+ ret = DNS_R_TSIGERRORSET; -+ goto cleanup_context; - } - -+ msg->tsigstatus = dns_rcode_noerror; - msg->verified_sig = 1; -- -- return (ISC_R_SUCCESS); -+ ret = ISC_R_SUCCESS; - - cleanup_context: - if (ctx != NULL) -@@ -1537,6 +1543,9 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { - REQUIRE(msg->tcp_continuation == 1); - REQUIRE(msg->querytsig != NULL); - -+ msg->verified_sig = 0; -+ msg->tsigstatus = dns_tsigerror_badsig; -+ - if (!is_response(msg)) - return (DNS_R_EXPECTEDRESPONSE); - -@@ -1575,7 +1584,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { - * Do the key name and algorithm match that of the query? - */ - if (!dns_name_equal(keyname, &tsigkey->name) || -- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) { -+ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) -+ { - msg->tsigstatus = dns_tsigerror_badkey; - ret = DNS_R_TSIGVERIFYFAILURE; - tsig_log(msg->tsigkey, 2, -@@ -1594,7 +1604,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { - ret = DNS_R_CLOCKSKEW; - goto cleanup_querystruct; - } else if (now + msg->timeadjust < -- tsig.timesigned - tsig.fudge) { -+ tsig.timesigned - tsig.fudge) -+ { - msg->tsigstatus = dns_tsigerror_badtime; - tsig_log(msg->tsigkey, 2, - "signature is in the future"); -@@ -1700,10 +1711,12 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { - sig_r.length = tsig.siglen; - if (tsig.siglen == 0) { - if (tsig.error != dns_rcode_noerror) { -- if (tsig.error == dns_tsigerror_badtime) -+ msg->tsigstatus = tsig.error; -+ if (tsig.error == dns_tsigerror_badtime) { - ret = DNS_R_CLOCKSKEW; -- else -+ } else { - ret = DNS_R_TSIGERRORSET; -+ } - } else { - tsig_log(msg->tsigkey, 2, - "signature is empty"); -@@ -1719,24 +1732,32 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { - "signature failed to verify(2)"); - ret = DNS_R_TSIGVERIFYFAILURE; - goto cleanup_context; -- } -- else if (ret != ISC_R_SUCCESS) -+ } else if (ret != ISC_R_SUCCESS) { - goto cleanup_context; -+ } - -- dst_context_destroy(&msg->tsigctx); -+ if (tsig.error != dns_rcode_noerror) { -+ msg->tsigstatus = tsig.error; -+ if (tsig.error == dns_tsigerror_badtime) -+ ret = DNS_R_CLOCKSKEW; -+ else -+ ret = DNS_R_TSIGERRORSET; -+ goto cleanup_context; -+ } - } - - msg->tsigstatus = dns_rcode_noerror; -- return (ISC_R_SUCCESS); -+ msg->verified_sig = 1; -+ ret = ISC_R_SUCCESS; - - cleanup_context: -- dst_context_destroy(&msg->tsigctx); -+ if (msg->tsigctx != NULL) -+ dst_context_destroy(&msg->tsigctx); - - cleanup_querystruct: - dns_rdata_freestruct(&querytsig); - - return (ret); -- - } - - isc_result_t -- cgit v1.2.3