Add advisory and patches for SA-15:23.bind.
parent 9bc66bf912
commit 817e854bad
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=47340
4 changed files with 661 additions and 0 deletions
share/security/advisories/FreeBSD-SA-15:23.bind.asc (Normal file, 147 lines)
@@ -0,0 +1,147 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:23.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2015-09-02
Credits:        ISC
Affects:        FreeBSD 9.x
Corrected:      2015-09-02 20:06:46 UTC (stable/9, 9.3-STABLE)
                2015-09-02 20:07:03 UTC (releng/9.3, 9.3-RELEASE-p25)
CVE Name:       CVE-2015-5722

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.  The libdns
library is a library of DNS protocol support functions.

II.  Problem Description

Parsing a malformed DNSSEC key can cause a validating resolver to exit
due to a failed assertion in buffer.c.

III. Impact

A remote attacker can deliberately trigger the failed assertion which
will cause an affected server to terminate, by using a query that
requires a response from a zone containing a malformed key, resulting
in a denial of service condition.

Recursive servers are at greatest risk, however, an authoritative server
could also be affected, if an attacker controls a zone that the server
must query against to perform its zone service.

IV.  Workaround

No workaround is available, but hosts not running named(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update.  A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update.  A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:23/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:23/bind.patch.asc
# gpg --verify bind.patch.asc

Please note that FreeBSD 9.3-STABLE is also affected by another issue
(CVE-2015-5986), and a different patch should be used.

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the named(8) daemon, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r287409
releng/9.3/                                                       r287410
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://kb.isc.org/article/AA-01287>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5722>

CVE-2015-5986 is listed here for completeness and affects FreeBSD
9.3-STABLE but not FreeBSD 9.3-RELEASE:

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5986>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:23.bind.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.7 (FreeBSD)

iQIcBAEBCgAGBQJV52K9AAoJEO1n7NZdz2rnYQEP/1MY+pxPVMWT86qNKZ8upUpH
LadLmtYAERrT9SMBrEFNCgylRdwNabTPKU0ZtxW8I57rks+j4bci053qo9Z7Hyo0
tbK3hTtxJZHNBO1G+NFfQxx9U+R+86Korx3NvDiB78XkJaab5On3dSgIMJYPEIL+
h0NEfYqe+X+LYg3W46faPdIuOsgxWSYN1T6mcZ5B5lucbT+LXjA5sRj+rUcE+a4O
2lIdM1oesWOZrEZo9FjK3UPvBbiEZkspr5IBd0zA825+BZNOpk06SOS/f3N0Pz8u
S2vGlxcT37CzC9fPgjQpcNBmB+76xLgz74Inj4uPDSvCz+wmmcr95YOgheZb2N6K
Bqakzy9TyRNk1aa8VXb8XpfyfMzroWG/vNjV6trI5wry7U0zRSl4dz+XAoz0A/eO
9ue88iWsVh97HBWKH94K8ZCA49G3NLgkbDkJ3awS4TfIKwwh9bGDiDepu1KMqnC1
EzyRk2fnr9JIreLj5zR1ctL1xGUvBIzWvHeT72PjgdZ/hqDoXTHKSVnDoR0c6T+U
bJBJSLi3KUqaMkKRJez84r7G8RKtudLT292l4UQ3qgbiuaXagY6m1W0WBpLvw/zv
RQOsG3HPpDrrV/LiSWKybEX2hIqIHd3tssfjQqvMa4WLO3h8wVONjw74YgRzZaYb
t/1F4r4UYtfIJ7omydxx
=B0u1
-----END PGP SIGNATURE-----
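The failure class behind Section II of the advisory shows up in the bind.patch hunks below: key-parsing code advanced a region's base pointer without shrinking its length, and opensslrsa_fromdns then forwarded the caller's buffer by the leftover `r.length` instead of by everything it had read, so the buffer position no longer matched the bytes consumed. The following C program is an added example, not ISC's or FreeBSD's code. It parses the RFC 3110 RSA public key wire format (the layout opensslrsa_fromdns handles) with a `region_consume` helper that keeps base and length in step, reports truncated or degenerate keys as a parse error rather than an assertion, and returns the total number of bytes the caller must forward. `region_t`, `rsa_pubkey_t`, `rsa_pubkey_fromwire`, the wrapper functions and the `KEY_*` sample RDATA are all this example's own constructed names and values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not ISC code: a byte range whose base and length always move
 * together, in the spirit of the isc_region_consume() calls the patch adds. */
typedef struct {
    const uint8_t *base;
    size_t length;
} region_t;

typedef struct {
    const uint8_t *exponent;
    size_t exponent_len;
    const uint8_t *modulus;
    size_t modulus_len;
} rsa_pubkey_t;

/* Advance past n bytes, or report failure instead of running off the end. */
static bool region_consume(region_t *r, size_t n)
{
    if (r->length < n)
        return false;
    r->base += n;
    r->length -= n;
    return true;
}

/*
 * Parse RFC 3110 RSA public key RDATA: a 1-byte exponent length (0 means a
 * 2-byte big-endian length follows), the exponent, then the modulus to the
 * end of the RDATA.  On success *consumed is the full input length, which is
 * what the caller must forward its buffer by; the pre-fix opensslrsa_fromdns
 * forwarded by the leftover r.length, i.e. by the modulus size only.
 * Returns 0 on success, -1 for truncated or degenerate input.
 */
int rsa_pubkey_fromwire(const uint8_t *data, size_t len,
                        rsa_pubkey_t *out, size_t *consumed)
{
    region_t r = { data, len };
    size_t e_len;

    if (r.length < 1)
        return -1;
    e_len = r.base[0];
    if (!region_consume(&r, 1))
        return -1;
    if (e_len == 0) {                       /* long form */
        if (r.length < 2)
            return -1;
        e_len = ((size_t)r.base[0] << 8) | r.base[1];
        if (!region_consume(&r, 2) || e_len == 0)
            return -1;                      /* empty exponent is never valid */
    }
    /* Strictly greater: the exponent must fit and leave a non-empty modulus. */
    if (r.length <= e_len)
        return -1;
    out->exponent = r.base;
    out->exponent_len = e_len;
    if (!region_consume(&r, e_len))
        return -1;
    out->modulus = r.base;
    out->modulus_len = r.length;
    *consumed = len;
    return 0;
}

/* Constructed sample RDATA for this example, not real DNSKEY records. */
const uint8_t KEY_SHORT[] = { 0x03, 0x01, 0x00, 0x01, 0xaa, 0xbb, 0xcc, 0xdd };
const uint8_t KEY_LONG[]  = { 0x00, 0x00, 0x03, 0x01, 0x00, 0x01, 0xaa, 0xbb };
const uint8_t KEY_TRUNC[] = { 0x03, 0x01, 0x00 };        /* exponent cut short */
const uint8_t KEY_NOMOD[] = { 0x03, 0x01, 0x00, 0x01 };  /* exponent fills the RDATA */
const uint8_t KEY_LONG_TRUNC[] = { 0x00, 0x01 };         /* long form, length byte missing */
const uint8_t KEY_ZERO_EXP[] = { 0x00, 0x00, 0x00, 0xaa, 0xbb }; /* long form, zero length */

/* Small wrappers so results can be checked by value. */
int parse_status(const uint8_t *d, size_t n)
{
    rsa_pubkey_t k; size_t c;
    return rsa_pubkey_fromwire(d, n, &k, &c);
}

size_t parsed_modulus_len(const uint8_t *d, size_t n)
{
    rsa_pubkey_t k; size_t c;
    return rsa_pubkey_fromwire(d, n, &k, &c) == 0 ? k.modulus_len : 0;
}

size_t bytes_to_forward(const uint8_t *d, size_t n)
{
    rsa_pubkey_t k; size_t c;
    return rsa_pubkey_fromwire(d, n, &k, &c) == 0 ? c : 0;
}

int main(void)
{
    printf("short form: status %d, modulus %zu bytes, forward %zu bytes\n",
           parse_status(KEY_SHORT, sizeof(KEY_SHORT)),
           parsed_modulus_len(KEY_SHORT, sizeof(KEY_SHORT)),
           bytes_to_forward(KEY_SHORT, sizeof(KEY_SHORT)));
    printf("truncated: %d, no modulus: %d, zero exponent: %d\n",
           parse_status(KEY_TRUNC, sizeof(KEY_TRUNC)),
           parse_status(KEY_NOMOD, sizeof(KEY_NOMOD)),
           parse_status(KEY_ZERO_EXP, sizeof(KEY_ZERO_EXP)));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. Both accepted keys report a forward count of 8, the whole RDATA, where forwarding by the leftover region length (the pre-fix behaviour) would have advanced the buffer by only the 4- or 2-byte modulus and left the caller positioned inside the key it had just parsed.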
share/security/patches/SA-15:23/bind.patch (Normal file, 485 lines)
@@ -0,0 +1,485 @@
Index: contrib/bind9/lib/dns/hmac_link.c
===================================================================
--- contrib/bind9/lib/dns/hmac_link.c (revision 287393)
+++ contrib/bind9/lib/dns/hmac_link.c (working copy)
@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *d
hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
if (hmacmd5ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
return (ISC_R_SUCCESS);
}
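Review bot: the ISC_SHA1_BLOCK_LENGTH to ISC_MD5_BLOCK_LENGTH substitution in hmacmd5_createctx (repeated in the hmacmd5_compare, hmacmd5_generate and hmacmd5_fromdns hunks that follow) is a naming correction, not a size change: MD5 and SHA-1 both use 64-byte blocks, so the HMAC-MD5 code was already using the right length under the wrong constant. Say so in the commit message, otherwise a reader may take the rename for part of the CVE-2015-5722 fix.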
@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_k
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);

- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_
isc_buffer_t b;
isc_result_t ret;
unsigned int bytes;
- unsigned char data[ISC_SHA1_BLOCK_LENGTH];
+ unsigned char data[ISC_MD5_BLOCK_LENGTH];

UNUSED(callback);

bytes = (key->key_size + 7) / 8;
- if (bytes > ISC_SHA1_BLOCK_LENGTH) {
- bytes = ISC_SHA1_BLOCK_LENGTH;
- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
+ if (bytes > ISC_MD5_BLOCK_LENGTH) {
+ bytes = ISC_MD5_BLOCK_LENGTH;
+ key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
}

- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));

if (ret != ISC_R_SUCCESS)
@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacmd5_fromdns(key, &b);
- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);

return (ret);
}
@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data

memset(hkey->key, 0, sizeof(hkey->key));

- if (r.length > ISC_SHA1_BLOCK_LENGTH) {
+ if (r.length > ISC_MD5_BLOCK_LENGTH) {
isc_md5_init(&md5ctx);
isc_md5_update(&md5ctx, r.base, r.length);
isc_md5_final(&md5ctx, hkey->key);
@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data
key->key_size = keylen * 8;
key->keydata.hmacmd5 = hkey;

+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}

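Review bot: the added `isc_buffer_forward(data, r.length);` in hmacmd5_fromdns is what brings the caller's buffer position into agreement with how much key material was parsed; it is correct provided r still describes the whole remaining region at that point, which the visible hashed branch (`isc_md5_update(&md5ctx, r.base, r.length)`) preserves since it only reads through r. The same three lines are pasted into five more `*_fromdns` functions below; one comment on this first instance, saying why the buffer must be consumed before returning, would spare the next reader from working it out six times.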
@@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *dat
key->key_size = keylen * 8;
key->keydata.hmacsha1 = hkey;

+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}

@@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *d
key->key_size = keylen * 8;
key->keydata.hmacsha224 = hkey;

+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}

@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *d
key->key_size = keylen * 8;
key->keydata.hmacsha256 = hkey;

+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}

@@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *d
key->key_size = keylen * 8;
key->keydata.hmacsha384 = hkey;

+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}

@@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *d
key->key_size = keylen * 8;
key->keydata.hmacsha512 = hkey;

+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}

Index: contrib/bind9/lib/dns/include/dst/dst.h
===================================================================
--- contrib/bind9/lib/dns/include/dst/dst.h (revision 287393)
+++ contrib/bind9/lib/dns/include/dst/dst.h (working copy)
@@ -69,6 +69,7 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_HMACSHA256 163 /* XXXMPA */
#define DST_ALG_HMACSHA384 164 /* XXXMPA */
#define DST_ALG_HMACSHA512 165 /* XXXMPA */
+#define DST_ALG_INDIRECT 252
#define DST_ALG_PRIVATE 254
#define DST_ALG_EXPAND 255
#define DST_MAX_ALGS 255
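Review bot: `DST_ALG_INDIRECT 252` is the only entry in this block without a comment, while its neighbours carry `/* XXXMPA */` and the resolver.c hunk that rejects it cites RFC 4034 sec. A.1 for DH only. Suggest `#define DST_ALG_INDIRECT 252 /* RFC 4034 A.1: INDIRECT */` so the reason the resolver refuses this value is recorded next to its definition.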
Index: contrib/bind9/lib/dns/ncache.c
===================================================================
--- contrib/bind9/lib/dns/ncache.c (revision 287393)
+++ contrib/bind9/lib/dns/ncache.c (working copy)
@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherd
dns_name_fromregion(&tname, &remaining);
INSIST(remaining.length >= tname.length);
isc_buffer_forward(&source, tname.length);
- remaining.length -= tname.length;
- remaining.base += tname.length;
+ isc_region_consume(&remaining, tname.length);

INSIST(remaining.length >= 2);
type = isc_buffer_getuint16(&source);
- remaining.length -= 2;
- remaining.base += 2;
+ isc_region_consume(&remaining, 2);

if (type != dns_rdatatype_rrsig ||
!dns_name_equal(&tname, name)) {
@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherd
INSIST(remaining.length >= 1);
trust = isc_buffer_getuint8(&source);
INSIST(trust <= dns_trust_ultimate);
- remaining.length -= 1;
- remaining.base += 1;
+ isc_region_consume(&remaining, 1);

raw = remaining.base;
count = raw[0] * 256 + raw[1];
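Review bot: in this second hunk `raw = remaining.base; count = raw[0] * 256 + raw[1];` reads two bytes right after `isc_region_consume(&remaining, 1)`, but the only bound in view is `INSIST(remaining.length >= 1)`, which that consume uses up. Unless a `remaining.length >= 2` check sits just past the end of the hunk, the read of `raw[1]` is unguarded; please confirm, or add an INSIST before the read, mirroring the `>= 2` check the first hunk makes before reading `type`.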
Index: contrib/bind9/lib/dns/openssldh_link.c
===================================================================
--- contrib/bind9/lib/dns/openssldh_link.c (revision 287393)
+++ contrib/bind9/lib/dns/openssldh_link.c (working copy)
@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {

static void
uint16_toregion(isc_uint16_t val, isc_region_t *region) {
- *region->base++ = (val & 0xff00) >> 8;
- *region->base++ = (val & 0x00ff);
+ *region->base = (val & 0xff00) >> 8;
+ isc_region_consume(region, 1);
+ *region->base = (val & 0x00ff);
+ isc_region_consume(region, 1);
}

static isc_uint16_t
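Review bot: this hunk is the whole patch in miniature: `*region->base++ = ...` moved base but left length untouched, so after the call the region overstated how many bytes remained and any later consumer that trusted `length` could run past the end. `isc_region_consume` moves both fields together. The two writes still happen before the consumes, so `region->length >= 2` has to be guaranteed by the caller; that check is outside these hunks, so it is worth verifying at the openssldh_todns call sites while here, and worth a one-line comment on uint16_toregion.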
@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) {
val = ((unsigned int)(cp[0])) << 8;
val |= ((unsigned int)(cp[1]));

- region->base += 2;
+ isc_region_consume(region, 2);
+
return (val);
}

@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t
}
else
BN_bn2bin(dh->p, r.base);
- r.base += plen;
+ isc_region_consume(&r, plen);

uint16_toregion(glen, &r);
if (glen > 0)
BN_bn2bin(dh->g, r.base);
- r.base += glen;
+ isc_region_consume(&r, glen);

uint16_toregion(publen, &r);
BN_bn2bin(dh->pub_key, r.base);
- r.base += publen;
+ isc_region_consume(&r, publen);

isc_buffer_add(data, dnslen);

@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
return (DST_R_INVALIDPUBLICKEY);
}
if (plen == 1 || plen == 2) {
- if (plen == 1)
- special = *r.base++;
- else
+ if (plen == 1) {
+ special = *r.base;
+ isc_region_consume(&r, 1);
+ } else {
special = uint16_fromregion(&r);
+ }
switch (special) {
case 1:
dh->p = &bn768;
@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
DH_free(dh);
return (DST_R_INVALIDPUBLICKEY);
}
- }
- else {
+ } else {
dh->p = BN_bin2bn(r.base, plen, NULL);
- r.base += plen;
+ isc_region_consume(&r, plen);
}

/*
@@ -421,8 +425,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
return (DST_R_INVALIDPUBLICKEY);
}
}
- }
- else {
+ } else {
if (glen == 0) {
DH_free(dh);
return (DST_R_INVALIDPUBLICKEY);
@@ -429,7 +432,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
}
dh->g = BN_bin2bn(r.base, glen, NULL);
}
- r.base += glen;
+ isc_region_consume(&r, glen);

if (r.length < 2) {
DH_free(dh);
@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
return (DST_R_INVALIDPUBLICKEY);
}
dh->pub_key = BN_bin2bn(r.base, publen, NULL);
- r.base += publen;
+ isc_region_consume(&r, publen);

key->key_size = BN_num_bits(dh->p);

Index: contrib/bind9/lib/dns/openssldsa_link.c
===================================================================
--- contrib/bind9/lib/dns/openssldsa_link.c (revision 287393)
+++ contrib/bind9/lib/dns/openssldsa_link.c (working copy)
@@ -29,8 +29,6 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

-/* $Id$ */
-
#ifdef OPENSSL
#ifndef USE_EVP
#define USE_EVP 1
@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t
DSA *dsa = key->keydata.dsa;
isc_region_t r;
DSA_SIG *dsasig;
+ unsigned int klen;
#if USE_EVP
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey;
@@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t
ISC_R_FAILURE));
}
free(sigbuf);
+
#elif 0
/* Only use EVP for the Digest */
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t
"DSA_do_sign",
DST_R_SIGNFAILURE));
#endif
- *r.base++ = (key->key_size - 512)/64;
+
+ klen = (key->key_size - 512)/64;
+ if (klen > 255)
+ return (ISC_R_FAILURE);
+ *r.base = klen;
+ isc_region_consume(&r, 1);
+
BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
DSA_SIG_free(dsasig);
isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);

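Review bot: the new `if (klen > 255) return (ISC_R_FAILURE);` exits after `dsasig` has been obtained (it is dereferenced unconditionally two lines later) but before the `DSA_SIG_free(dsasig);` at the bottom of the hunk, so that path leaks the DSA_SIG; free it before returning. The check itself is sound: klen is `unsigned int` (declared in the earlier hunk), so a key_size below 512 wraps to a huge klen and is caught by the same comparison, whereas the old `*r.base++ = (key->key_size - 512)/64` silently truncated the value to one byte. A comment noting that the comparison also covers the underflow case would help.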
@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_
if (r.length < (unsigned int) dnslen)
return (ISC_R_NOSPACE);

- *r.base++ = t;
+ *r.base = t;
+ isc_region_consume(&r, 1);
BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);

isc_buffer_add(data, dnslen);

@@ -479,7 +486,8 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *d
return (ISC_R_NOMEMORY);
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;

- t = (unsigned int) *r.base++;
+ t = (unsigned int) *r.base;
+ isc_region_consume(&r, 1);
if (t > 8) {
DSA_free(dsa);
return (DST_R_INVALIDPUBLICKEY);
@@ -486,22 +494,22 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *d
}
p_bytes = 64 + 8 * t;

- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
DSA_free(dsa);
return (DST_R_INVALIDPUBLICKEY);
}

dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);

dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);

dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);

dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);

key->key_size = p_bytes * 8;

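Review bot: dropping the `1 +` from `if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes)` is the necessary companion to the previous hunk: `t` is now read with `isc_region_consume(&r, 1)`, which shrinks r.length, whereas the old `*r.base++` advanced base only, so the `1 +` was compensating for a length that had not been reduced. Correct, but easy to break in a later merge; a short comment above the check would save re-deriving it. Also, in the previous hunk `t = (unsigned int) *r.base;` runs before any length check visible here, so a non-empty-region check must exist earlier in the function; worth confirming.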
Index: contrib/bind9/lib/dns/opensslecdsa_link.c
===================================================================
--- contrib/bind9/lib/dns/opensslecdsa_link.c (revision 287393)
+++ contrib/bind9/lib/dns/opensslecdsa_link.c (working copy)
@@ -14,8 +14,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/

-/* $Id$ */
-
#include <config.h>

#ifdef HAVE_OPENSSL_ECDSA
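Review bot: this hunk, like the `@@ -29,8 +29,6 @@` one in openssldsa_link.c, only removes the `/* $Id$ */` keyword line. Unrelated cleanup in a security patch makes the backport larger than the fix and harder to audit; either leave these two hunks out of the SA patch or state in the commit message that they are carried to stay in sync with the upstream release.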
@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_
"ECDSA_do_sign",
DST_R_SIGNFAILURE));
BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
- r.base += siglen / 2;
+ isc_region_consume(&r, siglen / 2);
BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
- r.base += siglen / 2;
+ isc_region_consume(&r, siglen / 2);
ECDSA_SIG_free(ecdsasig);
isc_buffer_add(sig, siglen);
ret = ISC_R_SUCCESS;
Index: contrib/bind9/lib/dns/opensslrsa_link.c
===================================================================
--- contrib/bind9/lib/dns/opensslrsa_link.c (revision 287393)
+++ contrib/bind9/lib/dns/opensslrsa_link.c (working copy)
@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d
RSA *rsa;
isc_region_t r;
unsigned int e_bytes;
+ unsigned int length;
#if USE_EVP
EVP_PKEY *pkey;
#endif
@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d
isc_buffer_remainingregion(data, &r);
if (r.length == 0)
return (ISC_R_SUCCESS);
+ length = r.length;

rsa = RSA_new();
if (rsa == NULL)
@@ -982,8 +984,8 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d
RSA_free(rsa);
return (DST_R_INVALIDPUBLICKEY);
}
- e_bytes = *r.base++;
- r.length--;
+ e_bytes = *r.base;
+ isc_region_consume(&r, 1);

if (e_bytes == 0) {
if (r.length < 2) {
@@ -990,9 +992,10 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d
RSA_free(rsa);
return (DST_R_INVALIDPUBLICKEY);
}
- e_bytes = ((*r.base++) << 8);
- e_bytes += *r.base++;
- r.length -= 2;
+ e_bytes = (*r.base) << 8;
+ isc_region_consume(&r, 1);
+ e_bytes += *r.base;
+ isc_region_consume(&r, 1);
}

if (r.length < e_bytes) {
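Review bot: with the exponent length now parsed through `isc_region_consume`, r.length is exact, but the bound `if (r.length < e_bytes)` still admits two degenerate keys: r.length == e_bytes, which leaves zero bytes for the modulus (the `rsa->n = BN_bin2bn(r.base, r.length, NULL)` in the next hunk then builds a zero n and `key->key_size` becomes 0), and a long-form length of 0x0000, which the new `e_bytes = (*r.base) << 8; ... e_bytes += *r.base;` accepts and which yields an empty exponent. Reject both here (`e_bytes == 0 || r.length <= e_bytes`) with DST_R_INVALIDPUBLICKEY rather than handing OpenSSL a zero exponent or modulus.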
@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d
return (DST_R_INVALIDPUBLICKEY);
}
rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
- r.base += e_bytes;
- r.length -= e_bytes;
+ isc_region_consume(&r, e_bytes);

rsa->n = BN_bin2bn(r.base, r.length, NULL);

key->key_size = BN_num_bits(rsa->n);

- isc_buffer_forward(data, r.length);
+ isc_buffer_forward(data, length);

#if USE_EVP
pkey = EVP_PKEY_new();
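Review bot: `isc_buffer_forward(data, length)`, with `length` saved before any consumption, fixes the old under-consumption: by the time the old `isc_buffer_forward(data, r.length)` ran, r.length had already lost the exponent-length byte(s) and e_bytes, so the buffer was advanced by the modulus size only and the caller's position was left inside the key it had just parsed. Since `rsa->n` takes everything that remains, forwarding by the full original length is the right amount; a comment tying `length` to that fact would make the intent obvious to the next reader.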
Index: contrib/bind9/lib/dns/resolver.c
===================================================================
--- contrib/bind9/lib/dns/resolver.c (revision 287393)
+++ contrib/bind9/lib/dns/resolver.c (working copy)
@@ -8937,6 +8937,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *r

REQUIRE(VALID_RESOLVER(resolver));

+ /*
+ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
+ */
+ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
+ return (ISC_FALSE);
+
#if USE_ALGLOCK
RWLOCK(&resolver->alglock, isc_rwlocktype_read);
#endif
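Review bot: the comment says only "DH is unsupported for DNSKEYs", but the condition also rejects DST_ALG_INDIRECT; update it to cover both, e.g. `/* DH and INDIRECT (RFC 4034 sec. A.1) are not usable DNSKEY algorithms. */`.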
@@ -8956,6 +8962,7 @@ dns_resolver_algorithm_supported(dns_resolver_t *r
#endif
if (found)
return (ISC_FALSE);
+
return (dst_algorithm_supported(alg));
}

share/security/patches/SA-15:23/bind.patch.asc (Normal file, 17 lines)
@@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.7 (FreeBSD)

iQIcBAABCgAGBQJV52LHAAoJEO1n7NZdz2rnLHcP/iRhghnkzM4yzEQeluR2nQG9
VBdJfaJStqcnBWGh7YOCEDc8O53WG/UvghNJp195ElnRqI2U8fcbV/5SkL+4b0LQ
vmBVG91IA8wqXc+XohaRUj5Lh3pMyVbo9jrjIO2r1uZlAwEiJxIoRvI6iwaCmNT3
Sz1gHj+Q1ejf4iQMQzvtORkySU2lV/oHGmrLq3HJwY9RJhhaSULCg9vTeHy5UDZ0
hOhPhcjZxWBLwI91ucM1h3ds3Xg006SE/DCpzgG18QzOUUQJBrRv9AMX22Lh/ZTY
v4AZvdtcRXIG/+LBo2rFTMF/dxCOMlRXk3ROoZiF0QhdWDnSpcZ68FjcBQMzX+bs
ic6o3PJ+92HLBUlfIkuz2ebPPuKPQgXwUCfNnmwzmT3b6PSQmlmE6xyg/hKqxGyP
nZTym/TyK6fTcJ8QsZGY94eF0mXfojk3Rcwkp5Gll2uLhLU70So1iugPfooJ2BJV
UVUfLuKpr0NWq8nQ1EhlP/5ebsvk5uvm7p47WIul3cgoCnCplGxsiW4T9mc5MbOM
6Zlr8UsPNz9oMFqQAtz0Ixjr4cQdVT65JEER/nQrl5GWPJjFMDCfH4tBeUUYwU9u
EylrAcQrZ/UD2z+PmDsqC14CSZLe5UpHKT4TP6gQS8B+TAvyZc70LsUzR++UH6CK
cONDnF8JJVo1Zmv1UcF5
=9I73
-----END PGP SIGNATURE-----
@@ -7,6 +7,18 @@
<year>
<name>2015</name>

<month>
<name>9</name>

<day>
<name>2</name>

<advisory>
<name>FreeBSD-SA-15:23.bind</name>
</advisory>
</day>
</month>

<month>
<name>8</name>
