Add advisory and patches for SA-15:23.bind.
This commit is contained in:
parent 9bc66bf912
commit 817e854bad
Notes: svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=47340
4 changed files with 661 additions and 0 deletions

147 share/security/advisories/FreeBSD-SA-15:23.bind.asc Normal file
							|  | @ -0,0 +1,147 @@ | |||
| -----BEGIN PGP SIGNED MESSAGE----- | ||||
| Hash: SHA512 | ||||
| 
 | ||||
| ============================================================================= | ||||
| FreeBSD-SA-15:23.bind                                       Security Advisory | ||||
|                                                           The FreeBSD Project | ||||
| 
 | ||||
| Topic:          BIND remote denial of service vulnerability | ||||
| 
 | ||||
| Category:       contrib | ||||
| Module:         bind | ||||
| Announced:      2015-09-02 | ||||
| Credits:        ISC | ||||
| Affects:        FreeBSD 9.x | ||||
| Corrected:      2015-09-02 20:06:46 UTC (stable/9, 9.3-STABLE) | ||||
|                 2015-09-02 20:07:03 UTC (releng/9.3, 9.3-RELEASE-p25) | ||||
| CVE Name:       CVE-2015-5722 | ||||
| 
 | ||||
| For general information regarding FreeBSD Security Advisories, | ||||
| including descriptions of the fields above, security branches, and the | ||||
| following sections, please visit <URL:https://security.FreeBSD.org/>. | ||||
| 
 | ||||
| I.   Background | ||||
| 
 | ||||
| BIND 9 is an implementation of the Domain Name System (DNS) protocols. | ||||
| The named(8) daemon is an Internet Domain Name Server.  The libdns | ||||
| library is a library of DNS protocol support functions. | ||||
| 
 | ||||
| II.  Problem Description | ||||
| 
 | ||||
| Parsing a malformed DNSSEC key can cause a validating resolver to exit | ||||
| due to a failed assertion in buffer.c. | ||||
| 
 | ||||
| III. Impact | ||||
| 
 | ||||
| A remote attacker can deliberately trigger the failed assertion which | ||||
| will cause an affected server to terminate, by using a query that | ||||
| requires a response from a zone containing a malformed key, resulting | ||||
| in a denial of service condition. | ||||
| 
 | ||||
| Recursive servers are at greatest risk, however, an authoritative server | ||||
| could also be affected, if an attacker controls a zone that the server | ||||
| must query against to perform its zone service. | ||||
| 
 | ||||
| IV.  Workaround | ||||
| 
 | ||||
| No workaround is available, but hosts not running named(8) are not | ||||
| vulnerable. | ||||
| 
 | ||||
| V.   Solution | ||||
| 
 | ||||
| Perform one of the following: | ||||
| 
 | ||||
| 1) Upgrade your vulnerable system to a supported FreeBSD stable or | ||||
| release / security branch (releng) dated after the correction date. | ||||
| 
 | ||||
| The named service has to be restarted after the update.  A reboot is | ||||
| recommended but not required. | ||||
| 
 | ||||
| 2) To update your vulnerable system via a binary patch: | ||||
| 
 | ||||
| Systems running a RELEASE version of FreeBSD on the i386 or amd64 | ||||
| platforms can be updated via the freebsd-update(8) utility: | ||||
| 
 | ||||
| # freebsd-update fetch | ||||
| # freebsd-update install | ||||
| 
 | ||||
| The named service has to be restarted after the update.  A reboot is | ||||
| recommended but not required. | ||||
| 
 | ||||
| 3) To update your vulnerable system via a source code patch: | ||||
| 
 | ||||
| The following patches have been verified to apply to the applicable | ||||
| FreeBSD release branches. | ||||
| 
 | ||||
| a) Download the relevant patch from the location below, and verify the | ||||
| detached PGP signature using your PGP utility. | ||||
| 
 | ||||
| [FreeBSD 9.3] | ||||
| # fetch https://security.FreeBSD.org/patches/SA-15:23/bind.patch | ||||
| # fetch https://security.FreeBSD.org/patches/SA-15:23/bind.patch.asc | ||||
| # gpg --verify bind.patch.asc | ||||
| 
 | ||||
| Please note that FreeBSD 9.3-STABLE is also affected by another issue | ||||
| (CVE-2015-5986), and a different patch should be used. | ||||
| 
 | ||||
| b) Apply the patch.  Execute the following commands as root: | ||||
| 
 | ||||
| # cd /usr/src | ||||
| # patch < /path/to/patch | ||||
| 
 | ||||
| c) Recompile the operating system using buildworld and installworld as | ||||
| described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. | ||||
| 
 | ||||
| Restart the named(8) daemon, or reboot the system. | ||||
| 
 | ||||
| VI.  Correction details | ||||
| 
 | ||||
| The following list contains the correction revision numbers for each | ||||
| affected branch. | ||||
| 
 | ||||
| Branch/path                                                      Revision | ||||
| - ------------------------------------------------------------------------- | ||||
| stable/9/                                                         r287409 | ||||
| releng/9.3/                                                       r287410 | ||||
| - ------------------------------------------------------------------------- | ||||
| 
 | ||||
| To see which files were modified by a particular revision, run the | ||||
| following command, replacing NNNNNN with the revision number, on a | ||||
| machine with Subversion installed: | ||||
| 
 | ||||
| # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base | ||||
| 
 | ||||
| Or visit the following URL, replacing NNNNNN with the revision number: | ||||
| 
 | ||||
| <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> | ||||
| 
 | ||||
| VII. References | ||||
| 
 | ||||
| <URL:https://kb.isc.org/article/AA-01287> | ||||
| 
 | ||||
| <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5722> | ||||
| 
 | ||||
| CVE-2015-5986 is listed here for completeness and affects FreeBSD | ||||
| 9.3-STABLE but not FreeBSD 9.3-RELEASE: | ||||
| 
 | ||||
| <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5986> | ||||
| 
 | ||||
| The latest revision of this advisory is available at | ||||
| <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:23.bind.asc> | ||||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v2.1.7 (FreeBSD) | ||||
| 
 | ||||
| -----END PGP SIGNATURE----- | ||||
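Review bot: the Solution section gives a patch location only under [FreeBSD 9.3], while the note that follows says 9.3-STABLE is also affected by CVE-2015-5986 and "a different patch should be used" without saying where that patch is; point stable/9 readers at the correct patch file or at correction revision r287409 from section VI so they do not apply the releng/9.3 patch to a stable/9 tree.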
							
								
								
									

485 share/security/patches/SA-15:23/bind.patch Normal file
							|  | @ -0,0 +1,485 @@ | |||
| Index: contrib/bind9/lib/dns/hmac_link.c
 | ||||
| ===================================================================
 | ||||
| --- contrib/bind9/lib/dns/hmac_link.c	(revision 287393)
 | ||||
| +++ contrib/bind9/lib/dns/hmac_link.c	(working copy)
 | ||||
| @@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *d
 | ||||
|  	hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t)); | ||||
|  	if (hmacmd5ctx == NULL) | ||||
|  		return (ISC_R_NOMEMORY); | ||||
| -	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
 | ||||
| +	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
 | ||||
|  	dctx->ctxdata.hmacmd5ctx = hmacmd5ctx; | ||||
|  	return (ISC_R_SUCCESS); | ||||
|  } | ||||
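Review bot: ISC_SHA1_BLOCK_LENGTH and ISC_MD5_BLOCK_LENGTH are both 64 bytes, so this and the other hmacmd5 hunks in this file change no behaviour; the swap only removes the MD5 code's misleading dependency on the SHA-1 constant. Worth stating in the patch description so it is not mistaken for part of the CVE-2015-5722 fix.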
| @@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_k
 | ||||
|  	else if (hkey1 == NULL || hkey2 == NULL) | ||||
|  		return (ISC_FALSE); | ||||
|   | ||||
| -	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
 | ||||
| +	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
 | ||||
|  		return (ISC_TRUE); | ||||
|  	else | ||||
|  		return (ISC_FALSE); | ||||
| @@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_
 | ||||
|  	isc_buffer_t b; | ||||
|  	isc_result_t ret; | ||||
|  	unsigned int bytes; | ||||
| -	unsigned char data[ISC_SHA1_BLOCK_LENGTH];
 | ||||
| +	unsigned char data[ISC_MD5_BLOCK_LENGTH];
 | ||||
|   | ||||
|  	UNUSED(callback); | ||||
|   | ||||
|  	bytes = (key->key_size + 7) / 8; | ||||
| -	if (bytes > ISC_SHA1_BLOCK_LENGTH) {
 | ||||
| -		bytes = ISC_SHA1_BLOCK_LENGTH;
 | ||||
| -		key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
 | ||||
| +	if (bytes > ISC_MD5_BLOCK_LENGTH) {
 | ||||
| +		bytes = ISC_MD5_BLOCK_LENGTH;
 | ||||
| +		key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
 | ||||
|  	} | ||||
|   | ||||
| -	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
 | ||||
| +	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
 | ||||
|  	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); | ||||
|   | ||||
|  	if (ret != ISC_R_SUCCESS) | ||||
| @@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_
 | ||||
|  	isc_buffer_init(&b, data, bytes); | ||||
|  	isc_buffer_add(&b, bytes); | ||||
|  	ret = hmacmd5_fromdns(key, &b); | ||||
| -	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
 | ||||
| +	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
 | ||||
|   | ||||
|  	return (ret); | ||||
|  } | ||||
| @@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data
 | ||||
|   | ||||
|  	memset(hkey->key, 0, sizeof(hkey->key)); | ||||
|   | ||||
| -	if (r.length > ISC_SHA1_BLOCK_LENGTH) {
 | ||||
| +	if (r.length > ISC_MD5_BLOCK_LENGTH) {
 | ||||
|  		isc_md5_init(&md5ctx); | ||||
|  		isc_md5_update(&md5ctx, r.base, r.length); | ||||
|  		isc_md5_final(&md5ctx, hkey->key); | ||||
| @@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data
 | ||||
|  	key->key_size = keylen * 8; | ||||
|  	key->keydata.hmacmd5 = hkey; | ||||
|   | ||||
| +	isc_buffer_forward(data, r.length);
 | ||||
| +
 | ||||
|  	return (ISC_R_SUCCESS); | ||||
|  } | ||||
|   | ||||
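Review bot: the added isc_buffer_forward(data, r.length) is the missing consume step: without it the HMAC key bytes were parsed but the caller's buffer was never advanced past them. r.length here is still the full remaining length taken before the hashing branch above (which only writes hkey->key), so forwarding by it consumes the whole key; the same two-line addition is repeated for each hmacsha*_fromdns below and should stay in lockstep with this one.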
| @@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *dat
 | ||||
|  	key->key_size = keylen * 8; | ||||
|  	key->keydata.hmacsha1 = hkey; | ||||
|   | ||||
| +	isc_buffer_forward(data, r.length);
 | ||||
| +
 | ||||
|  	return (ISC_R_SUCCESS); | ||||
|  } | ||||
|   | ||||
| @@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  	key->key_size = keylen * 8; | ||||
|  	key->keydata.hmacsha224 = hkey; | ||||
|   | ||||
| +	isc_buffer_forward(data, r.length);
 | ||||
| +
 | ||||
|  	return (ISC_R_SUCCESS); | ||||
|  } | ||||
|   | ||||
| @@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  	key->key_size = keylen * 8; | ||||
|  	key->keydata.hmacsha256 = hkey; | ||||
|   | ||||
| +	isc_buffer_forward(data, r.length);
 | ||||
| +
 | ||||
|  	return (ISC_R_SUCCESS); | ||||
|  } | ||||
|   | ||||
| @@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  	key->key_size = keylen * 8; | ||||
|  	key->keydata.hmacsha384 = hkey; | ||||
|   | ||||
| +	isc_buffer_forward(data, r.length);
 | ||||
| +
 | ||||
|  	return (ISC_R_SUCCESS); | ||||
|  } | ||||
|   | ||||
| @@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  	key->key_size = keylen * 8; | ||||
|  	key->keydata.hmacsha512 = hkey; | ||||
|   | ||||
| +	isc_buffer_forward(data, r.length);
 | ||||
| +
 | ||||
|  	return (ISC_R_SUCCESS); | ||||
|  } | ||||
|   | ||||
| Index: contrib/bind9/lib/dns/include/dst/dst.h
 | ||||
| ===================================================================
 | ||||
| --- contrib/bind9/lib/dns/include/dst/dst.h	(revision 287393)
 | ||||
| +++ contrib/bind9/lib/dns/include/dst/dst.h	(working copy)
 | ||||
| @@ -69,6 +69,7 @@ typedef struct dst_context 	dst_context_t;
 | ||||
|  #define DST_ALG_HMACSHA256	163	/* XXXMPA */ | ||||
|  #define DST_ALG_HMACSHA384	164	/* XXXMPA */ | ||||
|  #define DST_ALG_HMACSHA512	165	/* XXXMPA */ | ||||
| +#define DST_ALG_INDIRECT	252
 | ||||
|  #define DST_ALG_PRIVATE		254 | ||||
|  #define DST_ALG_EXPAND		255 | ||||
|  #define DST_MAX_ALGS		255 | ||||
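Review bot: DST_ALG_INDIRECT 252 matches the INDIRECT algorithm number reserved in RFC 4034 Appendix A.1, which the resolver.c hunk cites; add that reference as a trailing comment on the define, since the neighbouring HMAC entries carry only XXXMPA markers and nothing in dst.h says why 252 is now named.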
| Index: contrib/bind9/lib/dns/ncache.c
 | ||||
| ===================================================================
 | ||||
| --- contrib/bind9/lib/dns/ncache.c	(revision 287393)
 | ||||
| +++ contrib/bind9/lib/dns/ncache.c	(working copy)
 | ||||
| @@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherd
 | ||||
|  		dns_name_fromregion(&tname, &remaining); | ||||
|  		INSIST(remaining.length >= tname.length); | ||||
|  		isc_buffer_forward(&source, tname.length); | ||||
| -		remaining.length -= tname.length;
 | ||||
| -		remaining.base += tname.length;
 | ||||
| +		isc_region_consume(&remaining, tname.length);
 | ||||
|   | ||||
|  		INSIST(remaining.length >= 2); | ||||
|  		type = isc_buffer_getuint16(&source); | ||||
| -		remaining.length -= 2;
 | ||||
| -		remaining.base += 2;
 | ||||
| +		isc_region_consume(&remaining, 2);
 | ||||
|   | ||||
|  		if (type != dns_rdatatype_rrsig || | ||||
|  		    !dns_name_equal(&tname, name)) { | ||||
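Review bot: isc_region_consume(&remaining, n) replaces the two manual adjustments and keeps base and length in step; each consume is still preceded by the INSIST(remaining.length >= ...) check, so the substitution is safe as written.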
| @@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherd
 | ||||
|  		INSIST(remaining.length >= 1); | ||||
|  		trust = isc_buffer_getuint8(&source); | ||||
|  		INSIST(trust <= dns_trust_ultimate); | ||||
| -		remaining.length -= 1;
 | ||||
| -		remaining.base += 1;
 | ||||
| +		isc_region_consume(&remaining, 1);
 | ||||
|   | ||||
|  		raw = remaining.base; | ||||
|  		count = raw[0] * 256 + raw[1]; | ||||
| Index: contrib/bind9/lib/dns/openssldh_link.c
 | ||||
| ===================================================================
 | ||||
| --- contrib/bind9/lib/dns/openssldh_link.c	(revision 287393)
 | ||||
| +++ contrib/bind9/lib/dns/openssldh_link.c	(working copy)
 | ||||
| @@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
 | ||||
|   | ||||
|  static void | ||||
|  uint16_toregion(isc_uint16_t val, isc_region_t *region) { | ||||
| -	*region->base++ = (val & 0xff00) >> 8;
 | ||||
| -	*region->base++ = (val & 0x00ff);
 | ||||
| +	*region->base = (val & 0xff00) >> 8;
 | ||||
| +	isc_region_consume(region, 1);
 | ||||
| +	*region->base = (val & 0x00ff);
 | ||||
| +	isc_region_consume(region, 1);
 | ||||
|  } | ||||
|   | ||||
|  static isc_uint16_t | ||||
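Review bot: the old `*region->base++` form advanced base but never reduced region->length, so any later length check on that region compared against a stale value; the isc_region_consume(region, 1) form fixes that. The function still writes two bytes without checking region->length >= 2, so callers remain responsible for sizing the region (openssldsa_todns below shows the `if (r.length < (unsigned int) dnslen)` pattern this relies on).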
| @@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) {
 | ||||
|  	val = ((unsigned int)(cp[0])) << 8; | ||||
|  	val |= ((unsigned int)(cp[1])); | ||||
|   | ||||
| -	region->base += 2;
 | ||||
| +	isc_region_consume(region, 2);
 | ||||
| +
 | ||||
|  	return (val); | ||||
|  } | ||||
|   | ||||
| @@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t
 | ||||
|  	} | ||||
|  	else | ||||
|  		BN_bn2bin(dh->p, r.base); | ||||
| -	r.base += plen;
 | ||||
| +	isc_region_consume(&r, plen);
 | ||||
|   | ||||
|  	uint16_toregion(glen, &r); | ||||
|  	if (glen > 0) | ||||
|  		BN_bn2bin(dh->g, r.base); | ||||
| -	r.base += glen;
 | ||||
| +	isc_region_consume(&r, glen);
 | ||||
|   | ||||
|  	uint16_toregion(publen, &r); | ||||
|  	BN_bn2bin(dh->pub_key, r.base); | ||||
| -	r.base += publen;
 | ||||
| +	isc_region_consume(&r, publen);
 | ||||
|   | ||||
|  	isc_buffer_add(data, dnslen); | ||||
|   | ||||
| @@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
 | ||||
|  		return (DST_R_INVALIDPUBLICKEY); | ||||
|  	} | ||||
|  	if (plen == 1 || plen == 2) { | ||||
| -		if (plen == 1)
 | ||||
| -			special = *r.base++;
 | ||||
| -		else
 | ||||
| +		if (plen == 1) {
 | ||||
| +			special = *r.base;
 | ||||
| +			isc_region_consume(&r, 1);
 | ||||
| +		} else {
 | ||||
|  			special = uint16_fromregion(&r); | ||||
| +		}
 | ||||
|  		switch (special) { | ||||
|  			case 1: | ||||
|  				dh->p = &bn768; | ||||
| @@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
 | ||||
|  				DH_free(dh); | ||||
|  				return (DST_R_INVALIDPUBLICKEY); | ||||
|  		} | ||||
| -	}
 | ||||
| -	else {
 | ||||
| +	} else {
 | ||||
|  		dh->p = BN_bin2bn(r.base, plen, NULL); | ||||
| -		r.base += plen;
 | ||||
| +		isc_region_consume(&r, plen);
 | ||||
|  	} | ||||
|   | ||||
|  	/* | ||||
| @@ -421,8 +425,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
 | ||||
|  				return (DST_R_INVALIDPUBLICKEY); | ||||
|  			} | ||||
|  		} | ||||
| -	}
 | ||||
| -	else {
 | ||||
| +	} else {
 | ||||
|  		if (glen == 0) { | ||||
|  			DH_free(dh); | ||||
|  			return (DST_R_INVALIDPUBLICKEY); | ||||
| @@ -429,7 +432,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
 | ||||
|  		} | ||||
|  		dh->g = BN_bin2bn(r.base, glen, NULL); | ||||
|  	} | ||||
| -	r.base += glen;
 | ||||
| +	isc_region_consume(&r, glen);
 | ||||
|   | ||||
|  	if (r.length < 2) { | ||||
|  		DH_free(dh); | ||||
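Review bot: this is where the stale-length bug was observable: `r.base += glen` left r.length untouched, so the following `if (r.length < 2)` was checked against the original region size and a truncated key could pass it and be read past its end; with isc_region_consume(&r, glen) the check now sees the true remainder. Worth a one-line comment above the check so the dependency on the consume is obvious.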
| @@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da
 | ||||
|  		return (DST_R_INVALIDPUBLICKEY); | ||||
|  	} | ||||
|  	dh->pub_key = BN_bin2bn(r.base, publen, NULL); | ||||
| -	r.base += publen;
 | ||||
| +	isc_region_consume(&r, publen);
 | ||||
|   | ||||
|  	key->key_size = BN_num_bits(dh->p); | ||||
|   | ||||
| Index: contrib/bind9/lib/dns/openssldsa_link.c
 | ||||
| ===================================================================
 | ||||
| --- contrib/bind9/lib/dns/openssldsa_link.c	(revision 287393)
 | ||||
| +++ contrib/bind9/lib/dns/openssldsa_link.c	(working copy)
 | ||||
| @@ -29,8 +29,6 @@
 | ||||
|   * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||||
|   */ | ||||
|   | ||||
| -/* $Id$ */
 | ||||
| -
 | ||||
|  #ifdef OPENSSL | ||||
|  #ifndef USE_EVP | ||||
|  #define USE_EVP 1 | ||||
| @@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t
 | ||||
|  	DSA *dsa = key->keydata.dsa; | ||||
|  	isc_region_t r; | ||||
|  	DSA_SIG *dsasig; | ||||
| +	unsigned int klen;
 | ||||
|  #if USE_EVP | ||||
|  	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; | ||||
|  	EVP_PKEY *pkey; | ||||
| @@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t
 | ||||
|  					       ISC_R_FAILURE)); | ||||
|  	} | ||||
|  	free(sigbuf); | ||||
| +
 | ||||
|  #elif 0 | ||||
|  	/* Only use EVP for the Digest */ | ||||
|  	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) { | ||||
| @@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t
 | ||||
|  					       "DSA_do_sign", | ||||
|  					       DST_R_SIGNFAILURE)); | ||||
|  #endif | ||||
| -	*r.base++ = (key->key_size - 512)/64;
 | ||||
| +
 | ||||
| +	klen = (key->key_size - 512)/64;
 | ||||
| +	if (klen > 255)
 | ||||
| +		return (ISC_R_FAILURE);
 | ||||
| +	*r.base = klen;
 | ||||
| +	isc_region_consume(&r, 1);
 | ||||
| +
 | ||||
|  	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH); | ||||
| -	r.base += ISC_SHA1_DIGESTLENGTH;
 | ||||
| +	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
 | ||||
|  	BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH); | ||||
| -	r.base += ISC_SHA1_DIGESTLENGTH;
 | ||||
| +	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
 | ||||
|  	DSA_SIG_free(dsasig); | ||||
|  	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); | ||||
|   | ||||
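Review bot: the new `if (klen > 255) return (ISC_R_FAILURE);` returns after dsasig has been obtained (it is consumed by BN_bn2bin_fixed and released by DSA_SIG_free further down in this hunk), so this error path leaks the DSA_SIG; call DSA_SIG_free(dsasig) before returning. The check itself is sound: klen is unsigned, so a key_size below 512 wraps to a large value and is rejected by the same comparison, which deserves a comment.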
| @@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_
 | ||||
|  	if (r.length < (unsigned int) dnslen) | ||||
|  		return (ISC_R_NOSPACE); | ||||
|   | ||||
| -	*r.base++ = t;
 | ||||
| +	*r.base = t;
 | ||||
| +	isc_region_consume(&r, 1);
 | ||||
|  	BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH); | ||||
| -	r.base += ISC_SHA1_DIGESTLENGTH;
 | ||||
| +	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
 | ||||
|  	BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8); | ||||
| -	r.base += p_bytes;
 | ||||
| +	isc_region_consume(&r, p_bytes);
 | ||||
|  	BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8); | ||||
| -	r.base += p_bytes;
 | ||||
| +	isc_region_consume(&r, p_bytes);
 | ||||
|  	BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8); | ||||
| -	r.base += p_bytes;
 | ||||
| +	isc_region_consume(&r, p_bytes);
 | ||||
|   | ||||
|  	isc_buffer_add(data, dnslen); | ||||
|   | ||||
| @@ -479,7 +486,8 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  		return (ISC_R_NOMEMORY); | ||||
|  	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; | ||||
|   | ||||
| -	t = (unsigned int) *r.base++;
 | ||||
| +	t = (unsigned int) *r.base;
 | ||||
| +	isc_region_consume(&r, 1);
 | ||||
|  	if (t > 8) { | ||||
|  		DSA_free(dsa); | ||||
|  		return (DST_R_INVALIDPUBLICKEY); | ||||
| @@ -486,22 +494,22 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  	} | ||||
|  	p_bytes = 64 + 8 * t; | ||||
|   | ||||
| -	if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
 | ||||
| +	if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
 | ||||
|  		DSA_free(dsa); | ||||
|  		return (DST_R_INVALIDPUBLICKEY); | ||||
|  	} | ||||
|   | ||||
|  	dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL); | ||||
| -	r.base += ISC_SHA1_DIGESTLENGTH;
 | ||||
| +	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
 | ||||
|   | ||||
|  	dsa->p = BN_bin2bn(r.base, p_bytes, NULL); | ||||
| -	r.base += p_bytes;
 | ||||
| +	isc_region_consume(&r, p_bytes);
 | ||||
|   | ||||
|  	dsa->g = BN_bin2bn(r.base, p_bytes, NULL); | ||||
| -	r.base += p_bytes;
 | ||||
| +	isc_region_consume(&r, p_bytes);
 | ||||
|   | ||||
|  	dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL); | ||||
| -	r.base += p_bytes;
 | ||||
| +	isc_region_consume(&r, p_bytes);
 | ||||
|   | ||||
|  	key->key_size = p_bytes * 8; | ||||
|   | ||||
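Review bot: dropping the `1 +` from `if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes)` is correct only because the previous hunk now consumes the t byte with isc_region_consume(&r, 1), which decrements r.length; under the old `*r.base++` the length was never reduced and the `1 +` compensated for the byte already read. Add a comment tying the two together so a future edit to one does not silently reintroduce an off-by-one in the other.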
| Index: contrib/bind9/lib/dns/opensslecdsa_link.c
 | ||||
| ===================================================================
 | ||||
| --- contrib/bind9/lib/dns/opensslecdsa_link.c	(revision 287393)
 | ||||
| +++ contrib/bind9/lib/dns/opensslecdsa_link.c	(working copy)
 | ||||
| @@ -14,8 +14,6 @@
 | ||||
|   * PERFORMANCE OF THIS SOFTWARE. | ||||
|   */ | ||||
|   | ||||
| -/* $Id$ */
 | ||||
| -
 | ||||
|  #include <config.h> | ||||
|   | ||||
|  #ifdef HAVE_OPENSSL_ECDSA | ||||
| @@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_
 | ||||
|  					       "ECDSA_do_sign", | ||||
|  					       DST_R_SIGNFAILURE)); | ||||
|  	BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2); | ||||
| -	r.base += siglen / 2;
 | ||||
| +	isc_region_consume(&r, siglen / 2);
 | ||||
|  	BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2); | ||||
| -	r.base += siglen / 2;
 | ||||
| +	isc_region_consume(&r, siglen / 2);
 | ||||
|  	ECDSA_SIG_free(ecdsasig); | ||||
|  	isc_buffer_add(sig, siglen); | ||||
|  	ret = ISC_R_SUCCESS; | ||||
| Index: contrib/bind9/lib/dns/opensslrsa_link.c
 | ||||
| ===================================================================
 | ||||
| --- contrib/bind9/lib/dns/opensslrsa_link.c	(revision 287393)
 | ||||
| +++ contrib/bind9/lib/dns/opensslrsa_link.c	(working copy)
 | ||||
| @@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  	RSA *rsa; | ||||
|  	isc_region_t r; | ||||
|  	unsigned int e_bytes; | ||||
| +	unsigned int length;
 | ||||
|  #if USE_EVP | ||||
|  	EVP_PKEY *pkey; | ||||
|  #endif | ||||
| @@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  	isc_buffer_remainingregion(data, &r); | ||||
|  	if (r.length == 0) | ||||
|  		return (ISC_R_SUCCESS); | ||||
| +	length = r.length;
 | ||||
|   | ||||
|  	rsa = RSA_new(); | ||||
|  	if (rsa == NULL) | ||||
| @@ -982,8 +984,8 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  		RSA_free(rsa); | ||||
|  		return (DST_R_INVALIDPUBLICKEY); | ||||
|  	} | ||||
| -	e_bytes = *r.base++;
 | ||||
| -	r.length--;
 | ||||
| +	e_bytes = *r.base;
 | ||||
| +	isc_region_consume(&r, 1);
 | ||||
|   | ||||
|  	if (e_bytes == 0) { | ||||
|  		if (r.length < 2) { | ||||
| @@ -990,9 +992,10 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  			RSA_free(rsa); | ||||
|  			return (DST_R_INVALIDPUBLICKEY); | ||||
|  		} | ||||
| -		e_bytes = ((*r.base++) << 8);
 | ||||
| -		e_bytes += *r.base++;
 | ||||
| -		r.length -= 2;
 | ||||
| +		e_bytes = (*r.base) << 8;
 | ||||
| +		isc_region_consume(&r, 1);
 | ||||
| +		e_bytes += *r.base;
 | ||||
| +		isc_region_consume(&r, 1);
 | ||||
|  	} | ||||
|   | ||||
|  	if (r.length < e_bytes) { | ||||
| @@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d
 | ||||
|  		return (DST_R_INVALIDPUBLICKEY); | ||||
|  	} | ||||
|  	rsa->e = BN_bin2bn(r.base, e_bytes, NULL); | ||||
| -	r.base += e_bytes;
 | ||||
| -	r.length -= e_bytes;
 | ||||
| +	isc_region_consume(&r, e_bytes);
 | ||||
|   | ||||
|  	rsa->n = BN_bin2bn(r.base, r.length, NULL); | ||||
|   | ||||
|  	key->key_size = BN_num_bits(rsa->n); | ||||
|   | ||||
| -	isc_buffer_forward(data, r.length);
 | ||||
| +	isc_buffer_forward(data, length);
 | ||||
|   | ||||
|  #if USE_EVP | ||||
|  	pkey = EVP_PKEY_new(); | ||||
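Review bot: forwarding by the saved `length` rather than the reduced `r.length` is the right fix: r.length has been decremented by the exponent-length byte(s) and the exponent by the time the forward runs, so the old call advanced the caller's buffer only over the modulus and left it pointing at stale key bytes. Name the variable something like `keylen` or comment it at the `length = r.length` assignment; a bare `length` next to `r.length` invites confusion.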
| Index: contrib/bind9/lib/dns/resolver.c
 | ||||
| ===================================================================
 | ||||
| --- contrib/bind9/lib/dns/resolver.c	(revision 287393)
 | ||||
| +++ contrib/bind9/lib/dns/resolver.c	(working copy)
 | ||||
| @@ -8937,6 +8937,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *r
 | ||||
|   | ||||
|  	REQUIRE(VALID_RESOLVER(resolver)); | ||||
|   | ||||
| +	/*
 | ||||
| +	 * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
 | ||||
| +	 */
 | ||||
| +	if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
 | ||||
| +		return (ISC_FALSE);
 | ||||
| +
 | ||||
|  #if USE_ALGLOCK | ||||
|  	RWLOCK(&resolver->alglock, isc_rwlocktype_read); | ||||
|  #endif | ||||
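Review bot: the early return for DST_ALG_DH and DST_ALG_INDIRECT sits before the alglock RWLOCK, so it holds no lock on exit, which is correct. The comment cites RFC 4034 sec. A.1 for DH only; INDIRECT (252) is reserved in the same appendix, so widen the comment to cover both values the condition rejects.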
| @@ -8956,6 +8962,7 @@ dns_resolver_algorithm_supported(dns_resolver_t *r
 | ||||
|  #endif | ||||
|  	if (found) | ||||
|  		return (ISC_FALSE); | ||||
| +
 | ||||
|  	return (dst_algorithm_supported(alg)); | ||||
|  } | ||||
|   | ||||
							
								
								
									

17 share/security/patches/SA-15:23/bind.patch.asc Normal file
							|  | @ -0,0 +1,17 @@ | |||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v2.1.7 (FreeBSD) | ||||
| 
 | ||||
| -----END PGP SIGNATURE----- | ||||
|  | @ -7,6 +7,18 @@ | |||
|   <year> | ||||
|     <name>2015</name> | ||||
| 
 | ||||
|     <month> | ||||
|       <name>9</name> | ||||
| 
 | ||||
|       <day> | ||||
|         <name>2</name> | ||||
| 
 | ||||
|         <advisory> | ||||
|           <name>FreeBSD-SA-15:23.bind</name> | ||||
|         </advisory> | ||||
|       </day> | ||||
|     </month> | ||||
| 
 | ||||
|     <month> | ||||
|       <name>8</name> | ||||
| 
 | ||||