diff --git a/SPECS/dhcp/CVE-2022-2795.patch b/SPECS/dhcp/CVE-2022-2795.patch new file mode 100644 index 00000000000..feb93418e5a --- /dev/null +++ b/SPECS/dhcp/CVE-2022-2795.patch @@ -0,0 +1,67 @@ +From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Thu, 8 Sep 2022 11:11:30 +0200 +Subject: [PATCH 1/3] Bound the amount of work performed for delegations + +Limit the amount of database lookups that can be triggered in +fctx_getaddresses() (i.e. when determining the name server addresses to +query next) by setting a hard limit on the number of NS RRs processed +for any delegation encountered. Without any limit in place, named can +be forced to perform large amounts of database lookups per each query +received, which severely impacts resolver performance. + +The limit used (20) is an arbitrary value that is considered to be big +enough for any sane DNS delegation. + +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) + +Upstream-Status: Backport +CVE: CVE-2022-2795 +Reference to upstream patch: +https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8 + +Signed-off-by: Mathieu Dubois-Briand +--- + bind_ln/lib/dns/resolver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/bind_ln/lib/dns/resolver.c b/bind_ln/lib/dns/resolver.c +index 8ae9a993bbd7..ac9a9ef5d009 100644 +--- a/bind_ln/lib/dns/resolver.c ++++ b/bind_ln/lib/dns/resolver.c +@@ -180,6 +180,12 @@ + */ + #define NS_FAIL_LIMIT 4 + #define NS_RR_LIMIT 5 ++/* ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in ++ * any NS RRset encountered, to avoid excessive resource use while processing ++ * large delegations. ++ */ ++#define NS_PROCESSING_LIMIT 20 + + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS +@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + bool need_alternate = false; + bool all_spilled = true; + unsigned int no_addresses = 0; ++ unsigned int ns_processed = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); ++ ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) { + return (result); +-- +2.34.1 + diff --git a/SPECS/dhcp/CVE-2022-38177.patch b/SPECS/dhcp/CVE-2022-38177.patch new file mode 100644 index 00000000000..1af6fc2836b --- /dev/null +++ b/SPECS/dhcp/CVE-2022-38177.patch @@ -0,0 +1,31 @@ +From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Thu, 11 Aug 2022 15:15:34 +1000 +Subject: [PATCH 2/3] Free eckey on siglen mismatch + +Upstream-Status: Backport +CVE: CVE-2022-38177 +Reference to upstream patch: +https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590 + +Signed-off-by: Mathieu Dubois-Briand +--- + bind_ln/lib/dns/opensslecdsa_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bind_ln/lib/dns/opensslecdsa_link.c b/bind_ln/lib/dns/opensslecdsa_link.c +index 83b5b51cd78c..7576e04ac635 100644 +--- a/bind_ln/lib/dns/opensslecdsa_link.c ++++ b/bind_ln/lib/dns/opensslecdsa_link.c +@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + siglen = DNS_SIG_ECDSA384SIZE; + + if (sig->length != siglen) +- return (DST_R_VERIFYFAILURE); ++ DST_RET(DST_R_VERIFYFAILURE); + + if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) + DST_RET (dst__openssl_toresult3(dctx->category, +-- +2.34.1 + diff --git a/SPECS/dhcp/CVE-2022-38178.patch b/SPECS/dhcp/CVE-2022-38178.patch new file mode 100644 index 00000000000..4c66660b3be --- /dev/null +++ b/SPECS/dhcp/CVE-2022-38178.patch @@ -0,0 +1,33 @@ +From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Thu, 11 Aug 2022 15:28:13 +1000 +Subject: [PATCH 3/3] Free ctx on invalid siglen + +(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825) + +Upstream-Status: Backport +CVE: CVE-2022-38178 +Reference to upstream patch: +https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6 + +Signed-off-by: Mathieu Dubois-Briand +--- + bind_ln/lib/dns/openssleddsa_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bind_ln/lib/dns/openssleddsa_link.c b/bind_ln/lib/dns/openssleddsa_link.c +index 8b115ec283f0..b4fcd607c131 100644 +--- a/bind_ln/lib/dns/openssleddsa_link.c ++++ b/bind_ln/lib/dns/openssleddsa_link.c +@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + siglen = DNS_SIG_ED448SIZE; + + if (sig->length != siglen) +- return (DST_R_VERIFYFAILURE); ++ DST_RET(ISC_R_NOTIMPLEMENTED); + + isc_buffer_usedregion(buf, &tbsreg); + +-- +2.34.1 + diff --git a/SPECS/dhcp/dhcp.spec b/SPECS/dhcp/dhcp.spec index 8481b23a811..3349cbffca8 100644 --- a/SPECS/dhcp/dhcp.spec +++ b/SPECS/dhcp/dhcp.spec @@ -1,10 +1,13 @@ Summary: Dynamic host configuration protocol Name: dhcp Version: 4.4.3 -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv2.0 Url: https://www.isc.org/dhcp/ Source0: ftp://ftp.isc.org/isc/dhcp/%{version}/%{name}-%{version}.tar.gz +Patch0: CVE-2022-38177.patch +Patch1: CVE-2022-38178.patch +Patch2: CVE-2022-2795.patch Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Mariner @@ -38,7 +41,13 @@ The ISC DHCP Client, dhclient, provides a means for configuring one or more netw %prep -%autosetup -p1 +%setup -q -n dhcp-%{version} + +# Extracting bundled 'bind' to allow some of the patches to modify it. +tar -C bind -xf bind/bind.tar.gz +ln -s bind/bind-9* bind_ln + +%autopatch -p1 %build CFLAGS="$CFLAGS \ @@ -169,6 +178,9 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/ %{_mandir}/man8/dhclient.8.gz %changelog +* Tue Apr 30 2024 Elaine Zhao - 4.4.3-2 +- Fix CVE-2022-38177, CVE-2022-38178, CVE-2022-2795 for bundled bind + * Tue Apr 23 2024 CBL-Mariner Servicing Account - 4.4.3-1 - Auto-upgrade to 4.4.3 - Fix for CVE-2022-2928 and CVE-2022-2929