author | J0WI <J0WI@users.noreply.github.com> | 2021-01-03 02:12:13 +0100 |
---|---|---|
committer | J0WI <J0WI@users.noreply.github.com> | 2021-01-03 02:40:29 +0100 |
commit | 3d010a76e36ba44f4b3c7e9c2b40cc52fdc4ccc6 (patch) | |
tree | ae11cfbc8cf0fad0ad5a280c40e8fc44d1be6c18 /main | |
parent | e12b85e7f4cf17366198077761404e2c10df34db (diff) | |
main/bind: add security patches
Diffstat (limited to 'main')
-rw-r--r-- | main/bind/APKBUILD | 16 | ||||
-rw-r--r-- | main/bind/CVE-2020-8621.patch | 20 | ||||
-rw-r--r-- | main/bind/CVE-2020-8622.patch | 42 | ||||
-rw-r--r-- | main/bind/CVE-2020-8624.patch | 14 |
4 files changed, 90 insertions, 2 deletions
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD index 743ad9a655..da445d0e27 100644 --- a/main/bind/APKBUILD +++ b/main/bind/APKBUILD @@ -8,7 +8,7 @@ pkgver=9.14.12 _ver=${pkgver%_p*} _p=${pkgver#*_p} _major=${pkgver%%.*} -pkgrel=0 +pkgrel=1 [ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p" pkgdesc="The ISC DNS server" url="https://www.isc.org" @@ -45,7 +45,11 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc $pkgname-plugins $pkgname-tools " source=" - https://ftp.isc.org/isc/${pkgname}${_major}/$_ver/$pkgname-$_ver.tar.gz + https://downloads.isc.org/isc/${pkgname}$_major/$_ver/$pkgname-$_ver.tar.gz + CVE-2020-8621.patch + CVE-2020-8622.patch + CVE-2020-8624.patch + bind.plugindir.patch bind.so_bsdcompat.patch named.initd @@ -57,9 +61,14 @@ source=" " # secfixes: +# 9.14.12-r1: +# - CVE-2020-8621 +# - CVE-2020-8622 +# - CVE-2020-8624 # 9.14.12-r0: # - CVE-2020-8616 # - CVE-2020-8617 +# - CVE-2020-8619 # 9.14.8-r0: # - CVE-2019-6477 # 9.14.7-r0: 
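Review bot: The secfixes hunk (`@@ -57,9 +61,14 @@`) adds `CVE-2020-8619` under the already published `9.14.12-r0` entry, which the commit title "add security patches" does not mention. This comment block records which package release fixes which CVE, so a retroactive entry deserves a line in the commit body saying why it is correct. Presumably the fix was already part of the 9.14.12 upstream tarball, whose checksum is unchanged in this commit; that should be confirmed against the upstream release notes.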
@@ -245,6 +254,9 @@ libs() { #gpgfingerprints="good:AE3F AC79 6711 EC59 FC00 7AA4 74BB 6B9A 4CBB 3D38" sha512sums="f4e6c50cbe8fdb44cdd8e30b4560b6fe2fccd0fd5bde527a897a66e85065265da0d0aceb95af42d5568dea95d59e68574e5a486bbb7e6c5d0af275538c353ddf bind-9.14.12.tar.gz +0b43baa94adf382c49bf01f55a7a25fcd6fc34f6cf985bb19eafb499d2ae8be4571f54dd970e30dfccb375edde9f1c231e0f820504c599cb707ed34730668102 CVE-2020-8621.patch +4edc7aa26fc5187d815f013c9291c71c2273a278bf97419a866b562bf7abbe4aafe39618d77e28ea42cfdecd7716ff1a9425efa38ce9352af9202cbfe74134f9 CVE-2020-8622.patch +c39a06971bee86a8f8832d0cc211bec44f84b5c812899afc19c86413a9cba79ad4ab28dfb32b63cdee4d3997de9fe669dc130d2e8211a17e7344ca113aa33ed8 CVE-2020-8624.patch 2b32d1e7f62cd1e01bb4fdd92d15460bc14761b933d5acc463a91f5ecd4773d7477c757c5dd2738e8e433693592cf3f623ffc142241861c91848f01aa84640d6 bind.plugindir.patch 7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch ca779f52a0a96d774bbc4dbb4e62d136f483ce528693ac73b844435be73500d8495bfddce34534825b5f6fa3197601e3175918a076428bab52bbc33c509a816e named.initd diff --git a/main/bind/CVE-2020-8621.patch b/main/bind/CVE-2020-8621.patch new file mode 100644 index 0000000000..f401fc46fd --- /dev/null +++ b/main/bind/CVE-2020-8621.patch @@ -0,0 +1,20 @@ +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 7d443fd55b..3c0e3013aa 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -4020,6 +4020,15 @@ fctx_nextaddress(fetchctx_t *fctx) { + addrinfo->flags |= FCTX_ADDRINFO_MARK; + fctx->find = NULL; + fctx->forwarding = true; ++ ++ /* ++ * QNAME minimization is disabled when ++ * forwarding, and has to remain disabled if ++ * we switch back to normal recursion; otherwise ++ * forwarding could leave us in an inconsistent ++ * state. ++ */ ++ fctx->minimized = false; + return (addrinfo); + } + } 
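Review bot: The new `CVE-2020-8621.patch` starts directly at `diff --git a/lib/dns/resolver.c` with no header saying which upstream commit or release it was taken from, and the same holds for `CVE-2020-8622.patch` and `CVE-2020-8624.patch`. The `sha512sums` entries only pin the files as committed here, so a reviewer cannot tell from the package whether each backport matches the upstream fix or was adapted for 9.14.12. A short preamble in each patch file would make that auditable, e.g. `Upstream: <upstream-commit-url-placeholder>` plus a line saying whether the hunk was modified. On the code itself, the `fctx->minimized = false;` reset sits in one forwarding branch of `fctx_nextaddress()`, whose body continues outside the hunk, so it is worth confirming that no other path sets `fctx->forwarding = true` without the same reset.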
diff --git a/main/bind/CVE-2020-8622.patch b/main/bind/CVE-2020-8622.patch
new file mode 100644
index 0000000000..b963712113
--- /dev/null
+++ b/main/bind/CVE-2020-8622.patch
@@ -0,0 +1,42 @@
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index d9e341a09e..7c813a5cf6 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ msg->header_ok = 0;
+ msg->question_ok = 0;
+
++ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
++ isc_buffer_usedregion(&origsource, &msg->saved);
++ } else {
++ msg->saved.length = isc_buffer_usedlength(&origsource);
++ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
++ if (msg->saved.base == NULL) {
++ return (ISC_R_NOMEMORY);
++ }
++ memmove(msg->saved.base, isc_buffer_base(&origsource),
++ msg->saved.length);
++ msg->free_saved = 1;
++ }
++
+ isc_buffer_remainingregion(source, &r);
+ if (r.length < DNS_MESSAGE_HEADERLEN)
+ return (ISC_R_UNEXPECTEDEND);
+@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ }
+
+ truncated:
+- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
+- isc_buffer_usedregion(&origsource, &msg->saved);
+- else {
+- msg->saved.length = isc_buffer_usedlength(&origsource);
+- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+- if (msg->saved.base == NULL)
+- return (ISC_R_NOMEMORY);
+- memmove(msg->saved.base, isc_buffer_base(&origsource),
+- msg->saved.length);
+- msg->free_saved = 1;
+- }
+
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ return (DNS_R_RECOVERABLE);
diff --git a/main/bind/CVE-2020-8624.patch b/main/bind/CVE-2020-8624.patch
new file mode 100644
index 0000000000..4968bda55b
--- /dev/null
+++ b/main/bind/CVE-2020-8624.patch
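Review bot: Moving the `msg->saved` setup ahead of the header-length check in `dns_message_parse()` means that the `return (ISC_R_UNEXPECTEDEND);` right after it, and any later early return, now leaves a cloned buffer attached to the message with `free_saved = 1`. The hunk does not show who releases that buffer, so confirm that the message reset/destroy path frees `msg->saved.base` whenever `free_saved` is set; otherwise every rejected short message in clone mode leaks its copy. The relocated block also has no comment saying why it must run before parsing. Something like `/* Save the raw message first so msg->saved is valid even when parsing bails out early. */` would keep a later cleanup from moving it back under `truncated:`. The function starts and ends outside both inner hunks.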
@@ -0,0 +1,14 @@
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index 55f191bad4..b77a07c14a 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+
+ str = cfg_obj_asstring(matchtype);
+ CHECK(dns_ssu_mtypefromstring(str, &mtype));
+- if (mtype == dns_ssumatchtype_subdomain) {
++ if (mtype == dns_ssumatchtype_subdomain &&
++ strcasecmp(str, "zonesub") == 0) {
+ usezone = true;
+ }
+
|
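Review bot: The new condition in `configure_zone_ssutable()` decides an update-policy outcome by re-comparing the raw config string. That implies `dns_ssu_mtypefromstring()` maps more than one keyword to `dns_ssumatchtype_subdomain`, but nothing at the call site says so. A comment above the `if`, e.g. `/* Only "zonesub" substitutes the zone name; a plain "subdomain" rule keeps its configured name. */`, would make the access-control intent explicit; the wording should be confirmed against the mapping function, which is outside the hunk. The hunk also shows no include for `strcasecmp()`, so check that `zoneconf.c` pulls in `<strings.h>` and the build does not rely on an implicit declaration.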