aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/bind/APKBUILD16
-rw-r--r--main/bind/CVE-2020-8621.patch20
-rw-r--r--main/bind/CVE-2020-8622.patch42
-rw-r--r--main/bind/CVE-2020-8624.patch14
4 files changed, 90 insertions, 2 deletions
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index 743ad9a655..da445d0e27 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -8,7 +8,7 @@ pkgver=9.14.12
_ver=${pkgver%_p*}
_p=${pkgver#*_p}
_major=${pkgver%%.*}
-pkgrel=0
+pkgrel=1
[ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
pkgdesc="The ISC DNS server"
url="https://www.isc.org"
@@ -45,7 +45,11 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-openrc
$pkgname-plugins $pkgname-tools
"
source="
- https://ftp.isc.org/isc/${pkgname}${_major}/$_ver/$pkgname-$_ver.tar.gz
+ https://downloads.isc.org/isc/${pkgname}$_major/$_ver/$pkgname-$_ver.tar.gz
+ CVE-2020-8621.patch
+ CVE-2020-8622.patch
+ CVE-2020-8624.patch
+
bind.plugindir.patch
bind.so_bsdcompat.patch
named.initd
@@ -57,9 +61,14 @@ source="
"
# secfixes:
+# 9.14.12-r1:
+# - CVE-2020-8621
+# - CVE-2020-8622
+# - CVE-2020-8624
# 9.14.12-r0:
# - CVE-2020-8616
# - CVE-2020-8617
+# - CVE-2020-8619
# 9.14.8-r0:
# - CVE-2019-6477
# 9.14.7-r0:
@@ -245,6 +254,9 @@ libs() {
#gpgfingerprints="good:AE3F AC79 6711 EC59 FC00 7AA4 74BB 6B9A 4CBB 3D38"
sha512sums="f4e6c50cbe8fdb44cdd8e30b4560b6fe2fccd0fd5bde527a897a66e85065265da0d0aceb95af42d5568dea95d59e68574e5a486bbb7e6c5d0af275538c353ddf bind-9.14.12.tar.gz
+0b43baa94adf382c49bf01f55a7a25fcd6fc34f6cf985bb19eafb499d2ae8be4571f54dd970e30dfccb375edde9f1c231e0f820504c599cb707ed34730668102 CVE-2020-8621.patch
+4edc7aa26fc5187d815f013c9291c71c2273a278bf97419a866b562bf7abbe4aafe39618d77e28ea42cfdecd7716ff1a9425efa38ce9352af9202cbfe74134f9 CVE-2020-8622.patch
+c39a06971bee86a8f8832d0cc211bec44f84b5c812899afc19c86413a9cba79ad4ab28dfb32b63cdee4d3997de9fe669dc130d2e8211a17e7344ca113aa33ed8 CVE-2020-8624.patch
2b32d1e7f62cd1e01bb4fdd92d15460bc14761b933d5acc463a91f5ecd4773d7477c757c5dd2738e8e433693592cf3f623ffc142241861c91848f01aa84640d6 bind.plugindir.patch
7167dccdb2833643dfdb92994373d2cc087e52ba23b51bd68bd322ff9aca6744f01fa9d8a4b9cd8c4ce471755a85c03ec956ec0d8a1d4fae02124ddbed6841f6 bind.so_bsdcompat.patch
ca779f52a0a96d774bbc4dbb4e62d136f483ce528693ac73b844435be73500d8495bfddce34534825b5f6fa3197601e3175918a076428bab52bbc33c509a816e named.initd
diff --git a/main/bind/CVE-2020-8621.patch b/main/bind/CVE-2020-8621.patch
new file mode 100644
index 0000000000..f401fc46fd
--- /dev/null
+++ b/main/bind/CVE-2020-8621.patch
@@ -0,0 +1,20 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 7d443fd55b..3c0e3013aa 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -4020,6 +4020,15 @@ fctx_nextaddress(fetchctx_t *fctx) {
+ addrinfo->flags |= FCTX_ADDRINFO_MARK;
+ fctx->find = NULL;
+ fctx->forwarding = true;
++
++ /*
++ * QNAME minimization is disabled when
++ * forwarding, and has to remain disabled if
++ * we switch back to normal recursion; otherwise
++ * forwarding could leave us in an inconsistent
++ * state.
++ */
++ fctx->minimized = false;
+ return (addrinfo);
+ }
+ }
diff --git a/main/bind/CVE-2020-8622.patch b/main/bind/CVE-2020-8622.patch
new file mode 100644
index 0000000000..b963712113
--- /dev/null
+++ b/main/bind/CVE-2020-8622.patch
@@ -0,0 +1,42 @@
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index d9e341a09e..7c813a5cf6 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ msg->header_ok = 0;
+ msg->question_ok = 0;
+
++ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
++ isc_buffer_usedregion(&origsource, &msg->saved);
++ } else {
++ msg->saved.length = isc_buffer_usedlength(&origsource);
++ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
++ if (msg->saved.base == NULL) {
++ return (ISC_R_NOMEMORY);
++ }
++ memmove(msg->saved.base, isc_buffer_base(&origsource),
++ msg->saved.length);
++ msg->free_saved = 1;
++ }
++
+ isc_buffer_remainingregion(source, &r);
+ if (r.length < DNS_MESSAGE_HEADERLEN)
+ return (ISC_R_UNEXPECTEDEND);
+@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ }
+
+ truncated:
+- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
+- isc_buffer_usedregion(&origsource, &msg->saved);
+- else {
+- msg->saved.length = isc_buffer_usedlength(&origsource);
+- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+- if (msg->saved.base == NULL)
+- return (ISC_R_NOMEMORY);
+- memmove(msg->saved.base, isc_buffer_base(&origsource),
+- msg->saved.length);
+- msg->free_saved = 1;
+- }
+
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ return (DNS_R_RECOVERABLE);
diff --git a/main/bind/CVE-2020-8624.patch b/main/bind/CVE-2020-8624.patch
new file mode 100644
index 0000000000..4968bda55b
--- /dev/null
+++ b/main/bind/CVE-2020-8624.patch
@@ -0,0 +1,14 @@
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index 55f191bad4..b77a07c14a 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+
+ str = cfg_obj_asstring(matchtype);
+ CHECK(dns_ssu_mtypefromstring(str, &mtype));
+- if (mtype == dns_ssumatchtype_subdomain) {
++ if (mtype == dns_ssumatchtype_subdomain &&
++ strcasecmp(str, "zonesub") == 0) {
+ usezone = true;
+ }
+