1 files changed, 45 insertions, 0 deletions

diff --git a/main/bind/CVE-2020-8625.patch b/main/bind/CVE-2020-8625.patch
new file mode 100644
index 00000000000..143b6b38414
--- /dev/null
+++ b/main/bind/CVE-2020-8625.patch
@@ -0,0 +1,45 @@
+From b04cb88462863d762093760ffcfe1946200e30f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Thu, 7 Jan 2021 10:44:46 +0100
+Subject: [PATCH] Fix off-by-one bug in ISC SPNEGO implementation
+
+The ISC SPNEGO implementation is based on mod_auth_kerb code.  When
+CVE-2006-5989 was disclosed, the relevant fix was not applied to the
+BIND 9 codebase, making the latter vulnerable to the aforementioned flaw
+when "tkey-gssapi-keytab" or "tkey-gssapi-credential" is set in
+named.conf.
+
+The original description of CVE-2006-5989 was:
+
+    Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0
+    allows remote attackers to cause a denial of service (crash) via a
+    crafted Kerberos message that triggers a heap-based buffer overflow
+    in the component array.
+
+Later research revealed that this flaw also theoretically enables remote
+code execution, though achieving the latter in real-world conditions is
+currently deemed very difficult.
+
+This vulnerability was responsibly reported as ZDI-CAN-12302 ("ISC BIND
+TKEY Query Heap-based Buffer Overflow Remote Code Execution
+Vulnerability") by Trend Micro Zero Day Initiative.
+---
+ lib/dns/spnego.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
+index e61d1c600f..753dc8049f 100644
+--- a/lib/dns/spnego.c
++++ b/lib/dns/spnego.c
+@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
+ 		return (ASN1_OVERRUN);
+ 	}
+ 
+-	data->components = malloc(len * sizeof(*data->components));
++	data->components = malloc((len + 1) * sizeof(*data->components));
+ 	if (data->components == NULL) {
+ 		return (ENOMEM);
+ 	}
+-- 
+GitLab
+