From dbb077410e34be153bd7cdae4801272d52bf71aa Mon Sep 17 00:00:00 2001
From: renmingshuai
Date: Wed, 28 Sep 2022 16:39:43 +0800
Subject: [PATCH] bind:fix CVE-2022-2795

Signed-off-by: huangyu
---
 CVE-2022-2795.patch | 60 +++++++++++++++++++++++++++++++++++++++++++++
 bind.spec | 7 +++++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-2795.patch

diff --git a/CVE-2022-2795.patch b/CVE-2022-2795.patch
new file mode 100644
index 0000000..c978c73
--- /dev/null
+++ b/CVE-2022-2795.patch
@@ -0,0 +1,60 @@
+From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered. Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index d2cf14bbc8b..73a0ee9f779 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+ */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT 5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ bool need_alternate = false;
+ bool all_spilled = true;
+ unsigned int no_addresses = 0;
++ unsigned int ns_processed = 0;
+
+ FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+@@ -3902,6 +3909,11 @@ normal_nses:
+
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
++
++ if (++ns_processed >= NS_PROCESSING_LIMIT) {
++ result = ISC_R_NOMORE;
++ break;
++ }
+ }
+ if (result != ISC_R_NOMORE) {
+ return (result);
+--
+GitLab
+
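Review bot: The file this hunk creates is `CVE-2022-2795.patch` (per the `+++ b/CVE-2022-2795.patch` header and the `create mode` diffstat line), but the bind.spec hunk at `@@ -81,6 +81,7 @@` adds `Patch6002:backport-CVE-2022-2795.patch`, a name this commit does not create, so the `%patch6002 -p1` step added in the `@@ -379,6 +380,7 @@` hunk would be expected to fail for a missing source file. Either rename the new file to `backport-CVE-2022-2795.patch`, matching the existing `Patch6000`/`Patch6001` naming, or change the spec line to `Patch6002:CVE-2022-2795.patch`. The embedded upstream hunks carry offsets (`@@ -3711,6 +3717,7 @@` and `@@ -3902,6 +3909,11 @@`) from the branch the fix was cherry-picked to rather than from 9.16.23, so it is worth confirming they apply to this version's `fctx_getaddresses()` without rejects; the body of that function lies outside the hunk.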
diff --git a/bind.spec b/bind.spec index a2c8e42..9d8f65b 100644 --- a/bind.spec +++ b/bind.spec @@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 9 +Release: 10 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -81,6 +81,7 @@ Patch164:bind-9.11-rh1666814.patch Patch6000:backport-CVE-2022-0396.patch Patch6001:backport-CVE-2021-25220.patch +Patch6002:backport-CVE-2022-2795.patch Patch9000:bugfix-limit-numbers-of-test-threads.patch %{?systemd_ordering} @@ -379,6 +380,7 @@ in HTML and PDF format. %patch9000 -p1 %patch6000 -p1 %patch6001 -p1 +%patch6002 -p1 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -1101,6 +1103,9 @@ fi; %endif %changelog +* Wed Sep 28 2022 huangyu - 32:9.16.23-10 +- DESC: fix CVE-2022-2795 + * Wed Aug 31 2022 yangchenguang - 32:9.16.23-9 - DESC: fix downgrade bind-utils conflict bind-dnssec-doc -- Gitee