diff --git a/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch b/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch new file mode 100644 index 0000000000000000000000000000000000000000..20996e4e253f4dfaf25f359540d00b81ecfb26ba --- /dev/null +++ b/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch @@ -0,0 +1,119 @@ +From 4b362a82ebf511d0915585bbe55bdb9b989f439a Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Mon, 11 Oct 2021 18:13:39 +0000 +Subject: [PATCH] Fix catalog zone reconfiguration crash + +The following scenario triggers a "named" crash: + +1. Configure a catalog zone. +2. Start "named". +3. Comment out the "catalog-zone" clause. +4. Run `rndc reconfig`. +5. Uncomment the "catalog-zone" clause. +6. Run `rndc reconfig` again. + +Implement the required cleanup of the in-memory catalog zone during +the first `rndc reconfig`, so that the second `rndc reconfig` could +find it in an expected state. + +(cherry picked from commit 43ac2cd229813c04438e027c42c0b93b9661adda) +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4b362a82ebf511d0915585bbe55bdb9b989f439a +--- + bin/named/server.c | 2 ++ + lib/dns/include/dns/zone.h | 20 ++++++++++++++++++++ + lib/dns/win32/libdns.def.in | 2 ++ + lib/dns/zone.c | 18 ++++++++++++++++++ + 4 files changed, 42 insertions(+) + +diff --git a/bin/named/server.c b/bin/named/server.c +index 860ccae8a1..9c0f12f63f 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -6523,6 +6523,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, + + if (zone_is_catz) { + dns_zone_catz_enable(zone, view->catzs); ++ } else if (dns_zone_catz_is_enabled(zone)) { ++ dns_zone_catz_disable(zone); + } + + /* +diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h +index 08e2263c5b..33ab5c60fd 100644 +--- a/lib/dns/include/dns/zone.h ++++ b/lib/dns/include/dns/zone.h +@@ -2605,6 +2605,26 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs); + * \li prior to calling, zone->catzs is NULL or is equal to 'catzs' + */ + ++void ++dns_zone_catz_disable(dns_zone_t *zone); ++/*%< ++ * Disable zone as catalog zone, if it is one. ++ * ++ * Requires: ++ * ++ * \li 'zone' is a valid zone object ++ */ ++ ++bool ++dns_zone_catz_is_enabled(dns_zone_t *zone); ++/*%< ++ * Return a boolean indicating whether the zone is enabled as catalog zone. ++ * ++ * Requires: ++ * ++ * \li 'zone' is a valid zone object ++ */ ++ + void + dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db); + /*%< +diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in +index 31f511103f..1e0f7cf64a 100644 +--- a/lib/dns/win32/libdns.def.in ++++ b/lib/dns/win32/libdns.def.in +@@ -1173,8 +1173,10 @@ dns_xfrin_shutdown + dns_zone_addnsec3chain + dns_zone_asyncload + dns_zone_attach ++dns_zone_catz_disable + dns_zone_catz_enable + dns_zone_catz_enable_db ++dns_zone_catz_is_enabled + dns_zone_cdscheck + dns_zone_checknames + dns_zone_clearforwardacl +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 65a3aacab7..bc33e6ede8 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -1942,6 +1942,24 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { + UNLOCK_ZONE(zone); + } + ++void ++dns_zone_catz_disable(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ ++ LOCK_ZONE(zone); ++ if (zone->catzs != NULL) { ++ dns_catz_catzs_detach(&zone->catzs); ++ } ++ UNLOCK_ZONE(zone); ++} ++ ++bool ++dns_zone_catz_is_enabled(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ ++ return (zone->catzs != NULL); ++} ++ + /* + * If a zone is a catalog zone, attach it to update notification in database. + */ +-- +2.27.0 + diff --git a/bind.spec b/bind.spec index e1b31c62729f382460b232bda779ac512397cc07..d8afb4b3648e2a10524d84d2b829c3c46f86559b 100644 --- a/bind.spec +++ b/bind.spec @@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 10 +Release: 11 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -87,6 +87,7 @@ Patch6004:backport-CVE-2022-38177.patch Patch6005:backport-CVE-2022-38178.patch Patch6006:backport-CVE-2022-2906.patch Patch6007:backport-CVE-2022-2881.patch +Patch6008:backport-0002-Fix-catalog-zone-reconfiguration-crash.patch Patch9000:bugfix-limit-numbers-of-test-threads.patch %{?systemd_ordering} @@ -391,6 +392,7 @@ in HTML and PDF format. %patch6005 -p1 %patch6006 -p1 %patch6007 -p1 +%patch6008 -p1 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -1113,6 +1115,9 @@ fi; %endif %changelog +* Thu Sep 29 2022 huangyu - 32:9.16.23-11 +- DESC: add some patches + * Wed Sep 28 2022 huangyu - 32:9.16.23-10 - DESC:fix CVE-2022-2881 CVE-2022-2906 CVE-2022-2795 CVE-2022-38177 CVE-2022-38178 CVE-2022-3080