From 3a1ae4b490b5118c0e650dff2d79d6826d7dfc92 Mon Sep 17 00:00:00 2001 From: zhaoyonghao Date: Tue, 2 Dec 2025 16:40:58 +0800 Subject: [PATCH] backport some patches from upstream --- ...1-Fix-bug-in-keymgr-Depends-function.patch | 48 ++++ ...se-header_prev-in-expire_lru_headers.patch | 50 ++++ ...03-Fix-the-DNS_GETDB_STALEFIRST-flag.patch | 37 +++ backport-04-Fix-reading-extra-messages.patch | 73 ++++++ ...te-listeners-on-DNS-transport-change.patch | 213 ++++++++++++++++++ ...ic-when-detecting-same-listener-type.patch | 60 +++++ ...ble-dig-host-crash-in-NS-search-mode.patch | 39 ++++ ...K-status-here-and-squash-memory-leak.patch | 44 ++++ bind.spec | 17 +- 9 files changed, 580 insertions(+), 1 deletion(-) create mode 100644 backport-01-Fix-bug-in-keymgr-Depends-function.patch create mode 100644 backport-02-Do-not-use-header_prev-in-expire_lru_headers.patch create mode 100644 backport-03-Fix-the-DNS_GETDB_STALEFIRST-flag.patch create mode 100644 backport-04-Fix-reading-extra-messages.patch create mode 100644 backport-05-Recreate-listeners-on-DNS-transport-change.patch create mode 100644 backport-06-Fix-flawed-logic-when-detecting-same-listener-type.patch create mode 100644 backport-07-Fix-a-possible-dig-host-crash-in-NS-search-mode.patch create mode 100644 backport-08-Don-t-look-for-KSK-status-here-and-squash-memory-leak.patch diff --git a/backport-01-Fix-bug-in-keymgr-Depends-function.patch b/backport-01-Fix-bug-in-keymgr-Depends-function.patch new file mode 100644 index 0000000..c33da91 --- /dev/null +++ b/backport-01-Fix-bug-in-keymgr-Depends-function.patch @@ -0,0 +1,48 @@ +From 1b2e6f494a89651ac922b7476c7b57d976535df5 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Wed, 31 Jan 2024 12:25:29 +0100 +Subject: [PATCH] Fix bug in keymgr Depends function + +The Depends relation refers to types of rollovers in which a certain +record type is going to be swapped. Specifically, the Depends relation +says there should be no dependency on the predecessor key (the set +Dep(x, T) must be empty). + +But if the key is phased out (all its states are in HIDDEN), there is +no longer a dependency. Since the relationship is still maintained +(Predecessor and Successor metadata), the keymgr_dep function still +returned true. In other words, the set Dep(x, T) is not considered +empty. + +This slows down key rollovers, only retiring keys when the successor +key has been fully propagated. + +(cherry picked from commit 0aac81cf805aac0e36b429eebffd766a4a07aa0f) + +Conflict:no +Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/1b2e6f494a89651ac922b7476c7b57d976535df5 +--- + lib/dns/keymgr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c +index 34fa1dd0cc6..023dee9e43a 100644 +--- a/lib/dns/keymgr.c ++++ b/lib/dns/keymgr.c +@@ -617,6 +617,13 @@ keymgr_dep(dst_key_t *k, dns_dnsseckeylist_t *keyring, uint32_t *dep) { + * Check if k is a direct successor of d, e.g. d depends on k. + */ + if (keymgr_direct_dep(d->key, k)) { ++ dst_key_state_t hidden[NUM_KEYSTATES] = { ++ HIDDEN, HIDDEN, HIDDEN, HIDDEN ++ }; ++ if (keymgr_key_match_state(d->key, k, NA, NA, hidden)) { ++ continue; ++ } ++ + if (dep != NULL) { + *dep = dst_key_id(d->key); + } +-- +GitLab + diff --git a/backport-02-Do-not-use-header_prev-in-expire_lru_headers.patch b/backport-02-Do-not-use-header_prev-in-expire_lru_headers.patch new file mode 100644 index 0000000..dfc1ef6 --- /dev/null +++ b/backport-02-Do-not-use-header_prev-in-expire_lru_headers.patch @@ -0,0 +1,50 @@ +From 61ca5265900eabdbc4c7a827158469a41c8986a5 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Fri, 23 Feb 2024 10:12:47 +1100 +Subject: [PATCH] Do not use header_prev in expire_lru_headers + +dns__cacherbt_expireheader can unlink / free header_prev underneath +it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader +instead to get the next pointer to be processed. + +(cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab) + +Conflict:no +Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/61ca5265900eabdbc4c7a827158469a41c8986a5 +--- + lib/dns/rbtdb.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index b09d97ff644..b9e58a42b3c 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -10213,22 +10213,21 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now) { + static size_t + expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize, + bool tree_locked) { +- rdatasetheader_t *header, *header_prev; ++ rdatasetheader_t *header; + size_t purged = 0; + + for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); + header != NULL && + header->last_used <= atomic_load(&rbtdb->last_used) && + purged <= purgesize; +- header = header_prev) ++ header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum])) + { +- header_prev = ISC_LIST_PREV(header, link); + /* + * Unlink the entry at this point to avoid checking it + * again even if it's currently used someone else and + * cannot be purged at this moment. This entry won't be + * referenced any more (so unlinking is safe) since the +- * TTL was reset to 0. ++ * TTL will be reset to 0. + */ + ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link); + size_t header_size = rdataset_size(header); +-- +GitLab + diff --git a/backport-03-Fix-the-DNS_GETDB_STALEFIRST-flag.patch b/backport-03-Fix-the-DNS_GETDB_STALEFIRST-flag.patch new file mode 100644 index 0000000..98dbdf3 --- /dev/null +++ b/backport-03-Fix-the-DNS_GETDB_STALEFIRST-flag.patch @@ -0,0 +1,37 @@ +From 2bcd6c2fd37e993e224430e9134fda813b6dcadf Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Wed, 31 Jan 2024 13:01:13 +0000 +Subject: [PATCH] Fix the DNS_GETDB_STALEFIRST flag + +The DNS_GETDB_STALEFIRST flag is defined as 0x0C, which is the +combination of the DNS_GETDB_PARTIAL (0x04) and the +DNS_GETDB_IGNOREACL (0x08) flags (0x04 | 0x08 == 0x0C) , which is +an obvious error. + +All the flags should be power of two, so they don't interfere with +each other. Fix the DNS_GETDB_STALEFIRST flag by setting it to 0x10. + +(cherry picked from commit be7d8fafe292424ba0fdecf6687c5c72f85a25d1) + +Conflict:no +Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/2bcd6c2fd37e993e224430e9134fda813b6dcadf +--- + lib/ns/query.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ns/query.c b/lib/ns/query.c +index 7c98d1ab479..9a557460231 100644 +--- a/lib/ns/query.c ++++ b/lib/ns/query.c +@@ -197,7 +197,7 @@ client_trace(ns_client_t *client, int level, const char *message) { + #define DNS_GETDB_NOLOG 0x02U + #define DNS_GETDB_PARTIAL 0x04U + #define DNS_GETDB_IGNOREACL 0x08U +-#define DNS_GETDB_STALEFIRST 0X0CU ++#define DNS_GETDB_STALEFIRST 0X10U + + #define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0) + +-- +GitLab + diff --git a/backport-04-Fix-reading-extra-messages.patch b/backport-04-Fix-reading-extra-messages.patch new file mode 100644 index 0000000..1e63a72 --- /dev/null +++ b/backport-04-Fix-reading-extra-messages.patch @@ -0,0 +1,73 @@ +From 7b390a7fb6ca10b60147b72acec0e951da251a7d Mon Sep 17 00:00:00 2001 +From: Artem Boldariev +Date: Wed, 17 Jan 2024 15:40:56 +0200 +Subject: [PATCH] Fix reading extra messages in TLS DNS in client mode + +When connecting to a remote party the TLS DNS code could process more +than one message at a time despite the fact that it is expected that +we should stop after every DNS message. + +Every DNS message is handled and consumed from the input buffer by +isc__nm_process_sock_buffer(). However, as opposed to TCP DNS code, it +can be called more than once when processing incoming data from a +server (see tls_cycle_input()). That, in turn means that we can +process more than one message at a time. Some higher level code might +not expect that, as it breaks the contract. + +In particular, in the original report that happened during +isc__nm_async_tlsdnsshutdown() call: when shutting down multiple calls +to tls_cycle() are possible (each possibly leading to a +isc__nm_process_sock_buffer()). If there are any non processed +messages left, for any of the messages left the read callback will be +called even when it is not expected as there were no preceding +isc_nm_read(). + +To keep TCP DNS and TLS DNS code in sync, we make a similar change to +it as well, although it should not matter. + +Conflict:no +Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/7b390a7fb6ca10b60147b72acec0e951da251a7d +--- + lib/isc/netmgr/tcpdns.c | 7 +++++++ + lib/isc/netmgr/tlsdns.c | 7 +++++++ + 2 files changed, 14 insertions(+) + +diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c +index eda6aa62ce6..cabc90533d9 100644 +--- a/lib/isc/netmgr/tcpdns.c ++++ b/lib/isc/netmgr/tcpdns.c +@@ -808,6 +808,13 @@ isc__nm_tcpdns_processbuffer(isc_nmsocket_t *sock) { + return (ISC_R_CANCELED); + } + ++ if (sock->client && !sock->recv_read) { ++ /* ++ * We are not reading data - stop here. ++ */ ++ return (ISC_R_CANCELED); ++ } ++ + req = isc__nm_get_read_req(sock, NULL); + REQUIRE(VALID_UVREQ(req)); + +diff --git a/lib/isc/netmgr/tlsdns.c b/lib/isc/netmgr/tlsdns.c +index d30e33fbfd2..cfc62eb5e91 100644 +--- a/lib/isc/netmgr/tlsdns.c ++++ b/lib/isc/netmgr/tlsdns.c +@@ -1016,6 +1016,13 @@ isc__nm_tlsdns_processbuffer(isc_nmsocket_t *sock) { + return (ISC_R_CANCELED); + } + ++ if (sock->client && !sock->recv_read) { ++ /* ++ * We are not reading data - stop here. ++ */ ++ return (ISC_R_CANCELED); ++ } ++ + req = isc__nm_get_read_req(sock, NULL); + REQUIRE(VALID_UVREQ(req)); + +-- +GitLab + diff --git a/backport-05-Recreate-listeners-on-DNS-transport-change.patch b/backport-05-Recreate-listeners-on-DNS-transport-change.patch new file mode 100644 index 0000000..e2ea7b3 --- /dev/null +++ b/backport-05-Recreate-listeners-on-DNS-transport-change.patch @@ -0,0 +1,213 @@ +From 2be0acf3f37a35d7dfad67f060f343402664136c Mon Sep 17 00:00:00 2001 +From: Artem Boldariev +Date: Tue, 9 Jan 2024 19:16:26 +0200 +Subject: [PATCH] Recreate listeners on DNS transport change + +This commit ensures that listeners are recreated on reconfiguration in +the case when their type changes (or when PROXY protocol type changes, +too). + +Previously, if a "listen-on" statement was modified to represent a +different transport, BIND would not pick-up the change on +reconfiguration if listener type changes (e.g. DoH -> DoT) for a given +interface address and port combination. This commit fixes that by +recreating the listener. + +Initially, that worked for most of the new transports as we would +recreate listeners on each reconfiguration for DoH and DoT. But at +some point we changed that in such a way that listeners were not +recreated to avoid rebinding a port as on some platforms only root can +do that for port numbers <1000, making some ports binding possible +only on start-up. We chose to asynchronously update listener socket +settings (like TLS contexts, HTTP settings) instead. + +Now, we both avoid recreating the sockets if unnecessary and recreate +listeners when listener type changes. + +(cherry picked from commit d59cf5e0cec7aba9048f685e3cfd1f0e495f474c) + +Conflict:no +Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/2be0acf3f37a35d7dfad67f060f343402664136c +--- + lib/ns/include/ns/interfacemgr.h | 1 + + lib/ns/interfacemgr.c | 96 +++++++++++++++++++++++++------- + 2 files changed, 77 insertions(+), 20 deletions(-) + +diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h +index 028f86d570a..0ae6fffd39c 100644 +--- a/lib/ns/include/ns/interfacemgr.h ++++ b/lib/ns/include/ns/interfacemgr.h +@@ -77,6 +77,7 @@ struct ns_interface { + char name[32]; /*%< Null terminated. */ + isc_nmsocket_t *udplistensocket; + isc_nmsocket_t *tcplistensocket; ++ isc_nmsocket_t *tlslistensocket; + isc_nmsocket_t *http_listensocket; + isc_nmsocket_t *http_secure_listensocket; + isc_quota_t *http_quota; +diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c +index 50b87dfb5e3..d9f479046f9 100644 +--- a/lib/ns/interfacemgr.c ++++ b/lib/ns/interfacemgr.c +@@ -541,7 +541,7 @@ ns_interface_listentls(ns_interface_t *ifp, isc_tlsctx_t *sslctx) { + result = isc_nm_listentlsdns( + ifp->mgr->nm, &ifp->addr, ns__client_request, ifp, + ns__client_tcpconn, ifp, sizeof(ns_client_t), ifp->mgr->backlog, +- &ifp->mgr->sctx->tcpquota, sslctx, &ifp->tcplistensocket); ++ &ifp->mgr->sctx->tcpquota, sslctx, &ifp->tlslistensocket); + + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, +@@ -672,6 +672,9 @@ interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name, + interface_create(mgr, addr, name, &ifp); + } else { + REQUIRE(!LISTENING(ifp)); ++ LOCK(&mgr->lock); ++ ifp->generation = mgr->generation; ++ UNLOCK(&mgr->lock); + } + + ifp->flags |= NS_INTERFACEFLAG_LISTENING; +@@ -743,6 +746,10 @@ ns_interface_shutdown(ns_interface_t *ifp) { + isc_nm_stoplistening(ifp->tcplistensocket); + isc_nmsocket_close(&ifp->tcplistensocket); + } ++ if (ifp->tlslistensocket != NULL) { ++ isc_nm_stoplistening(ifp->tlslistensocket); ++ isc_nmsocket_close(&ifp->tlslistensocket); ++ } + if (ifp->http_listensocket != NULL) { + isc_nm_stoplistening(ifp->http_listensocket); + isc_nmsocket_close(&ifp->http_listensocket); +@@ -798,6 +805,14 @@ find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) { + return (ifp); + } + ++static void ++log_interface_shutdown(const ns_interface_t *ifp) { ++ char sabuf[ISC_SOCKADDR_FORMATSIZE]; ++ isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf)); ++ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, ++ "no longer listening on %s", sabuf); ++} ++ + /*% + * Remove any interfaces whose generation number is not the current one. + */ +@@ -822,10 +837,7 @@ purge_old_interfaces(ns_interfacemgr_t *mgr) { + for (ifp = ISC_LIST_HEAD(interfaces); ifp != NULL; ifp = next) { + next = ISC_LIST_NEXT(ifp, link); + if (LISTENING(ifp)) { +- char sabuf[256]; +- isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf)); +- isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, +- "no longer listening on %s", sabuf); ++ log_interface_shutdown(ifp); + ns_interface_shutdown(ifp); + } + ISC_LIST_UNLINK(interfaces, ifp, link); +@@ -942,9 +954,8 @@ replace_listener_tlsctx(ns_interface_t *ifp, isc_tlsctx_t *newctx) { + isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf)); + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, + "updating TLS context on %s", sabuf); +- if (ifp->tcplistensocket != NULL) { +- /* 'tcplistensocket' is used for DoT */ +- isc_nmsocket_set_tlsctx(ifp->tcplistensocket, newctx); ++ if (ifp->tlslistensocket != NULL) { ++ isc_nmsocket_set_tlsctx(ifp->tlslistensocket, newctx); + } else if (ifp->http_secure_listensocket != NULL) { + isc_nmsocket_set_tlsctx(ifp->http_secure_listensocket, newctx); + } +@@ -1015,6 +1026,57 @@ update_listener_configuration(ns_interfacemgr_t *mgr, ns_interface_t *ifp, + UNLOCK(&mgr->lock); + } + ++static bool ++same_listener_type(ns_interface_t *ifp, ns_listenelt_t *new_le) { ++ bool same_transport_type = false; ++ ++ if (new_le->is_http && new_le->sslctx != NULL && ++ ifp->http_secure_listensocket != NULL) ++ { ++ /* HTTPS/DoH */ ++ same_transport_type = true; ++ } else if (new_le->is_http && new_le->sslctx == NULL && ++ ifp->http_listensocket != NULL) ++ { ++ /* HTTP/plain DoH */ ++ same_transport_type = true; ++ } else if (new_le->sslctx != NULL && ifp->tlslistensocket != NULL) { ++ /* TLS/DoT */ ++ same_transport_type = true; ++ } else if (new_le->sslctx == NULL && (ifp->udplistensocket != NULL || ++ ifp->tcplistensocket != NULL)) ++ { ++ /* "plain" DNS/Do53 */ ++ same_transport_type = true; ++ } ++ ++ return (same_transport_type); ++} ++ ++static bool ++interface_update_or_shutdown(ns_interfacemgr_t *mgr, ns_interface_t *ifp, ++ ns_listenelt_t *le, const bool config) { ++ if (LISTENING(ifp) && config && !same_listener_type(ifp, le)) { ++ /* ++ * DNS listener type has been changed on re-configuration. We ++ * will need to recreate the listener anew. ++ */ ++ log_interface_shutdown(ifp); ++ ns_interface_shutdown(ifp); ++ } else { ++ LOCK(&mgr->lock); ++ ifp->generation = mgr->generation; ++ UNLOCK(&mgr->lock); ++ if (LISTENING(ifp)) { ++ if (config) { ++ update_listener_configuration(mgr, ifp, le); ++ } ++ return (true); ++ } ++ } ++ return (false); ++} ++ + static isc_result_t + do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { + isc_interfaceiter_t *iter = NULL; +@@ -1082,12 +1144,9 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { + + ifp = find_matching_interface(mgr, &listen_addr); + if (ifp != NULL) { +- ifp->generation = mgr->generation; +- if (LISTENING(ifp)) { +- if (config) { +- update_listener_configuration( +- mgr, ifp, le); +- } ++ bool cont = interface_update_or_shutdown( ++ mgr, ifp, le, config); ++ if (cont) { + continue; + } + } +@@ -1233,12 +1292,9 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { + + ifp = find_matching_interface(mgr, &listen_sockaddr); + if (ifp != NULL) { +- ifp->generation = mgr->generation; +- if (LISTENING(ifp)) { +- if (config) { +- update_listener_configuration( +- mgr, ifp, le); +- } ++ bool cont = interface_update_or_shutdown( ++ mgr, ifp, le, config); ++ if (cont) { + continue; + } + } +-- +GitLab + diff --git a/backport-06-Fix-flawed-logic-when-detecting-same-listener-type.patch b/backport-06-Fix-flawed-logic-when-detecting-same-listener-type.patch new file mode 100644 index 0000000..86d2952 --- /dev/null +++ b/backport-06-Fix-flawed-logic-when-detecting-same-listener-type.patch @@ -0,0 +1,60 @@ +From cff69c65b5e5710c62361e968eb7a36eea8c0fb9 Mon Sep 17 00:00:00 2001 +From: Artem Boldariev +Date: Fri, 12 Jan 2024 17:50:12 +0200 +Subject: [PATCH] Fix flawed logic when detecting same listener type + +The older version of the code was reporting that listeners are going +to be of the same type after reconfiguration when switching from DoT +to HTTPS listener, making BIND abort its executions. + +That was happening due to the flaw in logic due to which the code +could consider a current listener and a configuration for the new one +to be of the same type (DoT) even when the new listener entry is +explicitly marked as HTTP. + +The checks for PROXY in between the configuration were masking that +behaviour, but when porting it to 9.18 (when there is no PROXY +support), the behaviour was exposed. + +Now the code mirrors the logic in 'interface_setup()' closely (as it +was meant to). + +(cherry picked from commit 8ae661048d7baa3b1fb955cecc4101a2daa32a65) + +Conflict:no +Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/cff69c65b5e5710c62361e968eb7a36eea8c0fb9 +--- + lib/ns/interfacemgr.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c +index d9f479046f9..c7e057bf9ee 100644 +--- a/lib/ns/interfacemgr.c ++++ b/lib/ns/interfacemgr.c +@@ -1030,16 +1030,13 @@ static bool + same_listener_type(ns_interface_t *ifp, ns_listenelt_t *new_le) { + bool same_transport_type = false; + +- if (new_le->is_http && new_le->sslctx != NULL && +- ifp->http_secure_listensocket != NULL) +- { +- /* HTTPS/DoH */ +- same_transport_type = true; +- } else if (new_le->is_http && new_le->sslctx == NULL && +- ifp->http_listensocket != NULL) +- { +- /* HTTP/plain DoH */ +- same_transport_type = true; ++ /* See 'interface_setup()' above */ ++ if (new_le->is_http) { ++ /* HTTP/DoH */ ++ same_transport_type = (new_le->sslctx != NULL && ++ ifp->http_secure_listensocket != NULL) || ++ (new_le->sslctx == NULL && ++ ifp->http_listensocket != NULL); + } else if (new_le->sslctx != NULL && ifp->tlslistensocket != NULL) { + /* TLS/DoT */ + same_transport_type = true; +-- +GitLab + diff --git a/backport-07-Fix-a-possible-dig-host-crash-in-NS-search-mode.patch b/backport-07-Fix-a-possible-dig-host-crash-in-NS-search-mode.patch new file mode 100644 index 0000000..f38dc8a --- /dev/null +++ b/backport-07-Fix-a-possible-dig-host-crash-in-NS-search-mode.patch @@ -0,0 +1,39 @@ +From 11e85d15f96e25ff9dc462f3c2cd7598b672117e Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Tue, 9 Jan 2024 11:35:11 +0000 +Subject: [PATCH] Fix a possible dig/host crash in "NS search" mode + +When getting a SERVFAIL reply from a query, 'host' tries to start +the next query in the lookup's list (also true for 'dig +nofail'). +However, when running with the '-C' switch (or +nssearch for 'dig'), +all the queries in the lookup start from the beginning, so that logic +brings to a crash because of the attempted start of the query which +was already started. + +Don't start the next query in the affected code path when in +nssearch +mode. + +(cherry picked from commit f6658b333e44982d8272799e1577b6872909537f) + +Conflict:no +Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/11e85d15f96e25ff9dc462f3c2cd7598b672117e +--- + bin/dig/dighost.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index a8ae79fc28a..5b4dca2774b 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -4365,7 +4365,7 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, + if (l->current_query == query) { + query_detach(&l->current_query); + } +- if (next != NULL) { ++ if (next != NULL && (!l->ns_search_only || l->trace_root)) { + debug("sending query %p", next); + if (l->tcp_mode) { + start_tcp(next); +-- +GitLab + diff --git a/backport-08-Don-t-look-for-KSK-status-here-and-squash-memory-leak.patch b/backport-08-Don-t-look-for-KSK-status-here-and-squash-memory-leak.patch new file mode 100644 index 0000000..5a5f284 --- /dev/null +++ b/backport-08-Don-t-look-for-KSK-status-here-and-squash-memory-leak.patch @@ -0,0 +1,44 @@ +From 0ceb01386cc44027e568d574989ba0ef33723a3e Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 13 Dec 2023 17:55:09 +1100 +Subject: [PATCH] Don't look for KSK status here and squash memory leak + +Just remove the key from consideration as it is being removed. + +The old code could leak a key reference as dst_free_key was not +called every time we continued. This simplification will address +this as well. + +(cherry picked from commit a3d0476d1793a2095047c8e911b33f8bf0ee04cf) + +Conflict:no +Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/0ceb01386cc44027e568d574989ba0ef33723a3e +--- + lib/dns/zone.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index b60764a4cb1..729adcb6e48 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -9657,16 +9657,7 @@ zone_sign(dns_zone_t *zone) { + if (ALG(zone_keys[i]) == signing->algorithm && + dst_key_id(zone_keys[i]) == signing->keyid) + { +- bool ksk = false; +- isc_result_t ret = dst_key_getbool( +- zone_keys[i], DST_BOOL_KSK, +- &ksk); +- if (ret != ISC_R_SUCCESS) { +- ksk = KSK(zone_keys[i]); +- } +- if (ksk) { +- dst_key_free(&zone_keys[i]); +- } ++ dst_key_free(&zone_keys[i]); + continue; + } + zone_keys[j] = zone_keys[i]; +-- +GitLab + diff --git a/bind.spec b/bind.spec index b85e7cf..f1436bb 100644 --- a/bind.spec +++ b/bind.spec @@ -29,7 +29,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.18.21 -Release: 5 +Release: 6 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -76,6 +76,15 @@ Patch6012:backport-CVE-2025-40778-01.patch Patch6013:backport-CVE-2025-40778-02.patch Patch6014:backport-CVE-2025-40778-03.patch Patch6015:backport-CVE-2025-40780.patch +Patch6016:backport-01-Fix-bug-in-keymgr-Depends-function.patch +Patch6017:backport-02-Do-not-use-header_prev-in-expire_lru_headers.patch +Patch6018:backport-03-Fix-the-DNS_GETDB_STALEFIRST-flag.patch +Patch6019:backport-04-Fix-reading-extra-messages.patch +Patch6020:backport-05-Recreate-listeners-on-DNS-transport-change.patch +Patch6021:backport-06-Fix-flawed-logic-when-detecting-same-listener-type.patch +Patch6022:backport-07-Fix-a-possible-dig-host-crash-in-NS-search-mode.patch +Patch6023:backport-08-Don-t-look-for-KSK-status-here-and-squash-memory-leak.patch + # Common patches %{?systemd_ordering} @@ -915,6 +924,12 @@ fi; %endif %changelog +* Tue Dec 02 2025 zhaoyonghao - 32:9.18.21-6 +- Type:bugfix +- CVE: +- SUG:NA +- DESC:backport some patches from upstream + * Mon Nov 03 2025 tangce - 32:9.18.21-5 - Type:CVE - CVE:CVE-2025-8677,CVE-2025-40778,CVE-2025-40780 -- Gitee