diff -Nru bind9-9.18.1/debian/changelog bind9-9.18.1/debian/changelog
--- bind9-9.18.1/debian/changelog 2022-05-17 11:38:24.000000000 +0000
+++ bind9-9.18.1/debian/changelog 2022-09-20 11:51:26.000000000 +0000
@@ -1,3 +1,29 @@
+bind9 (1:9.18.1-1ubuntu1.2) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: Processing large delegations may severely degrade
+ resolver performance
+ - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
+ - CVE-2022-2795
+ * SECURITY UPDATE: Buffer overread in statistics channel code
+ - debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c.
+ - CVE-2022-2881
+ * SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key
+ exchange via TKEY RRs
+ - debian/patches/CVE-2022-2906.patch: adjust return code handling in
+ lib/dns/openssldh_link.c.
+ - CVE-2022-2906
+ * SECURITY UPDATE: resolvers configured to answer from cache with zero
+ stale-answer-timeout may terminate unexpectedly
+ - debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in
+ lib/ns/include/ns/query.h, lib/ns/query.c.
+ - CVE-2022-3080
+ * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
+ - debian/patches/CVE-2022-38178.patch: fix return handling in
+ lib/dns/openssleddsa_link.c.
+ - CVE-2022-38178
+
+ -- Marc Deslauriers Tue, 20 Sep 2022 07:51:26 -0400
+
 bind9 (1:9.18.1-1ubuntu1.1) jammy-security; urgency=medium
 
 * SECURITY UPDATE: Destroying a TLS session early causes assertion
diff -Nru bind9-9.18.1/debian/patches/CVE-2022-2795.patch bind9-9.18.1/debian/patches/CVE-2022-2795.patch
--- bind9-9.18.1/debian/patches/CVE-2022-2795.patch 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.1/debian/patches/CVE-2022-2795.patch 2022-09-20 11:51:26.000000000 +0000
@@ -0,0 +1,43 @@
+Description: fix processing large delegations may severely degrade resolver performance
+Origin: provided by ISC
+
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -204,6 +204,17 @@
+ */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT 5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
++
++STATIC_ASSERT(NS_PROCESSING_LIMIT > NS_RR_LIMIT,
++ "The maximum number of NS RRs processed for each delegation "
++ "(NS_PROCESSING_LIMIT) must be larger than the large delegation "
++ "threshold (NS_RR_LIMIT).");
+
+ /* Hash table for zone counters */
+ #ifndef RES_DOMAIN_HASH_BITS
+@@ -3468,6 +3479,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool
+ bool need_alternate = false;
+ bool all_spilled = true;
+ unsigned int no_addresses = 0;
++ unsigned int ns_processed = 0;
+
+ FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+@@ -3658,6 +3670,11 @@ normal_nses:
+
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
++
++ if (++ns_processed >= NS_PROCESSING_LIMIT) {
++ result = ISC_R_NOMORE;
++ break;
++ }
+ }
+ if (result != ISC_R_NOMORE) {
+ return (result);
diff -Nru bind9-9.18.1/debian/patches/CVE-2022-2881.patch bind9-9.18.1/debian/patches/CVE-2022-2881.patch
--- bind9-9.18.1/debian/patches/CVE-2022-2881.patch 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.1/debian/patches/CVE-2022-2881.patch 2022-09-20 11:51:26.000000000 +0000
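Review bot: The new `if (++ns_processed >= NS_PROCESSING_LIMIT)` exit in the third hunk is silent: it forces `result = ISC_R_NOMORE`, so the `if (result != ISC_R_NOMORE)` check right below treats a truncated delegation exactly like a fully processed one and an operator gets no signal that NS RRs were dropped. The file already traces per-fetch state with `FCTXTRACE5`, so a one-line trace before the `break`, e.g. `FCTXTRACE("NS_PROCESSING_LIMIT reached, remaining NS RRs ignored");`, would make oversized delegations visible in debug logs without changing behaviour. The loop the counter lives in starts outside the hunk; confirm that no earlier `continue` in the loop body bypasses the increment, otherwise the cap counts fewer RRs than were actually looked up. The `STATIC_ASSERT` documents the relation to `NS_RR_LIMIT`, but `20` itself is unexplained; a short note on how the value was chosen would help anyone tuning it later.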
@@ -0,0 +1,24 @@
+Description: fix buffer overread in statistics channel code
+Origin: provided by ISC
+
+diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
+index 7a1512b6f79..e90ef03921c 100644
+--- a/lib/isc/httpd.c
++++ b/lib/isc/httpd.c
+@@ -202,6 +202,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
+ if (r.base != NULL) {
+ isc_mem_put(mctx, r.base, r.length);
+ }
++
++ isc_buffer_initnull(buffer);
+ }
+
+ isc_result_t
+@@ -825,6 +827,7 @@ httpd_compress(isc_httpd_t *httpd) {
+
+ inputlen = isc_buffer_usedlength(&httpd->bodybuffer);
+ alloc_compspace(httpd, inputlen);
++ isc_buffer_clear(&httpd->compbuffer);
+ isc_buffer_region(&httpd->compbuffer, &r);
+
+ /*
diff -Nru bind9-9.18.1/debian/patches/CVE-2022-2906.patch bind9-9.18.1/debian/patches/CVE-2022-2906.patch
--- bind9-9.18.1/debian/patches/CVE-2022-2906.patch 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.1/debian/patches/CVE-2022-2906.patch 2022-09-20 11:51:26.000000000 +0000
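Review bot: Neither added line carries a comment saying what state it resets, and in `httpd_compress` the reason is not obvious from the surrounding code: `isc_buffer_clear(&httpd->compbuffer)` presumably resets the used/current counters left over from a previous response so that `isc_buffer_region` and the compression step that follows do not operate on a stale length — confirm against the isc_buffer implementation. Suggest `/* Reset counters left over from a previous response before the compressor reuses this buffer. */` above the call. The `isc_buffer_initnull(buffer)` added to `free_buffer` is a sound defensive step, leaving the buffer with no base pointer rather than one that still points at memory handed back to `isc_mem_put`; a comment `/* Do not leave a dangling base behind. */` would state that intent. Both enclosing functions continue outside the hunks.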
@@ -0,0 +1,108 @@
+Description: fix memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs
+Origin: provided by ISC
+
+diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
+index d5dbc2e889..1a01c2b351 100644
+--- a/lib/dns/openssldh_link.c
++++ b/lib/dns/openssldh_link.c
+@@ -165,6 +165,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+
+ static bool
+ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
++ bool ret = true;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ DH *dh1, *dh2;
+ const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
+@@ -214,18 +215,17 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
+ BN_cmp(pub_key1, pub_key2) != 0)
+ {
+- return (false);
++ DST_RET(false);
+ }
+
+ if (priv_key1 != NULL || priv_key2 != NULL) {
+- if (priv_key1 == NULL || priv_key2 == NULL) {
+- return (false);
+- }
+- if (BN_cmp(priv_key1, priv_key2) != 0) {
+- return (false);
++ if (priv_key1 == NULL || priv_key2 == NULL ||
++ BN_cmp(priv_key1, priv_key2) != 0) {
++ DST_RET(false);
+ }
+ }
+
++err:
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (p1 != NULL) {
+ BN_free(p1);
+@@ -253,11 +253,12 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ }
+ #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
+- return (true);
++ return (ret);
+ }
+
+ static bool
+ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
++ bool ret = true;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ DH *dh1, *dh2;
+ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+@@ -295,9 +296,10 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+
+ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
+- return (false);
++ DST_RET(false);
+ }
+
++err:
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (p1 != NULL) {
+ BN_free(p1);
+@@ -313,7 +315,7 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ }
+ #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
+- return (true);
++ return (ret);
+ }
+
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+@@ -675,6 +677,7 @@ uint16_fromregion(isc_region_t *region) {
+
+ static isc_result_t
+ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
++ isc_result_t ret = ISC_R_SUCCESS;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ DH *dh;
+ const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+@@ -716,7 +719,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ publen = BN_num_bytes(pub_key);
+ dnslen = plen + glen + publen + 6;
+ if (r.length < (unsigned int)dnslen) {
+- return (ISC_R_NOSPACE);
++ DST_RET(ISC_R_NOSPACE);
+ }
+
+ uint16_toregion(plen, &r);
+@@ -745,6 +748,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+
+ isc_buffer_add(data, dnslen);
+
++err:
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (p != NULL) {
+ BN_free(p);
+@@ -757,7 +761,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ }
+ #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
+- return (ISC_R_SUCCESS);
++ return (ret);
+ }
+
+ static isc_result_t
diff -Nru bind9-9.18.1/debian/patches/CVE-2022-3080.patch bind9-9.18.1/debian/patches/CVE-2022-3080.patch
--- bind9-9.18.1/debian/patches/CVE-2022-3080.patch 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.1/debian/patches/CVE-2022-3080.patch 2022-09-20 11:51:26.000000000 +0000
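Review bot: Every early exit in `openssldh_compare`, `openssldh_paramcompare` and `openssldh_todns` now reaches a new `err:` label, but the label sits directly before `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` and the hunks only show `BN_free(p1)` / `BN_free(p)` of the cleanup, the rest lying outside them. Confirm that every BIGNUM obtained on the OpenSSL 3 path (presumably `g1`, `pub_key1`, `priv_key1` and their `key2` counterparts, and `g`/`pub_key` in `openssldh_todns`) is released in that block; if one is missed, the leak this patch targets is only partly closed. The patch depends on `DST_RET` being defined elsewhere in the file (not shown) to assign `ret` and jump to `err`, so a comment at the label, e.g. `/* All early exits land here so OpenSSL 3 BIGNUM copies are freed. */`, would make the contract clear to the next person adding a return. Declaring `bool ret = true;` / `isc_result_t ret = ISC_R_SUCCESS;` above the `#if` keeps the variable in scope for both OpenSSL branches, which is the right placement.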
@@ -0,0 +1,99 @@
+Description: fix resolvers configured to answer from cache with zero
+ stale-answer-timeout may terminate unexpectedly
+Origin: backported from patch provided by ISC
+
+--- a/lib/ns/include/ns/query.h
++++ b/lib/ns/include/ns/query.h
+@@ -148,6 +148,7 @@ struct query_ctx {
+ bool authoritative; /* authoritative query? */
+ bool want_restart; /* CNAME chain or other
+ * restart needed */
++ bool refresh_rrset; /* stale RRset refresh needed */
+ bool need_wildcardproof; /* wildcard proof needed */
+ bool nxrewrite; /* negative answer from RPZ */
+ bool findcoveringnsec; /* lookup covering NSEC */
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -5791,7 +5791,6 @@ query_lookup(query_ctx_t *qctx) {
+ bool dbfind_stale = false;
+ bool stale_timeout = false;
+ bool stale_found = false;
+- bool refresh_rrset = false;
+ bool stale_refresh_window = false;
+
+ CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
+@@ -5975,8 +5974,7 @@ query_lookup(query_ctx_t *qctx) {
+ "%s stale answer used, an attempt to "
+ "refresh the RRset will still be made",
+ namebuf);
+- refresh_rrset = STALE(qctx->rdataset);
+- qctx->client->nodetach = refresh_rrset;
++ qctx->refresh_rrset = STALE(qctx->rdataset);
+ }
+ } else {
+ /*
+@@ -6014,17 +6012,6 @@ query_lookup(query_ctx_t *qctx) {
+
+ result = query_gotanswer(qctx, result);
+
+- if (refresh_rrset) {
+- /*
+- * If we reached this point then it means that we have found a
+- * stale RRset entry in cache and BIND is configured to allow
+- * queries to be answered with stale data if no active RRset
+- * is available, i.e. "stale-anwer-client-timeout 0". But, we
+- * still need to refresh the RRset.
+- */
+- query_refresh_rrset(qctx);
+- }
+-
+ cleanup:
+ return (result);
+ }
+@@ -8034,11 +8021,14 @@ query_addanswer(query_ctx_t *qctx) {
+
+ /*
+ * On normal lookups, clear any rdatasets that were added on a
+- * lookup due to stale-answer-client-timeout.
++ * lookup due to stale-answer-client-timeout. Do not clear if we
++ * are going to refresh the RRset, because the stale contents are
++ * prioritized.
+ */
+ if (QUERY_STALEOK(&qctx->client->query) &&
+- !QUERY_STALETIMEOUT(&qctx->client->query))
++ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
+ {
++ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
+ query_clear_stale(qctx->client);
+ /*
+ * We can clear the attribute to prevent redundant clearing
+@@ -11765,9 +11755,29 @@ ns_query_done(query_ctx_t *qctx) {
+ /*
+ * Client may have been detached after query_send(), so
+ * we test and store the flag state here, for safety.
++ * If we are refreshing the RRSet, we must not detach from the client
++ * in the query_send(), so we need to override the flag.
+ */
++ if (qctx->refresh_rrset) {
++ qctx->client->nodetach = true;
++ }
+ nodetach = qctx->client->nodetach;
+ query_send(qctx->client);
++
++ if (qctx->refresh_rrset) {
++ /*
++ * If we reached this point then it means that we have found a
++ * stale RRset entry in cache and BIND is configured to allow
++ * queries to be answered with stale data if no active RRset
++ * is available, i.e. "stale-anwer-client-timeout 0". But, we
++ * still need to refresh the RRset. To prevent adding duplicate
++ * RRsets, clear the RRsets from the message before doing the
++ * refresh.
++ */
++ message_clearrdataset(qctx->client->message, 0);
++ query_refresh_rrset(qctx);
++ }
++
+ if (!nodetach) {
+ qctx->detach_client = true;
+ }
diff -Nru bind9-9.18.1/debian/patches/CVE-2022-38178.patch bind9-9.18.1/debian/patches/CVE-2022-38178.patch
--- bind9-9.18.1/debian/patches/CVE-2022-38178.patch 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.1/debian/patches/CVE-2022-38178.patch 2022-09-20 11:51:26.000000000 +0000
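Review bot: The comment block moved into `ns_query_done` keeps the typo `"stale-anwer-client-timeout 0"` from the copy removed from `query_lookup`; the option is `stale-answer-client-timeout`, so anyone grepping for the option name will miss this comment. The `refresh_rrset` field added to `struct query_ctx` has no visible initialisation in this patch; if `query_ctx_t` is not zero-initialised where it is set up, the reads in `query_addanswer` and `ns_query_done` would see an indeterminate value, so confirm the struct initialiser (outside these hunks) covers it. The `if (qctx->refresh_rrset) { qctx->client->nodetach = true; }` override replaces the assignment the old code made in `query_lookup`, and since this is a backport (`Origin: backported from patch provided by ISC`) it is worth saying in the comment why the ordering matters, e.g. `/* Force nodetach before query_send() reads it, so the client survives the refresh below. */`. `ns_query_done` continues outside the hunk.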
@@ -0,0 +1,21 @@
+Description: fix memory leaks in EdDSA DNSSEC verification code
+Origin: provided by ISC
+
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 2f599647da..fa8d51b1ef 100644
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -234,11 +234,11 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ }
+ #endif /* if HAVE_OPENSSL_ED448 */
+ if (siglen == 0) {
+- return (ISC_R_NOTIMPLEMENTED);
++ DST_RET(ISC_R_NOTIMPLEMENTED);
+ }
+
+ if (sig->length != siglen) {
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+ }
+
+ isc_buffer_usedregion(buf, &tbsreg);
diff -Nru bind9-9.18.1/debian/patches/series bind9-9.18.1/debian/patches/series
--- bind9-9.18.1/debian/patches/series 2022-05-17 11:38:16.000000000 +0000
+++ bind9-9.18.1/debian/patches/series 2022-09-20 11:51:02.000000000 +0000
@@ -6,3 +6,8 @@
 lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch
 lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch
 CVE-2022-1183.patch
+CVE-2022-2795.patch
+CVE-2022-2881.patch
+CVE-2022-2906.patch
+CVE-2022-3080.patch
+CVE-2022-38178.patch
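Review bot: Only the `siglen == 0` and `sig->length != siglen` returns in `openssleddsa_verify` are routed through `DST_RET`, and the `err:` label with the cleanup it performs is outside the hunk, so it is not visible from here which resources (presumably the `buf` later passed to `isc_buffer_usedregion` and an EVP context) are released there. Confirm no other bare `return` remains between the allocation and the label, since the function body continues on both sides of the hunk. The `ISC_R_NOTIMPLEMENTED` exit follows the `#endif /* if HAVE_OPENSSL_ED448 */` block and is presumably taken when no supported curve is compiled in, i.e. an expected exit rather than a failure; a one-line comment such as `/* No supported curve available: still release the context via err. */` above it would explain why it now needs cleanup.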