* [bug#31835] [PATCH] gnu: BIND: Fix CVE-2018-5738.
@ 2018-06-14 20:51 Leo Famulari
2018-06-15 0:11 ` Kei Kebreau
0 siblings, 1 reply; 3+ messages in thread
From: Leo Famulari @ 2018-06-14 20:51 UTC (permalink / raw)
To: 31835
* gnu/packages/patches/bind-CVE-2018-5738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/dns.scm (isc-bind)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/dns.scm | 2 +
gnu/packages/patches/bind-CVE-2018-5738.patch | 100 ++++++++++++++++++
3 files changed, 103 insertions(+)
create mode 100644 gnu/packages/patches/bind-CVE-2018-5738.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 01e071872..4d2cefdbd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -581,6 +581,7 @@ dist_patch_DATA = \
%D%/packages/patches/azr3.patch \
%D%/packages/patches/bash-completion-directories.patch \
%D%/packages/patches/bazaar-CVE-2017-14176.patch \
+ %D%/packages/patches/bind-CVE-2018-5738.patch \
%D%/packages/patches/binutils-loongson-workaround.patch \
%D%/packages/patches/blast+-fix-makefile.patch \
%D%/packages/patches/boost-fix-icu-build.patch \
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 0b8d8be57..4fce4b34b 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -50,6 +50,7 @@
#:use-module (gnu packages tls)
#:use-module (gnu packages web)
#:use-module (gnu packages xml)
+ #:use-module (gnu packages)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
#:use-module (guix download)
@@ -104,6 +105,7 @@ and BOOTP/TFTP for network booting of diskless machines.")
(uri (string-append
"ftp://ftp.isc.org/isc/bind9/" version "/" name "-"
version ".tar.gz"))
+ (patches (search-patches "bind-CVE-2018-5738.patch"))
(sha256
(base32
"0a9dvyg1dk7vpqn9gz7p5jas3bz7z22bjd66b98g1qk16i2w7rqd"))))
diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch
new file mode 100644
index 000000000..ddef01465
--- /dev/null
+++ b/gnu/packages/patches/bind-CVE-2018-5738.patch
@@ -0,0 +1,100 @@
+Fix CVE-2018-5738:
+
+https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index f63554e..847c4ff 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ CHECKM(named_config_getport(config, &port), "port");
+ dns_view_setdstport(view, port);
+
+- CHECK(configure_view_acl(vconfig, config, named_g_config,
+- "allow-query", NULL, actx,
+- named_g_mctx, &view->queryacl));
+-
+ /*
+ * Make the list of response policy zone names for a view that
+ * is used for real lookups and so cares about hints.
+@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ "allow-query-cache-on", NULL, actx,
+ named_g_mctx, &view->cacheonacl));
+ /*
+- * Set "allow-query-cache", "allow-recursion", and
+- * "allow-recursion-on" acls if configured in named.conf.
+- * (Ignore the global defaults for now, because these ACLs
+- * can inherit from each other when only some of them set at
+- * the options/view level.)
++ * Set the "allow-query", "allow-query-cache", "allow-recursion",
++ * and "allow-recursion-on" ACLs if configured in named.conf, but
++ * NOT from the global defaults. This is done by leaving the third
++ * argument to configure_view_acl() NULL.
++ *
++ * We ignore the global defaults here because these ACLs
++ * can inherit from each other. If any are still unset after
++ * applying the inheritance rules, we'll look up the defaults at
++ * that time.
+ */
+- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+- NULL, actx, named_g_mctx, &view->cacheacl));
++
++ /* named.conf only */
++ CHECK(configure_view_acl(vconfig, config, NULL,
++ "allow-query", NULL, actx,
++ named_g_mctx, &view->queryacl));
++
++ /* named.conf only */
++ CHECK(configure_view_acl(vconfig, config, NULL,
++ "allow-query-cache", NULL, actx,
++ named_g_mctx, &view->cacheacl));
+
+ if (strcmp(view->name, "_bind") != 0 &&
+ view->rdclass != dns_rdataclass_chaos)
+ {
++ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-recursion", NULL, actx,
+ named_g_mctx, &view->recursionacl));
++ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-recursion-on", NULL, actx,
+ named_g_mctx, &view->recursiononacl));
+@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ * the global config.
+ */
+ if (view->recursionacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ "allow-recursion", NULL,
+ actx, named_g_mctx,
+ &view->recursionacl));
+ }
+ if (view->recursiononacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ "allow-recursion-on", NULL,
+ actx, named_g_mctx,
+ &view->recursiononacl));
+ }
+ if (view->cacheacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ "allow-query-cache", NULL,
+ actx, named_g_mctx,
+@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ CHECK(dns_acl_none(mctx, &view->cacheacl));
+ }
+
++ if (view->queryacl == NULL) {
++ /* global default only */
++ CHECK(configure_view_acl(NULL, NULL, named_g_config,
++ "allow-query", NULL,
++ actx, named_g_mctx,
++ &view->queryacl));
++ }
++
+ /*
+ * Ignore case when compressing responses to the specified
+ * clients. This causes case not always to be preserved,
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [bug#31835] [PATCH] gnu: BIND: Fix CVE-2018-5738.
2018-06-14 20:51 [bug#31835] [PATCH] gnu: BIND: Fix CVE-2018-5738 Leo Famulari
@ 2018-06-15 0:11 ` Kei Kebreau
2018-06-15 20:43 ` bug#31835: " Leo Famulari
0 siblings, 1 reply; 3+ messages in thread
From: Kei Kebreau @ 2018-06-15 0:11 UTC (permalink / raw)
To: Leo Famulari; +Cc: 31835
[-- Attachment #1: Type: text/plain, Size: 6378 bytes --]
Leo Famulari <leo@famulari.name> writes:
> * gnu/packages/patches/bind-CVE-2018-5738.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/dns.scm (isc-bind)[source]: Use it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/dns.scm | 2 +
> gnu/packages/patches/bind-CVE-2018-5738.patch | 100 ++++++++++++++++++
> 3 files changed, 103 insertions(+)
> create mode 100644 gnu/packages/patches/bind-CVE-2018-5738.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 01e071872..4d2cefdbd 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -581,6 +581,7 @@ dist_patch_DATA = \
> %D%/packages/patches/azr3.patch \
> %D%/packages/patches/bash-completion-directories.patch \
> %D%/packages/patches/bazaar-CVE-2017-14176.patch \
> + %D%/packages/patches/bind-CVE-2018-5738.patch \
> %D%/packages/patches/binutils-loongson-workaround.patch \
> %D%/packages/patches/blast+-fix-makefile.patch \
> %D%/packages/patches/boost-fix-icu-build.patch \
> diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
> index 0b8d8be57..4fce4b34b 100644
> --- a/gnu/packages/dns.scm
> +++ b/gnu/packages/dns.scm
> @@ -50,6 +50,7 @@
> #:use-module (gnu packages tls)
> #:use-module (gnu packages web)
> #:use-module (gnu packages xml)
> + #:use-module (gnu packages)
> #:use-module ((guix licenses) #:prefix license:)
> #:use-module (guix packages)
> #:use-module (guix download)
> @@ -104,6 +105,7 @@ and BOOTP/TFTP for network booting of diskless machines.")
> (uri (string-append
> "ftp://ftp.isc.org/isc/bind9/" version "/" name "-"
> version ".tar.gz"))
> + (patches (search-patches "bind-CVE-2018-5738.patch"))
> (sha256
> (base32
> "0a9dvyg1dk7vpqn9gz7p5jas3bz7z22bjd66b98g1qk16i2w7rqd"))))
> diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch
> new file mode 100644
> index 000000000..ddef01465
> --- /dev/null
> +++ b/gnu/packages/patches/bind-CVE-2018-5738.patch
> @@ -0,0 +1,100 @@
> +Fix CVE-2018-5738:
> +
> +https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738
> +
> +diff --git a/bin/named/server.c b/bin/named/server.c
> +index f63554e..847c4ff 100644
> +--- a/bin/named/server.c
> ++++ b/bin/named/server.c
> +@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
> + CHECKM(named_config_getport(config, &port), "port");
> + dns_view_setdstport(view, port);
> +
> +- CHECK(configure_view_acl(vconfig, config, named_g_config,
> +- "allow-query", NULL, actx,
> +- named_g_mctx, &view->queryacl));
> +-
> + /*
> + * Make the list of response policy zone names for a view that
> + * is used for real lookups and so cares about hints.
> +@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
> + "allow-query-cache-on", NULL, actx,
> + named_g_mctx, &view->cacheonacl));
> + /*
> +- * Set "allow-query-cache", "allow-recursion", and
> +- * "allow-recursion-on" acls if configured in named.conf.
> +- * (Ignore the global defaults for now, because these ACLs
> +- * can inherit from each other when only some of them set at
> +- * the options/view level.)
> ++ * Set the "allow-query", "allow-query-cache", "allow-recursion",
> ++ * and "allow-recursion-on" ACLs if configured in named.conf, but
> ++ * NOT from the global defaults. This is done by leaving the third
> ++ * argument to configure_view_acl() NULL.
> ++ *
> ++ * We ignore the global defaults here because these ACLs
> ++ * can inherit from each other. If any are still unset after
> ++ * applying the inheritance rules, we'll look up the defaults at
> ++ * that time.
> + */
> +- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
> +- NULL, actx, named_g_mctx, &view->cacheacl));
> ++
> ++ /* named.conf only */
> ++ CHECK(configure_view_acl(vconfig, config, NULL,
> ++ "allow-query", NULL, actx,
> ++ named_g_mctx, &view->queryacl));
> ++
> ++ /* named.conf only */
> ++ CHECK(configure_view_acl(vconfig, config, NULL,
> ++ "allow-query-cache", NULL, actx,
> ++ named_g_mctx, &view->cacheacl));
> +
> + if (strcmp(view->name, "_bind") != 0 &&
> + view->rdclass != dns_rdataclass_chaos)
> + {
> ++ /* named.conf only */
> + CHECK(configure_view_acl(vconfig, config, NULL,
> + "allow-recursion", NULL, actx,
> + named_g_mctx, &view->recursionacl));
> ++ /* named.conf only */
> + CHECK(configure_view_acl(vconfig, config, NULL,
> + "allow-recursion-on", NULL, actx,
> + named_g_mctx, &view->recursiononacl));
> +@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
> + * the global config.
> + */
> + if (view->recursionacl == NULL) {
> ++ /* global default only */
> + CHECK(configure_view_acl(NULL, NULL, named_g_config,
> + "allow-recursion", NULL,
> + actx, named_g_mctx,
> + &view->recursionacl));
> + }
> + if (view->recursiononacl == NULL) {
> ++ /* global default only */
> + CHECK(configure_view_acl(NULL, NULL, named_g_config,
> + "allow-recursion-on", NULL,
> + actx, named_g_mctx,
> + &view->recursiononacl));
> + }
> + if (view->cacheacl == NULL) {
> ++ /* global default only */
> + CHECK(configure_view_acl(NULL, NULL, named_g_config,
> + "allow-query-cache", NULL,
> + actx, named_g_mctx,
> +@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
> + CHECK(dns_acl_none(mctx, &view->cacheacl));
> + }
> +
> ++ if (view->queryacl == NULL) {
> ++ /* global default only */
> ++ CHECK(configure_view_acl(NULL, NULL, named_g_config,
> ++ "allow-query", NULL,
> ++ actx, named_g_mctx,
> ++ &view->queryacl));
> ++ }
> ++
> + /*
> + * Ignore case when compressing responses to the specified
> + * clients. This causes case not always to be preserved,
Hi Leo,
This patch looks fine and builds properly and reproducibly on my
machine.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* bug#31835: [PATCH] gnu: BIND: Fix CVE-2018-5738.
2018-06-15 0:11 ` Kei Kebreau
@ 2018-06-15 20:43 ` Leo Famulari
0 siblings, 0 replies; 3+ messages in thread
From: Leo Famulari @ 2018-06-15 20:43 UTC (permalink / raw)
To: Kei Kebreau; +Cc: 31835-done
[-- Attachment #1: Type: text/plain, Size: 452 bytes --]
On Thu, Jun 14, 2018 at 08:11:25PM -0400, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > * gnu/packages/patches/bind-CVE-2018-5738.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/dns.scm (isc-bind)[source]: Use it.
> Hi Leo,
>
> This patch looks fine and builds properly and reproducibly on my
> machine.
Thanks for the review! Pushed as
12e530ba63ad848d3d3194f09e8b54b693d74896
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-06-15 20:44 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-14 20:51 [bug#31835] [PATCH] gnu: BIND: Fix CVE-2018-5738 Leo Famulari
2018-06-15 0:11 ` Kei Kebreau
2018-06-15 20:43 ` bug#31835: " Leo Famulari
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.