]> code.ossystems Code Review - openembedded-core.git/commitdiff
Code Review / openembedded-core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: cfbd144)
bind: Security Advisory - bind - CVE-2020-8624
authorLi Zhou <li.zhou@windriver.com>
Wed, 2 Sep 2020 08:19:31 +0000 (16:19 +0800)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Thu, 10 Sep 2020 12:21:31 +0000 (13:21 +0100)
Backport patch from <https://gitlab.isc.org/isc-projects/bind9/
commit/e4cccf9668c7adee4724a7649ec64685f82c8677> to solve CVE-2020-8624.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch [new file with mode: 0644] patch | blob
meta/recipes-connectivity/bind/bind_9.11.19.bb patch | blob | history

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch
new file mode 100644 (file)
index 0000000..9cffe35
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch
@@ -0,0 +1,33 @@
+From a73c3d30de7fe98af9e4dc0e490f732a48412380 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 29 Jul 2020 23:36:03 +1000
+Subject: [PATCH] bind: Update-policy 'subdomain' was incorrectly treated as
+ 'zonesub'
+
+resulting in names outside the specified subdomain having the wrong
+restrictions for the given key.
+
+Upstream-Status: Backport
+CVE: CVE-2020-8624
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ bin/named/zoneconf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index e237bdb..4898447 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -237,7 +237,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+               str = cfg_obj_asstring(matchtype);
+               CHECK(dns_ssu_mtypefromstring(str, &mtype));
+-              if (mtype == dns_ssumatchtype_subdomain) {
++              if (mtype == dns_ssumatchtype_subdomain &&
++                  strcasecmp(str, "zonesub") == 0) {
+                       usezone = true;
+               }
+-- 
+1.9.1
+
diff --git a/meta/recipes-connectivity/bind/bind_9.11.19.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb
index aed1a73317aff8c5f7df910aa4527a8bbc72e78d..d4467b0b4847c23e061d4ff45fbb951ef90e2786 100644 (file)
--- a/meta/recipes-connectivity/bind/bind_9.11.19.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            file://CVE-2020-8622.patch \
            file://CVE-2020-8623.patch \
+           file://CVE-2020-8624.patch \
            "
 
 SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"
Mirror of the official openembedded-core repository