From 38323f3b9f6e9a41a78f92d21905548c64bba3a5 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 27 Oct 2022 13:22:11 +1100
Subject: [PATCH 1/3] Move the mapping of SIG and RRSIG to ANY
dns_db_findext() asserts if RRSIG is passed to it and query_lookup_stale() failed to map RRSIG to ANY to prevent this. To avoid cases like this in the future, move the mapping of SIG and RRSIG to ANY for qctx->type to qctx_init().
(cherry picked from commit 56eae064183488bcf7ff08c3edf59f2e1742c1b6)
---
 lib/ns/query.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 36f3c40dc1..0ad4f0f13e 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5237,6 +5237,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
 qctx->result = ISC_R_SUCCESS;
 qctx->findcoveringnsec = qctx->view->synthfromdnssec;
+ /*
+ * If it's an RRSIG or SIG query, we'll iterate the node.
+ */
+ if (qctx->qtype == dns_rdatatype_rrsig ||
+ qctx->qtype == dns_rdatatype_sig)
+ {
+ qctx->type = dns_rdatatype_any;
+ }
+
 CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
 }
@@ -5424,15 +5433,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
 CALL_HOOK(NS_QUERY_SETUP, &qctx);
- /*
- * If it's a SIG query, we'll iterate the node.
- */
- if (qctx.qtype == dns_rdatatype_rrsig ||
- qctx.qtype == dns_rdatatype_sig)
- {
- qctx.type = dns_rdatatype_any;
- }
-
 /*
 * Check SERVFAIL cache
 */
From a4b760d8f60592e9f6ebf76e912b0dc80290b3f7 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 28 Oct 2022 11:26:59 +1100
Subject: [PATCH 2/3] Add CHANGES note for [GL #3622]
(cherry picked from commit 8ca018b5ec2c25bbfc4b951aa9826a46d01fba51)
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index 95a7fc82bd..bdfbf45a2d 100644
--- a/CHANGES
+++ b/CHANGES
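Review bot: The comment added above the `qctx->qtype` check in the qctx_init() hunk of lib/ns/query.c says what the mapping does but not why it must live here; per the commit message, dns_db_findext() asserts when it is handed RRSIG, and query_lookup_stale() reached it without the mapping. I would record that invariant in the comment, for example `* dns_db_findext() asserts on RRSIG, so qctx->type must be mapped to ANY before any lookup path can use it.`, so the block is not moved back into a single caller later. The mapping now runs before `CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx)`, whereas the copy removed from query_setup() ran after `CALL_HOOK(NS_QUERY_SETUP, &qctx)`, so hook modules presumably now observe `dns_rdatatype_any` in `qctx->type` for these queries; that deserves a line in the hook documentation if it is intended. The series as shown also carries no regression test for an RRSIG query with stale-answer-client-timeout set to a non-zero value, which a query-triggered assertion failure would normally get. qctx_init() begins outside the hunk.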
@@ -1,3 +1,6 @@
+6066. [security] Handle RRSIG lookups when serve-stale is active.
+ (CVE-2022-3736) [GL #3622]
+
 6064. [security] An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new "update-quota" statement that controls the number of
From 645dd3fdf1522d66fabe403e0ca6ec2ebbea2e96 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 28 Oct 2022 11:31:19 +1100
Subject: [PATCH 3/3] Add release note for [GL #3622]
(cherry picked from commit 42c42be9a997a30dcf83c8a77a2f57811757a72d)
---
 doc/notes/notes-current.rst | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 305cea5933..a5b1df2982 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -24,6 +24,14 @@ Security Fixes
 ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. :gl:`#3523`
+- :iscman:`named` could crash with an assertion failure when an RRSIG
+ query was received and :any:`stale-answer-client-timeout` was set to a
+ non-zero value. This has been fixed. (CVE-2022-3736)
+
+ ISC would like to thank Borja Marcos from Sarenet (with assistance by
+ Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
+ our attention. :gl:`#3622`
+
 New Features
 ~~~~~~~~~~~~