diff --git a/CHANGES b/CHANGES index 7ae6f8538b..6c0ba022b1 100644 --- a/CHANGES +++ b/CHANGES @@ -29,9 +29,12 @@ 6247. [func] Implement incremental hashing in both isc_siphash and isc_hash units. [GL #4306] + --- 9.19.17 released --- + 6246. [placeholder] -6245. [placeholder] +6245. [security] Limit the amount of recursion that can be performed + by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152] 6244. [bug] Adjust log levels on malformed messages to NOTICE when transferring in a zone. [GL #4290] diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 2d8a31ee94..5eff08bf47 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -39,6 +39,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst .. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.19.17.rst .. include:: ../notes/notes-9.19.16.rst .. include:: ../notes/notes-9.19.15.rst .. include:: ../notes/notes-9.19.14.rst diff --git a/doc/notes/notes-9.19.17.rst b/doc/notes/notes-9.19.17.rst new file mode 100644 index 0000000000..7081fa3e71 --- /dev/null +++ b/doc/notes/notes-9.19.17.rst @@ -0,0 +1,99 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.19.17 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Previously, sending a specially crafted message over the control + channel could cause the packet-parsing code to run out of available + stack memory, causing :iscman:`named` to terminate unexpectedly. + This has been fixed. (CVE-2023-3341) + + ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for + bringing this vulnerability to our attention. :gl:`#4152` + +New Features +~~~~~~~~~~~~ + +- Support for User Statically Defined Tracing (USDT) probes has been + added. These probes enable fine-grained application tracing and + introduce no overhead when they are not enabled. :gl:`#4041` + +- The client-side support of the EDNS EXPIRE option has been expanded to + include IXFR and AXFR query types. This enhancement enables + :iscman:`named` to perform AXFR and IXFR queries while incorporating + the EDNS EXPIRE option. :gl:`#4170` + +Removed Features +~~~~~~~~~~~~~~~~ + +- The :any:`dnssec-must-be-secure` option has been deprecated and will + be removed in a future release. :gl:`#4263` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Compiling with jemalloc versions older than 4.0.0 is no longer + supported; those versions do not provide the features required by + current BIND 9 releases. :gl:`#4296` + +- If the ``server`` command is specified, :iscman:`nsupdate` now honors + the :option:`nsupdate -v` option for SOA queries by sending both the + UPDATE request and the initial query over TCP. :gl:`#1181` + +Bug Fixes +~~~~~~~~~ + +- The value of the If-Modified-Since header in the statistics channel + was not being correctly validated for its length, potentially allowing + an authorized user to trigger a buffer overflow. Ensuring the + statistics channel is configured correctly to grant access exclusively + to authorized users is essential (see the :any:`statistics-channels` + block definition and usage section). :gl:`#4124` + + This issue was reported independently by Eric Sesterhenn of X41 D-Sec + GmbH and Cameron Whitehead. + +- The Content-Length header in the statistics channel was lacking proper + bounds checking. A negative or excessively large value could + potentially trigger an integer overflow and result in an assertion + failure. :gl:`#4125` + + This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. + +- Several memory leaks caused by not clearing the OpenSSL error stack + were fixed. :gl:`#4159` + + This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. + +- The introduction of ``krb5-subdomain-self-rhs`` and + ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused + :iscman:`named` to return SERVFAIL responses to deletion requests for + non-existent PTR and SRV records. This has been fixed. :gl:`#4280` + +- The :any:`stale-refresh-time` feature was mistakenly disabled when the + server cache was flushed by :option:`rndc flush`. This has been fixed. + :gl:`#4278` + +- BIND's memory consumption has been improved by implementing dedicated + jemalloc memory arenas for sending buffers. This optimization ensures + that memory usage is more efficient and better manages the return of + memory pages to the operating system. :gl:`#4038` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h index 734ace7728..4d2aedcc77 100644 --- a/lib/isc/include/isc/result.h +++ b/lib/isc/include/isc/result.h @@ -273,6 +273,7 @@ typedef enum isc_result { ISCCC_R_EXPIRED, ISCCC_R_CLOCKSKEW, ISCCC_R_DUPLICATE, + ISCCC_R_MAXDEPTH, ISC_R_NRESULTS, /*% The number of results. */ ISC_R_MAKE_ENUM_32BIT = INT32_MAX, diff --git a/lib/isc/result.c b/lib/isc/result.c index 99e0be7d38..765105ab55 100644 --- a/lib/isc/result.c +++ b/lib/isc/result.c @@ -270,6 +270,7 @@ static const char *description[ISC_R_NRESULTS] = { [ISCCC_R_EXPIRED] = "expired", [ISCCC_R_CLOCKSKEW] = "clock skew", [ISCCC_R_DUPLICATE] = "duplicate", + [ISCCC_R_MAXDEPTH] = "max depth", }; static const char *identifier[ISC_R_NRESULTS] = { @@ -521,6 +522,7 @@ static const char *identifier[ISC_R_NRESULTS] = { [ISCCC_R_EXPIRED] = "ISCCC_R_EXPIRED", [ISCCC_R_CLOCKSKEW] = "ISCCC_R_CLOCKSKEW", [ISCCC_R_DUPLICATE] = "ISCCC_R_DUPLICATE", + [ISCCC_R_MAXDEPTH] = "ISCCC_R_MAXDEPTH", }; STATIC_ASSERT((DNS_R_SERVFAIL - DNS_R_NOERROR == 2), diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c index 58fb86e6e2..dd8397054a 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c @@ -51,6 +51,10 @@ #define MAX_TAGS 256 #define DUP_LIFETIME 900 +#ifndef ISCCC_MAXDEPTH +#define ISCCC_MAXDEPTH \ + 10 /* Big enough for rndc which just sends a string each way. */ +#endif typedef isccc_sexpr_t *sexpr_ptr; @@ -483,19 +487,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, static isc_result_t table_fromwire(isccc_region_t *source, isccc_region_t *secret, - uint32_t algorithm, isccc_sexpr_t **alistp); + uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp); static isc_result_t -list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp); +list_fromwire(isccc_region_t *source, unsigned int depth, + isccc_sexpr_t **listp); static isc_result_t -value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { +value_fromwire(isccc_region_t *source, unsigned int depth, + isccc_sexpr_t **valuep) { unsigned int msgtype; uint32_t len; isccc_sexpr_t *value; isccc_region_t active; isc_result_t result; + if (depth > ISCCC_MAXDEPTH) { + return (ISCCC_R_MAXDEPTH); + } + if (REGION_SIZE(*source) < 1 + 4) { return (ISC_R_UNEXPECTEDEND); } @@ -516,9 +526,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { result = ISC_R_NOMEMORY; } } else if (msgtype == ISCCC_CCMSGTYPE_TABLE) { - result = table_fromwire(&active, NULL, 0, valuep); + result = table_fromwire(&active, NULL, 0, depth + 1, valuep); } else if (msgtype == ISCCC_CCMSGTYPE_LIST) { - result = list_fromwire(&active, valuep); + result = list_fromwire(&active, depth + 1, valuep); } else { result = ISCCC_R_SYNTAX; } @@ -528,7 +538,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { static isc_result_t table_fromwire(isccc_region_t *source, isccc_region_t *secret, - uint32_t algorithm, isccc_sexpr_t **alistp) { + uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) { char key[256]; uint32_t len; isc_result_t result; @@ -538,6 +548,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, REQUIRE(alistp != NULL && *alistp == NULL); + if (depth > ISCCC_MAXDEPTH) { + return (ISCCC_R_MAXDEPTH); + } + checksum_rstart = NULL; first_tag = true; alist = isccc_alist_create(); @@ -554,7 +568,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, GET_MEM(key, len, source->rstart); key[len] = '\0'; /* Ensure NUL termination. */ value = NULL; - result = value_fromwire(source, &value); + result = value_fromwire(source, depth + 1, &value); if (result != ISC_R_SUCCESS) { goto bad; } @@ -592,14 +606,19 @@ bad: } static isc_result_t -list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) { +list_fromwire(isccc_region_t *source, unsigned int depth, + isccc_sexpr_t **listp) { isccc_sexpr_t *list, *value; isc_result_t result; + if (depth > ISCCC_MAXDEPTH) { + return (ISCCC_R_MAXDEPTH); + } + list = NULL; while (!REGION_EMPTY(*source)) { value = NULL; - result = value_fromwire(source, &value); + result = value_fromwire(source, depth + 1, &value); if (result != ISC_R_SUCCESS) { isccc_sexpr_free(&list); return (result); @@ -631,7 +650,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp, return (ISCCC_R_UNKNOWNVERSION); } - return (table_fromwire(source, secret, algorithm, alistp)); + return (table_fromwire(source, secret, algorithm, 0, alistp)); } static isc_result_t diff --git a/util/release-tarball-comparison.sh b/util/release-tarball-comparison.sh index 4fdb354466..ee006aaf2f 100755 --- a/util/release-tarball-comparison.sh +++ b/util/release-tarball-comparison.sh @@ -74,7 +74,7 @@ run_in_container "git -c advice.detachedHead=false clone --branch v${BIND_VERSIO cd bind9 && \ apt-get -y install --no-install-recommends python3-pip && \ rm -f /usr/lib/python3.*/EXTERNALLY-MANAGED && \ - pip3 install \$(awk '!/^#/ { printf \"%s \", \$0 }' doc/arm/requirements.txt) && \ + pip3 install -r doc/arm/requirements.txt && \ if [ $(echo "${BIND_VERSION}" | cut -b 1-5) = 9.16. ]; then \ git archive --prefix=${BIND_DIRECTORY}/ --output=${BIND_DIRECTORY}.tar HEAD && \ mkdir ${BIND_DIRECTORY} && \