From 820b0cceef0b67b041973da4041ea53d5e276363 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 20 Jun 2023 15:21:36 +1000 Subject: [PATCH 1/9] Limit isccc_cc_fromwire recursion depth Named and rndc do not need a lot of recursion so the depth is set to 10. --- lib/isc/include/isc/result.h | 1 + lib/isc/result.c | 2 ++ lib/isccc/cc.c | 39 +++++++++++++++++++++++++++--------- 3 files changed, 32 insertions(+), 10 deletions(-) diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h index 734ace7728..4d2aedcc77 100644 --- a/lib/isc/include/isc/result.h +++ b/lib/isc/include/isc/result.h @@ -273,6 +273,7 @@ typedef enum isc_result { ISCCC_R_EXPIRED, ISCCC_R_CLOCKSKEW, ISCCC_R_DUPLICATE, + ISCCC_R_MAXDEPTH, ISC_R_NRESULTS, /*% The number of results. */ ISC_R_MAKE_ENUM_32BIT = INT32_MAX, diff --git a/lib/isc/result.c b/lib/isc/result.c index 99e0be7d38..765105ab55 100644 --- a/lib/isc/result.c +++ b/lib/isc/result.c @@ -270,6 +270,7 @@ static const char *description[ISC_R_NRESULTS] = { [ISCCC_R_EXPIRED] = "expired", [ISCCC_R_CLOCKSKEW] = "clock skew", [ISCCC_R_DUPLICATE] = "duplicate", + [ISCCC_R_MAXDEPTH] = "max depth", }; static const char *identifier[ISC_R_NRESULTS] = { @@ -521,6 +522,7 @@ static const char *identifier[ISC_R_NRESULTS] = { [ISCCC_R_EXPIRED] = "ISCCC_R_EXPIRED", [ISCCC_R_CLOCKSKEW] = "ISCCC_R_CLOCKSKEW", [ISCCC_R_DUPLICATE] = "ISCCC_R_DUPLICATE", + [ISCCC_R_MAXDEPTH] = "ISCCC_R_MAXDEPTH", }; STATIC_ASSERT((DNS_R_SERVFAIL - DNS_R_NOERROR == 2), diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c index 58fb86e6e2..dd8397054a 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c @@ -51,6 +51,10 @@ #define MAX_TAGS 256 #define DUP_LIFETIME 900 +#ifndef ISCCC_MAXDEPTH +#define ISCCC_MAXDEPTH \ + 10 /* Big enough for rndc which just sends a string each way. */ +#endif typedef isccc_sexpr_t *sexpr_ptr; @@ -483,19 +487,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, static isc_result_t table_fromwire(isccc_region_t *source, isccc_region_t *secret, - uint32_t algorithm, isccc_sexpr_t **alistp); + uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp); static isc_result_t -list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp); +list_fromwire(isccc_region_t *source, unsigned int depth, + isccc_sexpr_t **listp); static isc_result_t -value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { +value_fromwire(isccc_region_t *source, unsigned int depth, + isccc_sexpr_t **valuep) { unsigned int msgtype; uint32_t len; isccc_sexpr_t *value; isccc_region_t active; isc_result_t result; + if (depth > ISCCC_MAXDEPTH) { + return (ISCCC_R_MAXDEPTH); + } + if (REGION_SIZE(*source) < 1 + 4) { return (ISC_R_UNEXPECTEDEND); } @@ -516,9 +526,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { result = ISC_R_NOMEMORY; } } else if (msgtype == ISCCC_CCMSGTYPE_TABLE) { - result = table_fromwire(&active, NULL, 0, valuep); + result = table_fromwire(&active, NULL, 0, depth + 1, valuep); } else if (msgtype == ISCCC_CCMSGTYPE_LIST) { - result = list_fromwire(&active, valuep); + result = list_fromwire(&active, depth + 1, valuep); } else { result = ISCCC_R_SYNTAX; } @@ -528,7 +538,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { static isc_result_t table_fromwire(isccc_region_t *source, isccc_region_t *secret, - uint32_t algorithm, isccc_sexpr_t **alistp) { + uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) { char key[256]; uint32_t len; isc_result_t result; @@ -538,6 +548,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, REQUIRE(alistp != NULL && *alistp == NULL); + if (depth > ISCCC_MAXDEPTH) { + return (ISCCC_R_MAXDEPTH); + } + checksum_rstart = NULL; first_tag = true; alist = isccc_alist_create(); @@ -554,7 +568,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, GET_MEM(key, len, source->rstart); key[len] = '\0'; /* Ensure NUL termination. */ value = NULL; - result = value_fromwire(source, &value); + result = value_fromwire(source, depth + 1, &value); if (result != ISC_R_SUCCESS) { goto bad; } @@ -592,14 +606,19 @@ bad: } static isc_result_t -list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) { +list_fromwire(isccc_region_t *source, unsigned int depth, + isccc_sexpr_t **listp) { isccc_sexpr_t *list, *value; isc_result_t result; + if (depth > ISCCC_MAXDEPTH) { + return (ISCCC_R_MAXDEPTH); + } + list = NULL; while (!REGION_EMPTY(*source)) { value = NULL; - result = value_fromwire(source, &value); + result = value_fromwire(source, depth + 1, &value); if (result != ISC_R_SUCCESS) { isccc_sexpr_free(&list); return (result); @@ -631,7 +650,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp, return (ISCCC_R_UNKNOWNVERSION); } - return (table_fromwire(source, secret, algorithm, alistp)); + return (table_fromwire(source, secret, algorithm, 0, alistp)); } static isc_result_t From 6af8d39ea2440206c4b960d33e9f84b0eb9e4c85 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 20 Jun 2023 15:27:40 +1000 Subject: [PATCH 2/9] Add CHANGES note for [GL #4152] --- CHANGES | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index be320c0f61..4d87aa9e17 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,7 @@ 6246. [placeholder] -6245. [placeholder] +6245. [security] Limit the amount of recursion that can be performed + by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152] 6244. [bug] Adjust log levels on malformed messages to NOTICE when transferring in a zone. [GL #4290] From ecd77e610bbbd9905bda1ebfe76eaf37d6c6f866 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 20 Jun 2023 15:38:40 +1000 Subject: [PATCH 3/9] Add release note for [GL #4152] --- doc/notes/notes-current.rst | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 6b35550361..9cd2daac3e 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -15,7 +15,13 @@ Notes for BIND 9.19.17 Security Fixes ~~~~~~~~~~~~~~ -- None. +- Previously, sending a specially crafted message over the control + channel could cause the packet-parsing code to run out of available + stack memory, causing :iscman:`named` to terminate unexpectedly. + This has been fixed. (CVE-2023-3341) + + ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for + bringing this vulnerability to our attention. :gl:`#4152` New Features ~~~~~~~~~~~~ From 93dc606fa88e9ccedffa54995bbe77ae01415933 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Mon, 4 Sep 2023 20:04:43 +0200 Subject: [PATCH 4/9] Simplify Sphinx tools installation Pointing pip3 to the "requirements file" eliminates the necessity for removing comments. --- util/release-tarball-comparison.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/release-tarball-comparison.sh b/util/release-tarball-comparison.sh index 4fdb354466..ee006aaf2f 100755 --- a/util/release-tarball-comparison.sh +++ b/util/release-tarball-comparison.sh @@ -74,7 +74,7 @@ run_in_container "git -c advice.detachedHead=false clone --branch v${BIND_VERSIO cd bind9 && \ apt-get -y install --no-install-recommends python3-pip && \ rm -f /usr/lib/python3.*/EXTERNALLY-MANAGED && \ - pip3 install \$(awk '!/^#/ { printf \"%s \", \$0 }' doc/arm/requirements.txt) && \ + pip3 install -r doc/arm/requirements.txt && \ if [ $(echo "${BIND_VERSION}" | cut -b 1-5) = 9.16. ]; then \ git archive --prefix=${BIND_DIRECTORY}/ --output=${BIND_DIRECTORY}.tar HEAD && \ mkdir ${BIND_DIRECTORY} && \ From da05434b2d500a8505240145724a9c2f77425f96 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Wed, 6 Sep 2023 16:23:59 +0200 Subject: [PATCH 5/9] Prepare release notes for BIND 9.19.17 --- doc/arm/notes.rst | 2 +- doc/notes/{notes-current.rst => notes-9.19.17.rst} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename doc/notes/{notes-current.rst => notes-9.19.17.rst} (100%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 2d8a31ee94..90180d97a1 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -38,7 +38,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.19.17.rst .. include:: ../notes/notes-9.19.16.rst .. include:: ../notes/notes-9.19.15.rst .. include:: ../notes/notes-9.19.14.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.19.17.rst similarity index 100% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.19.17.rst From 01020d705d2c36ebe9c7361905b1bccc5ad1bbec Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Wed, 6 Sep 2023 20:16:01 +0200 Subject: [PATCH 6/9] Tweak and reword release notes --- doc/notes/notes-9.19.17.rst | 76 ++++++++++++++++++++----------------- 1 file changed, 42 insertions(+), 34 deletions(-) diff --git a/doc/notes/notes-9.19.17.rst b/doc/notes/notes-9.19.17.rst index 9cd2daac3e..5606fb2692 100644 --- a/doc/notes/notes-9.19.17.rst +++ b/doc/notes/notes-9.19.17.rst @@ -26,62 +26,70 @@ Security Fixes New Features ~~~~~~~~~~~~ -- Add support for User Statically Defined Tracing (USDT) probes - static tracing - points for user-level software. This allows a fine-grained application - tracing with zero-overhead when the probes are not enabled. :gl:`#4041` +- Support for User Statically Defined Tracing (USDT) probes has been + added. These probes enable fine-grained application tracing and + introduce no overhead when they are not enabled. :gl:`#4041` Removed Features ~~~~~~~~~~~~~~~~ -- The :any:`dnssec-must-be-secure` option has been deprecated and will be - removed in a future release. :gl:`#4263` +- The :any:`dnssec-must-be-secure` option has been deprecated and will + be removed in a future release. :gl:`#4263` Feature Changes ~~~~~~~~~~~~~~~ -- Make :iscman:`nsupdate` honor the ``-v`` option for SOA queries, that is send - the request over TCP, only if the server is specified. :gl:`#1181` +- If the ``server`` command is specified, :iscman:`nsupdate` now honors + the :option:`nsupdate -v` option for SOA queries by sending both the + UPDATE request and the initial query over TCP. :gl:`#1181` -- Extend client side support for the EDNS EXPIRE option to IXFR and - AXFR query types. ``named`` will now be making EDNS queries AXFR - and IXFR queries with EDNS options present. :gl:`#4170` +- The client-side support of the EDNS EXPIRE option has been expanded to + include IXFR and AXFR query types. This enhancement enables + :iscman:`named` to perform AXFR and IXFR queries while incorporating + the EDNS EXPIRE option. :gl:`#4170` -- Compiling with jemalloc versions older than 4.0.0 is no longer supported; - those versions do not provide the features required by current BIND 9 - releases. :gl:`#4296` +- Compiling with jemalloc versions older than 4.0.0 is no longer + supported; those versions do not provide the features required by + current BIND 9 releases. :gl:`#4296` Bug Fixes ~~~~~~~~~ -- The value of If-Modified-Since header in statistics channel was not checked - for length leading to possible buffer overflow by an authorized user. We - would like to emphasize that statistics channel must be properly setup to - allow access only from authorized users of the system. :gl:`#4124` +- The value of the If-Modified-Since header in the statistics channel + was not being correctly validated for its length, potentially allowing + an authorized user to trigger a buffer overflow. Ensuring the + statistics channel is configured correctly to grant access exclusively + to authorized users is essential (see the :any:`statistics-channels` + block definition and usage section). :gl:`#4124` - This issue was reported independently by Eric Sesterhenn of X41 D-SEC and - Cameron Whitehead. + This issue was reported independently by Eric Sesterhenn of X41 D-Sec + GmbH and Cameron Whitehead. -- The value of Content-Length header in statistics channel was not - bound checked and negative or large enough value could lead to - overflow and assertion failure. :gl:`#4125` +- The Content-Length header in the statistics channel was lacking proper + bounds checking. A negative or excessively large value could + potentially trigger an integer overflow and result in an assertion + failure. :gl:`#4125` - This issue was reported by Eric Sesterhenn of X41 D-SEC. + This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. -- Address memory leaks due to not clearing OpenSSL error stack. :gl:`#4159` +- Several memory leaks caused by not clearing the OpenSSL error stack + were fixed. :gl:`#4159` - This issue was reported by Eric Sesterhenn of X41 D-SEC. + This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. -- Following the introduction of krb5-subdomain-self-rhs and - ms-subdomain-self-rhs update rules, removal of nonexistent PTR - and SRV records via UPDATE could fail. This has been fixed. :gl:`#4280` +- The introduction of ``krb5-subdomain-self-rhs`` and + ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused + :iscman:`named` to return SERVFAIL responses to deletion requests for + non-existent PTR and SRV records. This has been fixed. :gl:`#4280` -- The value of :any:`stale-refresh-time` was set to zero after ``rndc flush``. - This has been fixed. :gl:`#4278` +- The :any:`stale-refresh-time` feature was mistakenly disabled when the + server cache was flushed by :option:`rndc flush`. This has been fixed. + :gl:`#4278` -- BIND could consume more memory than it needs. That has been fixed by - using specialised jemalloc memory arenas dedicated to sending buffers. It - allowed us to optimize the process of returning memory pages back to - the operating system. :gl:`#4038` +- BIND's memory consumption has been improved by implementing dedicated + jemalloc memory arenas for sending buffers. This optimization ensures + that memory usage is more efficient and better manages the return of + memory pages to the operating system. :gl:`#4038` Known Issues ~~~~~~~~~~~~ From cec1e232d97fb4b1c832ff43905a9356dd963f40 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Fri, 8 Sep 2023 10:00:58 +0200 Subject: [PATCH 7/9] Reorder release notes --- doc/notes/notes-9.19.17.rst | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/doc/notes/notes-9.19.17.rst b/doc/notes/notes-9.19.17.rst index 5606fb2692..7081fa3e71 100644 --- a/doc/notes/notes-9.19.17.rst +++ b/doc/notes/notes-9.19.17.rst @@ -30,6 +30,11 @@ New Features added. These probes enable fine-grained application tracing and introduce no overhead when they are not enabled. :gl:`#4041` +- The client-side support of the EDNS EXPIRE option has been expanded to + include IXFR and AXFR query types. This enhancement enables + :iscman:`named` to perform AXFR and IXFR queries while incorporating + the EDNS EXPIRE option. :gl:`#4170` + Removed Features ~~~~~~~~~~~~~~~~ @@ -39,19 +44,14 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- If the ``server`` command is specified, :iscman:`nsupdate` now honors - the :option:`nsupdate -v` option for SOA queries by sending both the - UPDATE request and the initial query over TCP. :gl:`#1181` - -- The client-side support of the EDNS EXPIRE option has been expanded to - include IXFR and AXFR query types. This enhancement enables - :iscman:`named` to perform AXFR and IXFR queries while incorporating - the EDNS EXPIRE option. :gl:`#4170` - - Compiling with jemalloc versions older than 4.0.0 is no longer supported; those versions do not provide the features required by current BIND 9 releases. :gl:`#4296` +- If the ``server`` command is specified, :iscman:`nsupdate` now honors + the :option:`nsupdate -v` option for SOA queries by sending both the + UPDATE request and the initial query over TCP. :gl:`#1181` + Bug Fixes ~~~~~~~~~ From 9f780d84e12eb8a318a8bb7b7b7fb4f9e56b60aa Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Fri, 8 Sep 2023 10:39:40 +0200 Subject: [PATCH 8/9] Add a CHANGES marker --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 4d87aa9e17..4cb9f4cdbd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.19.17 released --- + 6246. [placeholder] 6245. [security] Limit the amount of recursion that can be performed From 464cf8ce5e881e487e34666ea39170aaee29c246 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Fri, 8 Sep 2023 10:40:19 +0200 Subject: [PATCH 9/9] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 496ec8fff8..0117d941f2 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 19)dnl m4_define([bind_VERSION_PATCH], 17)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl