# HG changeset patch
# User Ben Chang
# Date 1485199504 28800
# Node ID 12dea84f307b24a185947ae6f55f342c7e0540ea
# Parent ba368fc828e679b66d05487f5c0a8fb909d4f701
25371178 Upgrade Solaris to BIND 9.6-ESV-R11-S10 25360334 problem in SERVICE/DNS-SERVER 25382925 ISC's change 4489 broke the handling of CNAME -> DNAME in responses
diff -r ba368fc828e6 -r 12dea84f307b components/bind/Makefile
--- a/components/bind/Makefile Fri Jan 06 01:50:42 2017 -0800
+++ b/components/bind/Makefile Mon Jan 23 11:25:04 2017 -0800
@@ -18,14 +18,14 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 COMPONENT_NAME= bind
 COMPONENT_VERSION= 9.6-ESV-R11
-HUMAN_VERSION= $(COMPONENT_VERSION)-S9
-IPS_COMPONENT_VERSION= 9.6.3.11.9
+HUMAN_VERSION= $(COMPONENT_VERSION)-S10
+IPS_COMPONENT_VERSION= 9.6.3.11.10
 COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
 COMPONENT_PROJECT_URL= http://www.isc.org/software/bind/
diff -r ba368fc828e6 -r 12dea84f307b components/bind/bindc.p5m
--- a/components/bind/bindc.p5m Fri Jan 06 01:50:42 2017 -0800
+++ b/components/bind/bindc.p5m Mon Jan 23 11:25:04 2017 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
 #
 set name=pkg.fmri \
@@ -40,9 +40,9 @@
 link path=usr/lib/dns/libbind9.so target=libbind9.so.50.0.11
 link path=usr/lib/dns/libbind9.so.50 target=libbind9.so.50.0.11
 file path=usr/lib/dns/libbind9.so.50.0.11
-link path=usr/lib/dns/libdns.so target=libdns.so.113.1.4
-link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.4
-file path=usr/lib/dns/libdns.so.113.1.4
+link path=usr/lib/dns/libdns.so target=libdns.so.113.1.5
+link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.5
+file path=usr/lib/dns/libdns.so.113.1.5
 link path=usr/lib/dns/libisc.so target=libisc.so.110.0.2
 link path=usr/lib/dns/libisc.so.110 target=libisc.so.110.0.2
 file path=usr/lib/dns/libisc.so.110.0.2
diff -r ba368fc828e6 -r 12dea84f307b components/bind/patches/011-RT43522.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/011-RT43522.patch Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,66 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43522. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Wed Jan 11 23:20:20 2017
++++ new/./CHANGES Wed Jan 11 23:20:20 2017
+@@ -1,3 +1,9 @@
++ --- 9.6-ESV-R11-S10 released ---
++
++4508. [security] Named incorrectly tried to cache TKEY records which
++ could trigger a assertion failure when there was
++ a class mismatch. (CVE-2016-9131) [RT #43522]
++
+ --- 9.6-ESV-R11-S9 released ---
+
+ 4489. [security] It was possible to trigger assertions when processing
+--- old/lib/dns/resolver.c Wed Jan 11 23:20:20 2017
++++ new/lib/dns/resolver.c Wed Jan 11 23:20:20 2017
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+@@ -5848,6 +5848,25 @@
+ ISC_LOG_NOTICE, "NSEC3 in answer");
+ return (DNS_R_FORMERR);
+ }
++ if (rdataset->type == dns_rdatatype_tkey) {
++ /*
++ * TKEY is not a valid record in a
++ * response to any query we can make.
++ */
++ isc_log_write(dns_lctx,
++ DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER,
++ ISC_LOG_NOTICE, "TKEY in answer");
++ return (DNS_R_FORMERR);
++ }
++ if (rdataset->rdclass != fctx->res->rdclass) {
++ isc_log_write(dns_lctx,
++ DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER,
++ ISC_LOG_NOTICE, "Mismatched class "
++ "in answer");
++ return (DNS_R_FORMERR);
++ }
+ if (rdataset->type == type && !found_cname) {
+ /*
+ * We've found an ordinary answer.
+@@ -6017,6 +6036,15 @@
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
++ if (rdataset->rdclass != fctx->res->rdclass) {
++ isc_log_write(dns_lctx,
++ DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER,
++ ISC_LOG_NOTICE, "Mismatched class "
++ "in answer");
++ return (DNS_R_FORMERR);
++ }
++
+ /*
+ * Only pass DNAME or RRSIG(DNAME).
+ */
diff -r ba368fc828e6 -r 12dea84f307b components/bind/patches/012-RT43548.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/012-RT43548.patch Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,45 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43548. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Wed Jan 11 23:22:41 2017
++++ new/./CHANGES Wed Jan 11 23:22:41 2017
+@@ -1,5 +1,10 @@
+ --- 9.6-ESV-R11-S10 released ---
+
++4510. [security] Named mishandled some responses where covering RRSIG
++ records are returned without the requested data
++ resulting in a assertion failure. (CVE-2016-9147)
++ [RT #43548]
++
+ 4508. [security] Named incorrectly tried to cache TKEY records which
+ could trigger a assertion failure when there was
+ a class mismatch. (CVE-2016-9131) [RT #43522]
+--- old/lib/dns/resolver.c Wed Jan 11 23:22:41 2017
++++ new/lib/dns/resolver.c Wed Jan 11 23:22:41 2017
+@@ -5958,15 +5958,19 @@
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+- if ((rdataset->type !=
+- dns_rdatatype_cname) ||
+- !found_dname ||
+- (aflag ==
+- DNS_RDATASETATTR_ANSWER))
++ /*
++ * Don't use found_cname here
++ * as we have just set it
++ * above.
++ */
++ if (cname == NULL &&
++ !found_dname &&
++ aflag ==
++ DNS_RDATASETATTR_ANSWER)
+ {
+ have_answer = ISC_TRUE;
+- if (rdataset->type ==
+- dns_rdatatype_cname)
++ if (found_cname &&
++ cname == NULL)
+ cname = name;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
diff -r ba368fc828e6 -r 12dea84f307b components/bind/patches/013-RT43632.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
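Review bot: The class-mismatch guard `if (rdataset->rdclass != fctx->res->rdclass)` in 011-RT43522.patch carries no comment at either site (after the TKEY check in the @@ -5848 hunk and at the top of the loop in the @@ -6017 hunk), although the CHANGES entry suggests it is the check that keeps a wrong-class record away from the cache. A short comment such as `/* Never let a record of another class reach this resolver's cache; treat the response as malformed. */` would make that intent visible, worded to match whatever the surrounding code actually guarantees. Both sites also log the same fixed text, `"Mismatched class in answer"`, with no owner name or class, so a notice in the log cannot be tied to a query or upstream; including those values would help triage. The enclosing function starts and ends outside these hunks.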
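Review bot: The inner test `if (found_cname && cname == NULL)` in 012-RT43548.patch repeats a condition the enclosing `if (cname == NULL && !found_dname && aflag == DNS_RDATASETATTR_ANSWER)` has already established, and only `have_answer = ISC_TRUE;` sits between them. Writing it as `if (found_cname)` avoids suggesting that cname can change in between. The new comment also says only what not to use; a line stating what the condition now selects (apparently the first answer-flagged rdataset when no CNAME or DNAME has been recorded yet) would help the next reader, once confirmed against the full function, which lies outside the hunk.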
+++ b/components/bind/patches/013-RT43632.patch Mon Jan 23 11:25:04 2017 -0800 
@@ -0,0 +1,175 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43632. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Wed Jan 11 14:12:28 2017
++++ new/./CHANGES Wed Jan 11 14:12:28 2017
+@@ -1,5 +1,9 @@
+ --- 9.6-ESV-R11-S10 released ---
+
++4517. [security] Named could mishandle authority sections that were
++ missing RRSIGs triggering an assertion failure.
++ (CVE-2016-9444) [RT #43632]
++
+ 4510. [security] Named mishandled some responses where covering RRSIG
+ records are returned without the requested data
+ resulting in a assertion failure. (CVE-2016-9147)
+--- old/lib/dns/api Wed Jan 11 14:12:28 2017
++++ new/lib/dns/api Wed Jan 11 14:12:28 2017
+@@ -5,5 +5,5 @@
+ # 9.9: 90-109
+ # 9.9-sub: 130-139
+ LIBINTERFACE = 114
+-LIBREVISION = 4
++LIBREVISION = 5
+ LIBAGE = 1
+--- old/lib/dns/message.c Wed Jan 11 14:12:28 2017
++++ new/lib/dns/message.c Wed Jan 11 14:12:28 2017
+@@ -1169,6 +1169,63 @@
+ return (ISC_FALSE);
+ }
+
++/*
++ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
++ * covering RRSIGs.
++ */
++static isc_boolean_t
++auth_signed(dns_namelist_t *section) {
++ dns_name_t *name;
++
++ for (name = ISC_LIST_HEAD(*section);
++ name != NULL;
++ name = ISC_LIST_NEXT(name, link))
++ {
++ int auth_dnssec = 0, auth_rrsig = 0;
++ dns_rdataset_t *rds;
++
++ for (rds = ISC_LIST_HEAD(name->list);
++ rds != NULL;
++ rds = ISC_LIST_NEXT(rds, link))
++ {
++ switch (rds->type) {
++ case dns_rdatatype_ds:
++ auth_dnssec |= 0x1;
++ break;
++ case dns_rdatatype_nsec:
++ auth_dnssec |= 0x2;
++ break;
++ case dns_rdatatype_nsec3:
++ auth_dnssec |= 0x4;
++ break;
++ case dns_rdatatype_rrsig:
++ break;
++ default:
++ continue;
++ }
++
++ switch (rds->covers) {
++ case dns_rdatatype_ds:
++ auth_rrsig |= 0x1;
++ break;
++ case dns_rdatatype_nsec:
++ auth_rrsig |= 0x2;
++ break;
++ case dns_rdatatype_nsec3:
++ auth_rrsig |= 0x4;
++ break;
++ default:
++ break;
++ }
++ }
++
++ if (auth_dnssec != auth_rrsig)
++ return (ISC_FALSE);
++ }
++
++ return (ISC_TRUE);
++}
++
+ static isc_result_t
+ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ dns_section_t sectionid, unsigned int options)
+@@ -1194,12 +1251,12 @@
+ best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
+ seen_problem = ISC_FALSE;
+
++ section = &msg->sections[sectionid];
++
+ for (count = 0; count < msg->counts[sectionid]; count++) {
+ int recstart = source->current;
+ isc_boolean_t skip_name_search, skip_type_search;
+
+- section = &msg->sections[sectionid];
+-
+ skip_name_search = ISC_FALSE;
+ skip_type_search = ISC_FALSE;
+ free_rdataset = ISC_FALSE;
+@@ -1372,7 +1429,7 @@
+ goto cleanup;
+ rdata->rdclass = rdclass;
+ issigzero = ISC_FALSE;
+- if (rdtype == dns_rdatatype_rrsig &&
++ if (rdtype == dns_rdatatype_rrsig &&
+ rdata->flags == 0) {
+ covers = dns_rdata_covers(rdata);
+ if (covers == 0)
+@@ -1577,6 +1634,19 @@
+ INSIST(free_rdataset == ISC_FALSE);
+ }
+
++ /*
++ * If any of DS, NSEC or NSEC3 appeared in the
++ * authority section of a query response without
++ * a covering RRSIG, FORMERR
++ */
++ if (sectionid == DNS_SECTION_AUTHORITY &&
++ msg->opcode == dns_opcode_query &&
++ ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
++ ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
++ !preserve_order &&
++ !auth_signed(section))
++ DO_FORMERR;
++
+ if (seen_problem)
+ return (DNS_R_RECOVERABLE);
+ return (ISC_R_SUCCESS);
+--- old/lib/dns/resolver.c Wed Jan 11 14:12:30 2017
++++ new/lib/dns/resolver.c Wed Jan 11 14:12:29 2017
+@@ -4766,13 +4766,9 @@
+ rdataset->type,
+ &noqname);
+ if (tresult == ISC_R_SUCCESS &&
+- noqname != NULL) {
+- tresult =
+- dns_rdataset_addnoqname(
++ noqname != NULL)
++ (void) dns_rdataset_addnoqname(
+ rdataset, noqname);
+- RUNTIME_CHECK(tresult ==
+- ISC_R_SUCCESS);
+- }
+ }
+ addedrdataset = ardataset;
+ result = dns_db_addrdataset(fctx->cache, node,
+@@ -4902,11 +4898,9 @@
+ tresult = findnoqname(fctx, name,
+ rdataset->type, &noqname);
+ if (tresult == ISC_R_SUCCESS &&
+- noqname != NULL) {
+- tresult = dns_rdataset_addnoqname(
+- rdataset, noqname);
+- RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
+- }
++ noqname != NULL)
++ (void) dns_rdataset_addnoqname(
++ rdataset, noqname);
+ }
+
+ /*
+--- old/./version Wed Jan 11 14:12:30 2017
++++ new/./version Wed Jan 11 14:12:29 2017
+@@ -10,4 +10,4 @@
+ PATCHVER=
+ RELEASETYPE=-ESV
+ RELEASEVER=-R11
+-EXTENSIONS=-S9
++EXTENSIONS=-S10
diff -r ba368fc828e6 -r 12dea84f307b components/bind/patches/014-RT43779.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/014-RT43779.patch Mon Jan 23 11:25:04 2017 -0800
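Review bot: The return value of `dns_rdataset_addnoqname()` is now discarded with a bare `(void)` cast in both resolver.c hunks of 013-RT43632.patch (@@ -4766 and @@ -4902), with no comment or log, so a failure that used to abort through `RUNTIME_CHECK` becomes invisible. If the intent is that a failure merely leaves the rdataset without its NOQNAME proof, say so at both sites, e.g. `/* Best effort: on failure the rdataset is cached without the NOQNAME proof. */`, after confirming that against dns_rdataset_addnoqname(). Separately, the header comment on `auth_signed()` describes a one-way check, but `auth_dnssec != auth_rrsig` also rejects a name that has an RRSIG covering DS, NSEC or NSEC3 without the covered rdataset; the comment should state both directions. The enclosing resolver functions start and end outside the hunks.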
@@ -0,0 +1,151 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43779. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Thu Jan 12 00:28:22 2017
++++ new/./CHANGES Thu Jan 12 00:28:22 2017
+@@ -1,5 +1,9 @@
+ --- 9.6-ESV-R11-S10 released ---
+
++4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
++ in responses resulting in SERVFAIL being returned.
++ [RT #43779]
++
+ 4517. [security] Named could mishandle authority sections that were
+ missing RRSIGs triggering an assertion failure.
+ (CVE-2016-9444) [RT #43632]
+--- old/bin/tests/system/dname/ns2/example.db Thu Jan 12 00:28:22 2017
++++ new/bin/tests/system/dname/ns2/example.db Thu Jan 12 00:28:22 2017
+@@ -29,4 +29,6 @@
+ short-dname DNAME short
+ a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2
+ long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong
+-;
++cname CNAME a.cnamedname
++cnamedname DNAME target
++a.target A 10.0.0.3
+--- old/bin/tests/system/dname/tests.sh Thu Jan 12 00:28:22 2017
++++ new/bin/tests/system/dname/tests.sh Thu Jan 12 00:28:22 2017
+@@ -63,6 +63,24 @@
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
++echo "I:checking cname to dname from authoritative"
++ret=0
++$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname
++grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++echo "I:checking cname to dname from recursive"
++ret=0
++$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname
++grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
++grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
+ echo "I:exit status: $status"
+
+ exit $status
+--- old/lib/dns/resolver.c Thu Jan 12 00:28:23 2017
++++ new/lib/dns/resolver.c Thu Jan 12 00:28:23 2017
+@@ -5776,7 +5776,7 @@
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
+ dns_name_t *cname = NULL;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+@@ -5784,7 +5784,7 @@
+ isc_boolean_t wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname, fqdname;
++ dns_fixedname_t fdname, fqname;
+
+ FCTXTRACE("answer_response");
+
+@@ -5807,12 +5807,11 @@
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+- dqname = qname = &fctx->name;
++ qname = &fctx->name;
+ type = fctx->type;
+- dns_fixedname_init(&fqdname);
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln, dnamereln;
++ dns_namereln_t namereln;
+
+ int order;
+ unsigned int nlabels;
+@@ -5821,8 +5820,6 @@
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+- dnamereln = dns_name_fullcompare(dqname, name, &order,
+- &nlabels);
+ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6074,11 +6071,24 @@
+ return (DNS_R_FORMERR);
+ }
+
+- if (dnamereln != dns_namereln_subdomain) {
++ /*
++ * If DNAME + synthetic CNAME then the
++ * namereln is dns_namereln_subdomain.
++ *
++ * If synthetic CNAME + DNAME then the
++ * namereln is dns_namereln_commonancestor
++ * and the number of label must match the
++ * DNAME. This order is not RFC compliant.
++ */
++
++ if (namereln != dns_namereln_subdomain &&
++ (namereln != dns_namereln_commonancestor ||
++ nlabels != dns_name_countlabels(name)))
++ {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+- dns_name_format(dqname, qbuf,
++ dns_name_format(qname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+@@ -6097,7 +6107,7 @@
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, dqname,
++ result = dname_target(rdataset, qname,
+ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+@@ -6113,8 +6123,6 @@
+ dnameset = rdataset;
+
+ dname = dns_fixedname_name(&fdname);
+- dqname = dns_fixedname_name(&fqdname);
+- dns_name_copy(dname, dqname, NULL);
+ } else {
+ /*
+ * We've found a signature that
+@@ -6261,7 +6269,8 @@
+ rdataset->trust =
+ dns_trust_additional;
+
+- if (rdataset->type == dns_rdatatype_ns) {
++ if (rdataset->type == dns_rdatatype_ns)
++ {
+ ns_name = name;
+ ns_rdataset = rdataset;
+ }
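Review bot: The authoritative check added to tests.sh in 014-RT43779.patch asserts only `status: NOERROR`, so it would still pass if ns2 answered with an empty or incomplete chain, whereas the recursive check below it greps for every owner name. Adding `grep '^a.target.example.' dig.out.ns2.cname > /dev/null || ret=1` to the authoritative block would pin the expected answer. The relaxed resolver condition that accepts `dns_namereln_commonancestor` when `nlabels` equals `dns_name_countlabels(name)` (the ordering its own comment calls not RFC compliant) does not appear to be exercised by either new test, judging from the added zone data. Since it widens what `answer_response()` accepts from a remote server, a test for that ordering, or a comment noting that it is untested, would be worth having.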