25371178 Upgrade Solaris to BIND 9.6-ESV-R11-S10 s11u3-sru
authorBen Chang <Benjamin.Chang@Oracle.COM>
Mon, 23 Jan 2017 11:25:04 -0800
branchs11u3-sru
changeset 7592 12dea84f307b
parent 7591 ba368fc828e6
child 7594 022a611ded2d
25371178 Upgrade Solaris to BIND 9.6-ESV-R11-S10 25360334 problem in SERVICE/DNS-SERVER 25382925 ISC's change 4489 broke the handling of CNAME -> DNAME in responses
components/bind/Makefile
components/bind/bindc.p5m
components/bind/patches/011-RT43522.patch
components/bind/patches/012-RT43548.patch
components/bind/patches/013-RT43632.patch
components/bind/patches/014-RT43779.patch
--- a/components/bind/Makefile	Fri Jan 06 01:50:42 2017 -0800
+++ b/components/bind/Makefile	Mon Jan 23 11:25:04 2017 -0800
@@ -18,14 +18,14 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		bind
 COMPONENT_VERSION=	9.6-ESV-R11
-HUMAN_VERSION=		$(COMPONENT_VERSION)-S9
-IPS_COMPONENT_VERSION=	9.6.3.11.9
+HUMAN_VERSION=		$(COMPONENT_VERSION)-S10
+IPS_COMPONENT_VERSION=	9.6.3.11.10
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
 COMPONENT_PROJECT_URL=	http://www.isc.org/software/bind/
--- a/components/bind/bindc.p5m	Fri Jan 06 01:50:42 2017 -0800
+++ b/components/bind/bindc.p5m	Mon Jan 23 11:25:04 2017 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
 #
 
 set name=pkg.fmri \
@@ -40,9 +40,9 @@
 link path=usr/lib/dns/libbind9.so target=libbind9.so.50.0.11
 link path=usr/lib/dns/libbind9.so.50 target=libbind9.so.50.0.11
 file path=usr/lib/dns/libbind9.so.50.0.11
-link path=usr/lib/dns/libdns.so target=libdns.so.113.1.4
-link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.4
-file path=usr/lib/dns/libdns.so.113.1.4
+link path=usr/lib/dns/libdns.so target=libdns.so.113.1.5
+link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.5
+file path=usr/lib/dns/libdns.so.113.1.5
 link path=usr/lib/dns/libisc.so target=libisc.so.110.0.2
 link path=usr/lib/dns/libisc.so.110 target=libisc.so.110.0.2
 file path=usr/lib/dns/libisc.so.110.0.2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/011-RT43522.patch	Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,66 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43522. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES	Wed Jan 11 23:20:20 2017
++++ new/./CHANGES	Wed Jan 11 23:20:20 2017
[email protected]@ -1,3 +1,9 @@
++	--- 9.6-ESV-R11-S10 released ---
++
++4508.	[security]	Named incorrectly tried to cache TKEY records which
++			could trigger a assertion failure when there was
++			a class mismatch. (CVE-2016-9131) [RT #43522]
++
+ 	--- 9.6-ESV-R11-S9 released ---
+ 
+ 4489.   [security]      It was possible to trigger assertions when processing
+--- old/lib/dns/resolver.c	Wed Jan 11 23:20:20 2017
++++ new/lib/dns/resolver.c	Wed Jan 11 23:20:20 2017
[email protected]@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
+  * Copyright (C) 1999-2003  Internet Software Consortium.
+  *
+  * Permission to use, copy, modify, and/or distribute this software for any
[email protected]@ -5848,6 +5848,25 @@
+ 					    ISC_LOG_NOTICE, "NSEC3 in answer");
+ 					return (DNS_R_FORMERR);
+ 				}
++				if (rdataset->type == dns_rdatatype_tkey) {
++					/*
++					 * TKEY is not a valid record in a
++					 * response to any query we can make.
++					 */
++					isc_log_write(dns_lctx,
++					    DNS_LOGCATEGORY_RESOLVER,
++					    DNS_LOGMODULE_RESOLVER,
++					    ISC_LOG_NOTICE, "TKEY in answer");
++					return (DNS_R_FORMERR);
++				}
++				if (rdataset->rdclass != fctx->res->rdclass) {
++					isc_log_write(dns_lctx,
++					    DNS_LOGCATEGORY_RESOLVER,
++					    DNS_LOGMODULE_RESOLVER,
++					    ISC_LOG_NOTICE, "Mismatched class "
++						    "in answer");
++					return (DNS_R_FORMERR);
++				}
+ 				if (rdataset->type == type && !found_cname) {
+ 					/*
+ 					 * We've found an ordinary answer.
[email protected]@ -6017,6 +6036,15 @@
+ 			     rdataset != NULL;
+ 			     rdataset = ISC_LIST_NEXT(rdataset, link))
+ 			{
++				if (rdataset->rdclass != fctx->res->rdclass) {
++					isc_log_write(dns_lctx,
++					    DNS_LOGCATEGORY_RESOLVER,
++					    DNS_LOGMODULE_RESOLVER,
++					    ISC_LOG_NOTICE, "Mismatched class "
++						    "in answer");
++					return (DNS_R_FORMERR);
++				}
++
+ 				/*
+ 				 * Only pass DNAME or RRSIG(DNAME).
+ 				 */
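Review bot: The two class checks added to lib/dns/resolver.c (the hunks at 5848 and 6017) emit the same bare notice, "Mismatched class in answer", with no owner name or class, so an operator who sees it cannot tell which path rejected the response or which record caused it. The TKEY check explains itself in a comment, but the class checks have none; I would add `/* Reject records whose class differs from the resolver's (CVE-2016-9131). */` above each. If diverging from ISC's patch is acceptable, formatting the owner name with `dns_name_format()` into the message would make the notice usable for triage. The enclosing function starts and ends outside both hunks.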
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/012-RT43548.patch	Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,45 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43548. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES	Wed Jan 11 23:22:41 2017
++++ new/./CHANGES	Wed Jan 11 23:22:41 2017
[email protected]@ -1,5 +1,10 @@
+ 	--- 9.6-ESV-R11-S10 released ---
+ 
++4510.	[security]	Named mishandled some responses where covering RRSIG
++			records are returned without the requested data
++			resulting in a assertion failure. (CVE-2016-9147)
++			[RT #43548]
++
+ 4508.	[security]	Named incorrectly tried to cache TKEY records which
+ 			could trigger a assertion failure when there was
+ 			a class mismatch. (CVE-2016-9131) [RT #43522]
+--- old/lib/dns/resolver.c	Wed Jan 11 23:22:41 2017
++++ new/lib/dns/resolver.c	Wed Jan 11 23:22:41 2017
[email protected]@ -5958,15 +5958,19 @@
+ 						 * a CNAME or DNAME).
+ 						 */
+ 						INSIST(!external);
+-						if ((rdataset->type !=
+-						     dns_rdatatype_cname) ||
+-						    !found_dname ||
+-						    (aflag ==
+-						     DNS_RDATASETATTR_ANSWER))
++						/*
++						 * Don't use found_cname here
++						 * as we have just set it
++						 * above.
++						 */
++						if (cname == NULL &&
++						    !found_dname &&
++						    aflag ==
++						     DNS_RDATASETATTR_ANSWER)
+ 						{
+ 							have_answer = ISC_TRUE;
+-							if (rdataset->type ==
+-							    dns_rdatatype_cname)
++							if (found_cname &&
++							    cname == NULL)
+ 								cname = name;
+ 							name->attributes |=
+ 							    DNS_NAMEATTR_ANSWER;
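Review bot: In the rewritten condition in lib/dns/resolver.c, the inner test `if (found_cname && cname == NULL)` repeats `cname == NULL`, which the enclosing `if (cname == NULL && !found_dname && aflag == DNS_RDATASETATTR_ANSWER)` has already established, so it reduces to `if (found_cname)`. The new comment says not to use found_cname "here", yet the next statement uses it, which reads as a contradiction unless the reader knows only the outer condition is meant. I would reword it to `/* Test cname, not found_cname, in the outer condition: found_cname was set just above. */`. This patch fixes a remotely reachable assertion (CVE-2016-9147) but adds no regression test, unlike 014-RT43779.patch, and one would be worth carrying. The surrounding block begins and ends outside the hunk.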
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/013-RT43632.patch	Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,175 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43632. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES	Wed Jan 11 14:12:28 2017
++++ new/./CHANGES	Wed Jan 11 14:12:28 2017
[email protected]@ -1,5 +1,9 @@
+ 	--- 9.6-ESV-R11-S10 released ---
+ 
++4517.	[security]	Named could mishandle authority sections that were
++			missing RRSIGs triggering an assertion failure.
++			(CVE-2016-9444) [RT #43632]
++
+ 4510.	[security]	Named mishandled some responses where covering RRSIG
+ 			records are returned without the requested data
+ 			resulting in a assertion failure. (CVE-2016-9147)
+--- old/lib/dns/api	Wed Jan 11 14:12:28 2017
++++ new/lib/dns/api	Wed Jan 11 14:12:28 2017
[email protected]@ -5,5 +5,5 @@
+ # 9.9: 90-109
+ # 9.9-sub: 130-139
+ LIBINTERFACE = 114
+-LIBREVISION = 4
++LIBREVISION = 5
+ LIBAGE = 1
+--- old/lib/dns/message.c	Wed Jan 11 14:12:28 2017
++++ new/lib/dns/message.c	Wed Jan 11 14:12:28 2017
[email protected]@ -1169,6 +1169,63 @@
+ 	return (ISC_FALSE);
+ }
+ 
++/*
++ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
++ * covering RRSIGs.
++ */
++static isc_boolean_t
++auth_signed(dns_namelist_t *section) {
++	dns_name_t *name;
++
++	for (name = ISC_LIST_HEAD(*section);
++	     name != NULL;
++	     name = ISC_LIST_NEXT(name, link))
++	{
++		int auth_dnssec = 0, auth_rrsig = 0;
++		dns_rdataset_t *rds;
++
++		for (rds = ISC_LIST_HEAD(name->list);
++		     rds != NULL;
++		     rds = ISC_LIST_NEXT(rds, link))
++		{
++			switch (rds->type) {
++			case dns_rdatatype_ds:
++				auth_dnssec |= 0x1;
++				break;
++			case dns_rdatatype_nsec:
++				auth_dnssec |= 0x2;
++				break;
++			case dns_rdatatype_nsec3:
++				auth_dnssec |= 0x4;
++				break;
++			case dns_rdatatype_rrsig:
++				break;
++			default:
++				continue;
++			}
++
++			switch (rds->covers) {
++			case dns_rdatatype_ds:
++				auth_rrsig |= 0x1;
++				break;
++			case dns_rdatatype_nsec:
++				auth_rrsig |= 0x2;
++				break;
++			case dns_rdatatype_nsec3:
++				auth_rrsig |= 0x4;
++				break;
++			default:
++				break;
++			}
++		}
++
++		if (auth_dnssec != auth_rrsig)
++			return (ISC_FALSE);
++	}
++
++	return (ISC_TRUE);
++}
++
+ static isc_result_t
+ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ 	   dns_section_t sectionid, unsigned int options)
[email protected]@ -1194,12 +1251,12 @@
+ 	best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
+ 	seen_problem = ISC_FALSE;
+ 
++	section = &msg->sections[sectionid];
++
+ 	for (count = 0; count < msg->counts[sectionid]; count++) {
+ 		int recstart = source->current;
+ 		isc_boolean_t skip_name_search, skip_type_search;
+ 
+-		section = &msg->sections[sectionid];
+-
+ 		skip_name_search = ISC_FALSE;
+ 		skip_type_search = ISC_FALSE;
+ 		free_rdataset = ISC_FALSE;
[email protected]@ -1372,7 +1429,7 @@
+ 			goto cleanup;
+ 		rdata->rdclass = rdclass;
+ 		issigzero = ISC_FALSE;
+-		if (rdtype == dns_rdatatype_rrsig  &&
++		if (rdtype == dns_rdatatype_rrsig &&
+ 		    rdata->flags == 0) {
+ 			covers = dns_rdata_covers(rdata);
+ 			if (covers == 0)
[email protected]@ -1577,6 +1634,19 @@
+ 		INSIST(free_rdataset == ISC_FALSE);
+ 	}
+ 
++	/*
++	 * If any of DS, NSEC or NSEC3 appeared in the
++	 * authority section of a query response without
++	 * a covering RRSIG, FORMERR
++	 */
++	if (sectionid == DNS_SECTION_AUTHORITY &&
++	    msg->opcode == dns_opcode_query &&
++	    ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
++	    ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
++	    !preserve_order &&
++	    !auth_signed(section))
++		DO_FORMERR;
++
+ 	if (seen_problem)
+ 		return (DNS_R_RECOVERABLE);
+ 	return (ISC_R_SUCCESS);
+--- old/lib/dns/resolver.c	Wed Jan 11 14:12:30 2017
++++ new/lib/dns/resolver.c	Wed Jan 11 14:12:29 2017
[email protected]@ -4766,13 +4766,9 @@
+ 							      rdataset->type,
+ 							      &noqname);
+ 					if (tresult == ISC_R_SUCCESS &&
+-					    noqname != NULL) {
+-						tresult =
+-						     dns_rdataset_addnoqname(
++					    noqname != NULL)
++						(void) dns_rdataset_addnoqname(
+ 							    rdataset, noqname);
+-						RUNTIME_CHECK(tresult ==
+-							      ISC_R_SUCCESS);
+-					}
+ 				}
+ 				addedrdataset = ardataset;
+ 				result = dns_db_addrdataset(fctx->cache, node,
[email protected]@ -4902,11 +4898,9 @@
+ 				tresult = findnoqname(fctx, name,
+ 						      rdataset->type, &noqname);
+ 				if (tresult == ISC_R_SUCCESS &&
+-				    noqname != NULL) {
+-					tresult = dns_rdataset_addnoqname(
+-							    rdataset, noqname);
+-					RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
+-				}
++				    noqname != NULL)
++					(void) dns_rdataset_addnoqname(
++						       rdataset, noqname);
+ 			}
+ 
+ 			/*
+--- old/./version	Wed Jan 11 14:12:30 2017
++++ new/./version	Wed Jan 11 14:12:29 2017
[email protected]@ -10,4 +10,4 @@
+ PATCHVER=
+ RELEASETYPE=-ESV
+ RELEASEVER=-R11
+-EXTENSIONS=-S9
++EXTENSIONS=-S10
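Review bot: Both resolver.c hunks (at 4766 and 4902) now discard the result of `dns_rdataset_addnoqname()` with a `(void)` cast and no comment, so a failure that used to abort through `RUNTIME_CHECK` is now silent. Dropping the abort is the right direction for a path fed by remote responses, but nothing tells the reader why ignoring the failure is safe or what state the rdataset is left in. I would add `/* Best effort: a failure here must not abort named (RT #43632). */` above each call. If a trace is wanted for triage, keeping `tresult` and logging a non-success value at debug level would be the smallest change. Both enclosing functions lie outside the hunks, so whether later code copes with the missing attachment cannot be confirmed from here.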
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/014-RT43779.patch	Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,151 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43779. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES	Thu Jan 12 00:28:22 2017
++++ new/./CHANGES	Thu Jan 12 00:28:22 2017
[email protected]@ -1,5 +1,9 @@
+ 	--- 9.6-ESV-R11-S10 released ---
+ 
++4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
++			in responses resulting in SERVFAIL being returned.
++			[RT #43779]
++
+ 4517.	[security]	Named could mishandle authority sections that were
+ 			missing RRSIGs triggering an assertion failure.
+ 			(CVE-2016-9444) [RT #43632]
+--- old/bin/tests/system/dname/ns2/example.db	Thu Jan 12 00:28:22 2017
++++ new/bin/tests/system/dname/ns2/example.db	Thu Jan 12 00:28:22 2017
[email protected]@ -29,4 +29,6 @@
+ short-dname		DNAME	short
+ a.longlonglonglonglonglonglonglonglonglonglonglonglong	A 10.0.0.2
+ long-dname		DNAME	longlonglonglonglonglonglonglonglonglonglonglonglong
+-;
++cname			CNAME	a.cnamedname
++cnamedname		DNAME	target
++a.target		A	10.0.0.3
+--- old/bin/tests/system/dname/tests.sh	Thu Jan 12 00:28:22 2017
++++ new/bin/tests/system/dname/tests.sh	Thu Jan 12 00:28:22 2017
[email protected]@ -63,6 +63,24 @@
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ 
++echo "I:checking cname to dname from authoritative"
++ret=0
++$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname
++grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++echo "I:checking cname to dname from recursive"
++ret=0
++$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname
++grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
++grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
+ echo "I:exit status: $status"
+ 
+ exit $status
+--- old/lib/dns/resolver.c	Thu Jan 12 00:28:23 2017
++++ new/lib/dns/resolver.c	Thu Jan 12 00:28:23 2017
[email protected]@ -5776,7 +5776,7 @@
+ answer_response(fetchctx_t *fctx) {
+ 	isc_result_t result;
+ 	dns_message_t *message;
+-	dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
+ 	dns_name_t *cname = NULL;
+ 	dns_rdataset_t *rdataset, *ns_rdataset;
+ 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
[email protected]@ -5784,7 +5784,7 @@
+ 	isc_boolean_t wanted_chaining;
+ 	unsigned int aflag;
+ 	dns_rdatatype_t type;
+-	dns_fixedname_t fdname, fqname, fqdname;
++	dns_fixedname_t fdname, fqname;
+ 
+ 	FCTXTRACE("answer_response");
+ 
[email protected]@ -5807,12 +5807,11 @@
+ 		aa = ISC_TRUE;
+ 	else
+ 		aa = ISC_FALSE;
+-	dqname = qname = &fctx->name;
++	qname = &fctx->name;
+ 	type = fctx->type;
+-	dns_fixedname_init(&fqdname);
+ 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ 	while (!done && result == ISC_R_SUCCESS) {
+-		dns_namereln_t namereln, dnamereln;
++		dns_namereln_t namereln;
+ 
+ 		int order;
+ 		unsigned int nlabels;
[email protected]@ -5821,8 +5820,6 @@
+ 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+-		dnamereln = dns_name_fullcompare(dqname, name, &order,
+-						     &nlabels);
+ 		if (namereln == dns_namereln_equal) {
+ 			wanted_chaining = ISC_FALSE;
+ 			for (rdataset = ISC_LIST_HEAD(name->list);
[email protected]@ -6074,11 +6071,24 @@
+ 					return (DNS_R_FORMERR);
+ 				}
+ 
+-				if (dnamereln != dns_namereln_subdomain) {
++				/*
++				 * If DNAME + synthetic CNAME then the
++				 * namereln is dns_namereln_subdomain.
++				 *
++				 * If synthetic CNAME + DNAME then the
++				 * namereln is dns_namereln_commonancestor
++				 * and the number of label must match the
++				 * DNAME.  This order is not RFC compliant.
++				 */
++
++				if (namereln != dns_namereln_subdomain &&
++				    (namereln != dns_namereln_commonancestor ||
++				     nlabels != dns_name_countlabels(name)))
++				{
+ 					char qbuf[DNS_NAME_FORMATSIZE];
+ 					char obuf[DNS_NAME_FORMATSIZE];
+ 
+-					dns_name_format(dqname, qbuf,
++					dns_name_format(qname, qbuf,
+ 							sizeof(qbuf));
+ 					dns_name_format(name, obuf,
+ 							sizeof(obuf));
[email protected]@ -6097,7 +6107,7 @@
+ 					want_chaining = ISC_TRUE;
+ 					POST(want_chaining);
+ 					aflag = DNS_RDATASETATTR_ANSWER;
+-					result = dname_target(rdataset, dqname,
++					result = dname_target(rdataset, qname,
+ 							      nlabels, &fdname);
+ 					if (result == ISC_R_NOSPACE) {
+ 						/*
[email protected]@ -6113,8 +6123,6 @@
+ 						dnameset = rdataset;
+ 
+ 					dname = dns_fixedname_name(&fdname);
+-					dqname = dns_fixedname_name(&fqdname);
+-					dns_name_copy(dname, dqname, NULL);
+ 				} else {
+ 					/*
+ 					 * We've found a signature that
[email protected]@ -6261,7 +6269,8 @@
+ 						rdataset->trust =
+ 						    dns_trust_additional;
+ 
+-					if (rdataset->type == dns_rdatatype_ns) {
++					if (rdataset->type == dns_rdatatype_ns)
++					{
+ 						ns_name = name;
+ 						ns_rdataset = rdataset;
+ 					}
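Review bot: The relaxed check in answer_response() (hunk at 6074) now accepts `dns_namereln_commonancestor` when `nlabels == dns_name_countlabels(name)`, an ordering the new comment itself calls not RFC compliant, but the additions to bin/tests/system/dname/tests.sh only query `cname.example` and check for NOERROR and the expected owner names. As far as the visible test changes show, nothing asserts that a response failing the new condition is still rejected, so the acceptance boundary for untrusted answers is untested. I would add a negative case next to the two new checks. I would also state the invariant in the comment, e.g. `/* Accept only when every label of the DNAME owner is shared with qname. */`, assuming nlabels is the common-label count from `dns_name_fullcompare()`. answer_response() starts and ends outside these hunks.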