From: Evan Hunt Date: Thu, 23 Feb 2017 23:34:11 +0000 (-0800) Subject: [v9_9_9_patch] remove unnecessary INSIST and prep 9.11.1rc2 X-Git-Tag: v9.9.9-P8~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a74889fe1af6e428cf9e2ab0645804231d56f3b8;p=thirdparty%2Fbind9.git [v9_9_9_patch] remove unnecessary INSIST and prep 9.11.1rc2 4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734] (cherry picked from commit a1365a0042db8c1cd0ee4dbd0c91ce65ae09e098) (cherry picked from commit 559cbe04e73cf601784a371e09554c20407a6c7b) (cherry picked from commit fcf18748670e43c6b11e0b6a6b8ff2f0c3960e6c) --- diff --git a/CHANGES b/CHANGES index 2c6fe7da141..82ffab5c847 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,9 @@ --- 9.9.9-P7 released --- +4578. [security] Some chaining (CNAME or DNAME) responses to upstream + queries could trigger assertion failures. + (CVE-2017-3137) [RT #44734] + 4575. [security] DNS64 with "break-dnssec yes;" can result in an assertion failure. (CVE-2017-3136) [RT #44653] diff --git a/README b/README index 31488ef50dd..c7f0a706774 100644 --- a/README +++ b/README @@ -53,8 +53,8 @@ BIND 9 BIND 9.9.9-P7 - This version contains a fix for CVE-2017-3136, and updates - the built in trusted keys for the root zone. + This version contains fixes for CVE-2017-3136 and CVE-2017-3137, + and updates the built in trusted keys for the root zone. BIND 9.9.9-P6 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 23413ab8635..e68a049d928 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -98,11 +98,18 @@
Security Fixes + + + Some chaining (i.e., type CNAME or DNAME) responses to upstream + queries could trigger assertion failures. This flaw is disclosed + in CVE-2017-3137. [RT #44734] + + dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136.[RT #44653] + CVE-2017-3136. [RT #44653] diff --git a/lib/dns/api b/lib/dns/api index 9b31d25d322..272e0e17979 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -7,5 +7,5 @@ # 9.10: 140-149 # 9.11: 160-169 LIBINTERFACE = 172 -LIBREVISION = 5 +LIBREVISION = 6 LIBAGE = 0 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 14fe5432f0e..40c9db06f56 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -6661,15 +6661,15 @@ answer_response(fetchctx_t *fctx) { rdataset->attributes |= DNS_RDATASETATTR_CACHE; rdataset->trust = dns_trust_answer; - if (chaining == 0) { + if (external) { /* - * This data is "the" answer - * to our question only if - * we're not chaining (i.e. - * if we haven't followed - * a CNAME or DNAME). + * This data is outside of + * our query domain, and + * may not be cached. */ - INSIST(!external); + rdataset->attributes |= + DNS_RDATASETATTR_EXTERNAL; + } else if (chaining == 0) { /* * Don't use found_cname here * as we have just set it @@ -6691,14 +6691,6 @@ answer_response(fetchctx_t *fctx) { if (aa) rdataset->trust = dns_trust_authanswer; - } else if (external) { - /* - * This data is outside of - * our query domain, and - * may not be cached. - */ - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; } /* 
@@ -6873,15 +6865,12 @@ answer_response(fetchctx_t *fctx) { * If we are not chaining or the first CNAME * is a synthesised CNAME before the DNAME. */ - if ((chaining == 0) || - (chaining == 1U && synthcname)) + if (external) { + rdataset->attributes |= + DNS_RDATASETATTR_EXTERNAL; + } else if ((chaining == 0) || + (chaining == 1U && synthcname)) { - /* - * This data is "the" answer to - * our question only if we're - * not chaining. - */ - INSIST(!external); if (aflag == DNS_RDATASETATTR_ANSWER) { have_answer = ISC_TRUE; found_dname = ISC_TRUE; @@ -6898,9 +6887,6 @@ answer_response(fetchctx_t *fctx) { if (aa) rdataset->trust = dns_trust_authanswer; - } else if (external) { - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; } }
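Review bot: The subject line's "prep 9.11.1rc2" does not match the CHANGES and README hunks, which place entry 4578 and the CVE-2017-3137 mention in the 9.9.9-P7 section of the v9_9_9_patch branch. The wording looks carried over from the cherry-picked commit. Adjusting the subject for this branch would keep the history searchable by release.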
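Review bot: In the first lib/dns/resolver.c hunk (answer_response, @@ -6661), the new "} else if (chaining == 0) {" arm loses the comment saying this data is "the" answer only when no CNAME or DNAME has been followed. Nothing records that external can be true while chaining == 0, which is the case the removed INSIST(!external) denied. Keep a short comment on the else-if arm. Extend the comment in the "if (external)" arm to say that such data is now marked DNS_RDATASETATTR_EXTERNAL and skips the answer handling rather than asserting. The files touched in this patch include no test. A regression test that feeds the resolver a chaining response of the kind the CHANGES entry describes would guard against the assertion being reintroduced.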
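Review bot: In the second lib/dns/resolver.c hunk (@@ -6873), the retained comment "If we are not chaining or the first CNAME is a synthesised CNAME before the DNAME." now sits directly above "if (external) {", which it does not describe. Move it down to the "} else if ((chaining == 0) || (chaining == 1U && synthcname))" arm. Give the external arm the same "outside of our query domain, and may not be cached" comment that the earlier hunk carries, so both sites document the same decision.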