diff options
author | Leo Famulari <leo@famulari.name> | 2018-06-14 16:49:21 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2018-06-15 16:41:16 -0400 |
commit | 12e530ba63ad848d3d3194f09e8b54b693d74896 (patch) | |
tree | 561dce8a376a665bee6a64598f2eae814210bdd4 | |
parent | a7c8716928a240ba2c36d360e4ffeb447671fa6b (diff) | |
download | guix-12e530ba63ad848d3d3194f09e8b54b693d74896.tar guix-12e530ba63ad848d3d3194f09e8b54b693d74896.tar.gz |
gnu: BIND: Fix CVE-2018-5738.
* gnu/packages/patches/bind-CVE-2018-5738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/dns.scm (isc-bind)[source]: Use it.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/dns.scm | 2 | ||||
-rw-r--r-- | gnu/packages/patches/bind-CVE-2018-5738.patch | 100 |
3 files changed, 103 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 01e0718723..4d2cefdbde 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -581,6 +581,7 @@ dist_patch_DATA = \ %D%/packages/patches/azr3.patch \ %D%/packages/patches/bash-completion-directories.patch \ %D%/packages/patches/bazaar-CVE-2017-14176.patch \ + %D%/packages/patches/bind-CVE-2018-5738.patch \ %D%/packages/patches/binutils-loongson-workaround.patch \ %D%/packages/patches/blast+-fix-makefile.patch \ %D%/packages/patches/boost-fix-icu-build.patch \ diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm index 0b8d8be574..4fce4b34ba 100644 --- a/gnu/packages/dns.scm +++ b/gnu/packages/dns.scm @@ -50,6 +50,7 @@ #:use-module (gnu packages tls) #:use-module (gnu packages web) #:use-module (gnu packages xml) + #:use-module (gnu packages) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix download) @@ -104,6 +105,7 @@ and BOOTP/TFTP for network booting of diskless machines.") (uri (string-append "ftp://ftp.isc.org/isc/bind9/" version "/" name "-" version ".tar.gz")) + (patches (search-patches "bind-CVE-2018-5738.patch")) (sha256 (base32 "0a9dvyg1dk7vpqn9gz7p5jas3bz7z22bjd66b98g1qk16i2w7rqd")))) diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch new file mode 100644 index 0000000000..ddef014651 --- /dev/null +++ b/gnu/packages/patches/bind-CVE-2018-5738.patch @@ -0,0 +1,100 @@ +Fix CVE-2018-5738: + +https://kb.isc.org/article/AA-01616/0/CVE-2018-5738 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738 + +diff --git a/bin/named/server.c b/bin/named/server.c +index f63554e..847c4ff 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + CHECKM(named_config_getport(config, &port), "port"); + dns_view_setdstport(view, port); + +- CHECK(configure_view_acl(vconfig, config, named_g_config, +- "allow-query", NULL, actx, +- named_g_mctx, &view->queryacl)); +- + /* + * Make the list of response policy zone names for a view that + * is used for real lookups and so cares about hints. +@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + "allow-query-cache-on", NULL, actx, + named_g_mctx, &view->cacheonacl)); + /* +- * Set "allow-query-cache", "allow-recursion", and +- * "allow-recursion-on" acls if configured in named.conf. +- * (Ignore the global defaults for now, because these ACLs +- * can inherit from each other when only some of them set at +- * the options/view level.) ++ * Set the "allow-query", "allow-query-cache", "allow-recursion", ++ * and "allow-recursion-on" ACLs if configured in named.conf, but ++ * NOT from the global defaults. This is done by leaving the third ++ * argument to configure_view_acl() NULL. ++ * ++ * We ignore the global defaults here because these ACLs ++ * can inherit from each other. If any are still unset after ++ * applying the inheritance rules, we'll look up the defaults at ++ * that time. + */ +- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache", +- NULL, actx, named_g_mctx, &view->cacheacl)); ++ ++ /* named.conf only */ ++ CHECK(configure_view_acl(vconfig, config, NULL, ++ "allow-query", NULL, actx, ++ named_g_mctx, &view->queryacl)); ++ ++ /* named.conf only */ ++ CHECK(configure_view_acl(vconfig, config, NULL, ++ "allow-query-cache", NULL, actx, ++ named_g_mctx, &view->cacheacl)); + + if (strcmp(view->name, "_bind") != 0 && + view->rdclass != dns_rdataclass_chaos) + { ++ /* named.conf only */ + CHECK(configure_view_acl(vconfig, config, NULL, + "allow-recursion", NULL, actx, + named_g_mctx, &view->recursionacl)); ++ /* named.conf only */ + CHECK(configure_view_acl(vconfig, config, NULL, + "allow-recursion-on", NULL, actx, + named_g_mctx, &view->recursiononacl)); +@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + * the global config. + */ + if (view->recursionacl == NULL) { ++ /* global default only */ + CHECK(configure_view_acl(NULL, NULL, named_g_config, + "allow-recursion", NULL, + actx, named_g_mctx, + &view->recursionacl)); + } + if (view->recursiononacl == NULL) { ++ /* global default only */ + CHECK(configure_view_acl(NULL, NULL, named_g_config, + "allow-recursion-on", NULL, + actx, named_g_mctx, + &view->recursiononacl)); + } + if (view->cacheacl == NULL) { ++ /* global default only */ + CHECK(configure_view_acl(NULL, NULL, named_g_config, + "allow-query-cache", NULL, + actx, named_g_mctx, +@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + CHECK(dns_acl_none(mctx, &view->cacheacl)); + } + ++ if (view->queryacl == NULL) { ++ /* global default only */ ++ CHECK(configure_view_acl(NULL, NULL, named_g_config, ++ "allow-query", NULL, ++ actx, named_g_mctx, ++ &view->queryacl)); ++ } ++ + /* + * Ignore case when compressing responses to the specified + * clients. This causes case not always to be preserved, |