aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2018-06-14 16:49:21 -0400
committerLeo Famulari <leo@famulari.name>2018-06-15 16:41:16 -0400
commit12e530ba63ad848d3d3194f09e8b54b693d74896 (patch)
tree561dce8a376a665bee6a64598f2eae814210bdd4
parenta7c8716928a240ba2c36d360e4ffeb447671fa6b (diff)
downloadguix-12e530ba63ad848d3d3194f09e8b54b693d74896.tar
guix-12e530ba63ad848d3d3194f09e8b54b693d74896.tar.gz
gnu: BIND: Fix CVE-2018-5738.
* gnu/packages/patches/bind-CVE-2018-5738.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/dns.scm (isc-bind)[source]: Use it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/dns.scm2
-rw-r--r--gnu/packages/patches/bind-CVE-2018-5738.patch100
3 files changed, 103 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 01e0718723..4d2cefdbde 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -581,6 +581,7 @@ dist_patch_DATA = \
%D%/packages/patches/azr3.patch \
%D%/packages/patches/bash-completion-directories.patch \
%D%/packages/patches/bazaar-CVE-2017-14176.patch \
+ %D%/packages/patches/bind-CVE-2018-5738.patch \
%D%/packages/patches/binutils-loongson-workaround.patch \
%D%/packages/patches/blast+-fix-makefile.patch \
%D%/packages/patches/boost-fix-icu-build.patch \
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 0b8d8be574..4fce4b34ba 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -50,6 +50,7 @@
#:use-module (gnu packages tls)
#:use-module (gnu packages web)
#:use-module (gnu packages xml)
+ #:use-module (gnu packages)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
#:use-module (guix download)
@@ -104,6 +105,7 @@ and BOOTP/TFTP for network booting of diskless machines.")
(uri (string-append
"ftp://ftp.isc.org/isc/bind9/" version "/" name "-"
version ".tar.gz"))
+ (patches (search-patches "bind-CVE-2018-5738.patch"))
(sha256
(base32
"0a9dvyg1dk7vpqn9gz7p5jas3bz7z22bjd66b98g1qk16i2w7rqd"))))
diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch
new file mode 100644
index 0000000000..ddef014651
--- /dev/null
+++ b/gnu/packages/patches/bind-CVE-2018-5738.patch
@@ -0,0 +1,100 @@
+Fix CVE-2018-5738:
+
+https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index f63554e..847c4ff 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ CHECKM(named_config_getport(config, &port), "port");
+ dns_view_setdstport(view, port);
+
+- CHECK(configure_view_acl(vconfig, config, named_g_config,
+- "allow-query", NULL, actx,
+- named_g_mctx, &view->queryacl));
+-
+ /*
+ * Make the list of response policy zone names for a view that
+ * is used for real lookups and so cares about hints.
+@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ "allow-query-cache-on", NULL, actx,
+ named_g_mctx, &view->cacheonacl));
+ /*
+- * Set "allow-query-cache", "allow-recursion", and
+- * "allow-recursion-on" acls if configured in named.conf.
+- * (Ignore the global defaults for now, because these ACLs
+- * can inherit from each other when only some of them set at
+- * the options/view level.)
++ * Set the "allow-query", "allow-query-cache", "allow-recursion",
++ * and "allow-recursion-on" ACLs if configured in named.conf, but
++ * NOT from the global defaults. This is done by leaving the third
++ * argument to configure_view_acl() NULL.
++ *
++ * We ignore the global defaults here because these ACLs
++ * can inherit from each other. If any are still unset after
++ * applying the inheritance rules, we'll look up the defaults at
++ * that time.
+ */
+- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+- NULL, actx, named_g_mctx, &view->cacheacl));
++
++ /* named.conf only */
++ CHECK(configure_view_acl(vconfig, config, NULL,
++ "allow-query", NULL, actx,
++ named_g_mctx, &view->queryacl));
++
++ /* named.conf only */
++ CHECK(configure_view_acl(vconfig, config, NULL,
++ "allow-query-cache", NULL, actx,
++ named_g_mctx, &view->cacheacl));
+
+ if (strcmp(view->name, "_bind") != 0 &&
+ view->rdclass != dns_rdataclass_chaos)
+ {
++ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-recursion", NULL, actx,
+ named_g_mctx, &view->recursionacl));
++ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-recursion-on", NULL, actx,
+ named_g_mctx, &view->recursiononacl));
+@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ * the global config.
+ */
+ if (view->recursionacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ "allow-recursion", NULL,
+ actx, named_g_mctx,
+ &view->recursionacl));
+ }
+ if (view->recursiononacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ "allow-recursion-on", NULL,
+ actx, named_g_mctx,
+ &view->recursiononacl));
+ }
+ if (view->cacheacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ "allow-query-cache", NULL,
+ actx, named_g_mctx,
+@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ CHECK(dns_acl_none(mctx, &view->cacheacl));
+ }
+
++ if (view->queryacl == NULL) {
++ /* global default only */
++ CHECK(configure_view_acl(NULL, NULL, named_g_config,
++ "allow-query", NULL,
++ actx, named_g_mctx,
++ &view->queryacl));
++ }
++
+ /*
+ * Ignore case when compressing responses to the specified
+ * clients. This causes case not always to be preserved,