packages/dhcp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:acaf4c956fae3d85314de205b4df40713f679a02
Branches Tags
packages:main
...
compare: packages:9d57059647592373bcc1277d2379a10b00120d5e
Branches Tags
packages:main

11 Commits
acaf4c956f ... 9d57059647

Author SHA1 Message Date
openeuler-ci-bot
9d57059647
!137 fix CVE-2023-3341 CVE-2024-11187 
From: @zppzhangpan 
Reviewed-by: @xiangyu2020 
Signed-off-by: @xiangyu2020
 2025-03-21 02:59:47 +00:00
zhangpan
04d215cf2f fix CVE-2023-3341 CVE-2024-11187 2025-03-20 11:45:58 +00:00
openeuler-ci-bot
40cae76e59
!135 [sync] PR-134: Support for building with clang 
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-11-13 06:13:20 +00:00
胡义臻
89486700c6 Support for building with clang 
(cherry picked from commit 5771b15de88a12f2a309a2e6730a14cb3eddb354)
 2024-11-13 11:44:32 +08:00
openeuler-ci-bot
898640e1db
!133 [sync] PR-128: [Backport] fix CVE-2024-1975 CVE-2024-1737 
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-11-12 11:56:22 +00:00
胡义臻
bb13203376 [Backport] fix CVE-2024-1975 CVE-2024-1737 
CVE:CVE-2024-1975,CVE-2024-1737
Reference: https://downloads.isc.org/isc/bind9/9.18.28/patches/0003-CVE-2024-1975.patch
8ef414a7f3
5360c90612
5360c90612
b27c6bcce8
57cd34441a
Conflict:yes
Type: CVE

(cherry picked from commit 75d0d0cd7be9bf9bf6c1056060607aba674e965b)
 2024-11-12 19:36:07 +08:00
openeuler-ci-bot
e71a439861
!126 [sync] PR-120: [bugfix] cancel rebind6 timer after ipv6 expire 
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-11-11 14:00:35 +00:00
胡义臻
20f92ecd2d bugfix:cancel rebind6 timer after ipv6 expire 
(cherry picked from commit 9d23b8c7dd9c20dc89e49f63d40917f94dfcb406)
 2024-11-11 20:14:52 +08:00
openeuler-ci-bot
739fddc7cb
!103 sync from 22.03-LTS-Next 
From: @renmingshuai 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan
 2024-01-20 06:34:54 +00:00
renmingshuai
fb806861e0 rebase from 22.03-LTS-Next 2024-01-20 03:23:45 +00:00
openeuler-ci-bot
e8fa984f5b
!93 fix CVE-2022-2795,CVE-2022-38177 and CVE-2022-38178 
From: @renmingshuai 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan
 2024-01-05 01:53:51 +00:00
15 changed files with 1417 additions and 121 deletions
Show Stats Expand all files Collapse all files

46
IAID-is-output-has-hexe-if-it-contains-or.patch Normal file
View File

@ -0,0 +1,46 @@
From fb971ee6b5403c21e64fa66c8711f688f763518c Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Sat, 20 Jan 2024 02:51:53 +0000
Subject: [PATCH] IAID is output has hexe if it contains '\' or '"'
Signed-off-by: renmingshuai <renmingshuai@huawei.com>
---
client/dhclient.conf.5 | 6 +++---
common/print.c | 4 +++-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/client/dhclient.conf.5 b/client/dhclient.conf.5
index 566a881..2e2dc56 100644
--- a/client/dhclient.conf.5
+++ b/client/dhclient.conf.5
@@ -617,9 +617,9 @@ pairs, separated by colons.
Currently, the values written out based on lease-id-format are the default-duid
and the IAID value (DHCPv6 only). The client automatically reads the values
in either format. Note that when the format is octal, rather than as an octal
-string, IAID is output as hex if it contains no printable characters or as a
-string if contains only printable characters. This is done to maintain backward
-compatibility.
+string, IAID is output as hex if it contains special character '"', '\' or
+no printable characters, or as a string if contains only printable characters.
+This is done to maintain backward compatibility.
.PP
\fBreject \fIcidr-ip-address\fR [\fB,\fR \fI...\fB \fIcidr-ip-address\fR ] \fB;\fR
.PP
diff --git a/common/print.c b/common/print.c
index b42e7bc..6835eb1 100644
--- a/common/print.c
+++ b/common/print.c
@@ -427,7 +427,9 @@ void print_hex_or_string (len, data, limit, buf)
return;
for (i = 0; (i < (limit - 3)) && (i < len); i++) {
- if (!isascii(data[i]) || !isprint(data[i])) {
+ /* print as hex if the characters contain '"' or '\' */
+ if (!isascii(data[i]) || !isprint(data[i]) ||
+ (data[i] == '"' || data[i] == '\\')) {
print_hex_only(len, data, limit, buf);
return;
}
--
2.33.0

94
backport-0001-CVE-2024-1737.patch Normal file
View File

@ -0,0 +1,94 @@
From fdabf4b9570a60688f9f7d1e88d885f7a3718bca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Fri, 1 Mar 2024 08:26:07 +0100
Subject: [PATCH 1/3] Add a limit to the number of RRs in RRSets
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.
The fix for end-of-life branches make the limit compile-time only for
simplicity and the limit can be changed at the compile time by adding
following define to CFLAGS:
-DDNS_RDATASET_MAX_RECORDS=<limit>
(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
---
bind/bind-9.11.36/configure | 2 +-
bind/bind-9.11.36/configure.ac | 2 +-
bind/bind-9.11.36/lib/dns/rdataslab.c | 12 ++++++++++++
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/bind/bind-9.11.36/configure b/bind/bind-9.11.36/configure
index 368112f..736ff49 100755
--- a/bind/bind-9.11.36/configure
+++ b/bind/bind-9.11.36/configure
@@ -12185,7 +12185,7 @@ fi
XTARGETS=
case "$enable_developer" in
yes)
- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
+ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
diff --git a/bind/bind-9.11.36/configure.ac b/bind/bind-9.11.36/configure.ac
index 030c4d7..cc36b6c 100644
--- a/bind/bind-9.11.36/configure.ac
+++ b/bind/bind-9.11.36/configure.ac
@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
XTARGETS=
case "$enable_developer" in
yes)
- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
+ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
diff --git a/bind/bind-9.11.36/lib/dns/rdataslab.c b/bind/bind-9.11.36/lib/dns/rdataslab.c
index b0f77b1..347b7d2 100644
--- a/bind/bind-9.11.36/lib/dns/rdataslab.c
+++ b/bind/bind-9.11.36/lib/dns/rdataslab.c
@@ -115,6 +115,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
}
#endif
+#ifndef DNS_RDATASET_MAX_RECORDS
+#define DNS_RDATASET_MAX_RECORDS 100
+#endif /* DNS_RDATASET_MAX_RECORDS */
+
isc_result_t
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
isc_region_t *region, unsigned int reservelen)
@@ -161,6 +165,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
return (ISC_R_SUCCESS);
}
+ if (nitems > DNS_RDATASET_MAX_RECORDS) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+
if (nitems > 0xffff)
return (ISC_R_NOSPACE);
@@ -654,6 +662,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
#endif
INSIST(ocount > 0 && ncount > 0);
+ if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+
#if DNS_RDATASET_FIXED
oncount = ncount;
#endif
--
2.33.0

79
backport-0001-change-bug-url.patch
View File

@ -1,79 +0,0 @@
Reference: https://src.fedoraproject.org/rpms/dhcp/blob/rawhide/f/0001-change-bug-url.patch
From 23dfbc560028bf7429196db1a3826f8b80c19d3e Mon Sep 17 00:00:00 2001
From: Pavel Zhukov <pzhukov@redhat.com>
Date: Thu, 21 Feb 2019 10:09:57 +0100
Subject: [PATCH 01/26] change bug url
Cc: pzhukov@redhat.com
---
omapip/errwarn.c | 47 ++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 42 insertions(+), 5 deletions(-)
diff --git a/omapip/errwarn.c b/omapip/errwarn.c
index e30f8a0..09a3004 100644
--- a/omapip/errwarn.c
+++ b/omapip/errwarn.c
@@ -48,6 +48,41 @@ void (*log_cleanup) (void);
static char mbuf [CVT_BUF_MAX + 1];
static char fbuf [CVT_BUF_MAX + 1];
+// get BUG_REPORT_URL from /etc/os-release
+char * bug_report_url(void) {
+ FILE * file = fopen("/etc/os-release", "r");
+ size_t len;
+ char * line = NULL;
+ char * url = NULL;
+ size_t url_len = 256;
+
+ url = (char *) malloc(url_len * sizeof(char));
+ strcpy(url, "https://bugzilla.redhat.com/");
+
+ if (!file)
+ return url;
+
+ while ((getline(&line, &len, file)) != -1) {
+ if (strstr(line, "BUG_REPORT_URL") != NULL) {
+ char * start = strchr(line, '=');
+ char * rquotes = strrchr(line, '"');
+
+ if (rquotes != NULL) {
+ *rquotes = '\0';
+ strncpy(url, start+2, url_len);
+ } else {
+ strncpy(url, start+1, url_len);
+ }
+ url[url_len-1] = '\0';
+ fclose(file);
+ return url;
+ }
+ }
+ fclose(file);
+ return url;
+}
+
+
/* Log an error message, then exit... */
void log_fatal (const char * fmt, ... )
@@ -74,11 +109,13 @@ void log_fatal (const char * fmt, ... )
}
log_error ("%s", "");
- log_error ("If you think you have received this message due to a bug rather");
- log_error ("than a configuration issue please read the section on submitting");
- log_error ("bugs on either our web page at www.isc.org or in the README file");
- log_error ("before submitting a bug. These pages explain the proper");
- log_error ("process and the information we find helpful for debugging.");
+ log_error ("This version of ISC DHCP is based on the release available");
+ log_error ("on ftp.isc.org. Features have been added and other changes");
+ log_error ("have been made to the base software release in order to make");
+ log_error ("it work better with this distribution.");
+ log_error ("%s", "");
+ log_error ("Please report issues with this software via: ");
+ log_error ("%s", bug_report_url());
log_error ("%s", "");
log_error ("exiting.");
--
2.14.5

125
backport-0002-CVE-2024-1737.patch Normal file
View File

@ -0,0 +1,125 @@
From dfcadc2085c8844b5836aff2b5ea51fb60c34868 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 29 May 2024 08:43:39 +0200
Subject: [PATCH 2/3] Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k). As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).
Add a hard-coded limit (100) to cap the number of the RR types for a single
owner. The limit can be changed at the compile time by adding following
define to CFLAGS:
-DDNS_RBTDB_MAX_RTYPES=<limit>
Conflict:Context Adaptation
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
---
bind/bind-9.11.36/configure | 2 +-
bind/bind-9.11.36/configure.ac | 2 +-
bind/bind-9.11.36/lib/dns/rbtdb.c | 17 +++++++++++++++++
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/bind/bind-9.11.36/configure b/bind/bind-9.11.36/configure
index 736ff49..8e881e3 100755
--- a/bind/bind-9.11.36/configure
+++ b/bind/bind-9.11.36/configure
@@ -12185,7 +12185,7 @@ fi
XTARGETS=
case "$enable_developer" in
yes)
- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
diff --git a/bind/bind-9.11.36/configure.ac b/bind/bind-9.11.36/configure.ac
index cc36b6c..0eab441 100644
--- a/bind/bind-9.11.36/configure.ac
+++ b/bind/bind-9.11.36/configure.ac
@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
XTARGETS=
case "$enable_developer" in
yes)
- STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
index 3d76ca1..0cfef36 100644
--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
+++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
@@ -6190,6 +6190,10 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
}
+#ifndef DNS_RBTDB_MAX_RTYPES
+#define DNS_RBTDB_MAX_RTYPES 100
+#endif /* DNS_RBTDB_MAX_RTYPES */
+
/*
* write lock on rbtnode must be held.
*/
@@ -6210,6 +6214,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
+ uint32_t ntypes;
/*
* Add an rdatasetheader_t to a node.
@@ -6272,6 +6277,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
set_ttl(rbtdb, topheader, 0);
mark_stale_header(rbtdb, topheader);
}
+ ntypes = 0;
goto find_header;
}
/*
@@ -6293,9 +6299,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
* check for an extant non-stale NODATA ncache
* entry which covers the same type as the RRSIG.
*/
+ ntypes = 0;
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
+ ntypes++;
if ((topheader->type ==
RBTDB_RDATATYPE_NCACHEANY) ||
(newheader->type == sigtype &&
@@ -6339,9 +6347,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
}
}
+ ntypes = 0;
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
+ ntypes++;
if (prio_type(topheader->type)) {
prioheader = topheader;
}
@@ -6700,6 +6710,13 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
/*
* No rdatasets of the given type exist at the node.
*/
+
+ if (ntypes > DNS_RBTDB_MAX_RTYPES) {
+ free_rdataset(rbtdb, rbtdb->common.mctx,
+ newheader);
+ return (ISC_R_QUOTA);
+ }
+
newheader->down = NULL;
if (prio_type(newheader->type)) {
--
2.33.0

52
backport-0003-CVE-2024-1737.patch Normal file
View File

@ -0,0 +1,52 @@
From b27c6bcce894786a8e082eafd59eccbf6f2731cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 17 Jun 2024 11:40:40 +0200
Subject: [PATCH] Expand the list of the priority types and move it to db_p.h
Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
the priority types that are put at the beginning of the slabheader list
for faster access and to avoid eviction when there are more types than
the max-types-per-name limit.
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/b27c6bcce894786a8e082eafd59eccbf6f2731cb
---
bind/bind-9.11.36/lib/dns/rbtdb.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
index 0cfef36..0aed13c 100644
--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
+++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
@@ -1171,6 +1171,8 @@ prio_type(rbtdb_rdatatype_t type) {
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
case dns_rdatatype_a:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
+ case dns_rdatatype_mx:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
case dns_rdatatype_aaaa:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
case dns_rdatatype_nsec:
@@ -1183,6 +1185,18 @@ prio_type(rbtdb_rdatatype_t type) {
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
case dns_rdatatype_cname:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
+ case dns_rdatatype_dname:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
+ case dns_rdatatype_dnskey:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
+ case dns_rdatatype_srv:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
+ case dns_rdatatype_txt:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
+ case dns_rdatatype_ptr:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
+ case dns_rdatatype_naptr:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
return (true);
}
return (false);
--
2.33.0

185
backport-0004-CVE-2024-1737.patch Normal file
View File

@ -0,0 +1,185 @@
From 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120 Mon Sep 17 00:00:00 2001
From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
Date: Mon, 17 Jun 2024 11:40:40 +0200
Subject: Be smarter about refusing to add many RR types to the database
Instead of outright refusing to add new RR types to the cache, be a bit
smarter:
1. If the new header type is in our priority list, we always add either
positive or negative entry at the beginning of the list.
2. If the new header type is negative entry, and we are over the limit,
we mark it as ancient immediately, so it gets evicted from the cache
as soon as possible.
3. Otherwise add the new header after the priority headers (or at the
head of the list).
4. If we are over the limit, evict the last entry on the normal header
list.
(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/57cd34441a1b4ecc9874a4a106c2c95b8d7a3120
---
bind/bind-9.11.36/lib/dns/rbtdb.c | 71 +++++++++++++++++++++++++------
1 file changed, 59 insertions(+), 12 deletions(-)
diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
index 0aed13c..d2c4097 100644
--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
+++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
@@ -6208,6 +6208,26 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
#define DNS_RBTDB_MAX_RTYPES 100
#endif /* DNS_RBTDB_MAX_RTYPES */
+static bool
+overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
+ UNUSED(rbtdb);
+
+ if (DNS_RBTDB_MAX_RTYPES == 0) {
+ return (false);
+ }
+
+ return (ntypes >= DNS_RBTDB_MAX_RTYPES);
+}
+
+static bool
+prio_header(rdatasetheader_t *header) {
+ if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
+ return (true);
+ }
+
+ return (prio_type(header->type));
+}
+
/*
* write lock on rbtnode must be held.
*/
@@ -6218,7 +6238,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
{
rbtdb_changed_t *changed = NULL;
rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
- rdatasetheader_t *prioheader = NULL;
+ rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
unsigned char *merged;
isc_result_t result;
bool header_nx;
@@ -6228,7 +6248,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
- uint32_t ntypes;
+ uint32_t ntypes = 0;
/*
* Add an rdatasetheader_t to a node.
@@ -6291,7 +6311,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
set_ttl(rbtdb, topheader, 0);
mark_stale_header(rbtdb, topheader);
}
- ntypes = 0;
goto find_header;
}
/*
@@ -6301,8 +6320,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next)
- if (topheader->type == sigtype)
+ if (topheader->type == sigtype) {
sigheader = topheader;
+ break;
+ }
negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
} else {
/*
@@ -6313,11 +6334,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
* check for an extant non-stale NODATA ncache
* entry which covers the same type as the RRSIG.
*/
- ntypes = 0;
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
- ntypes++;
if ((topheader->type ==
RBTDB_RDATATYPE_NCACHEANY) ||
(newheader->type == sigtype &&
@@ -6361,12 +6380,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
}
}
- ntypes = 0;
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
- ntypes++;
- if (prio_type(topheader->type)) {
+ if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
+ ++ntypes;
+ expireheader = topheader;
+ } else if (!IS_CACHE(rbtdb)) {
+ ++ntypes;
+ }
+ if (prio_header(topheader)) {
prioheader = topheader;
}
if (topheader->type == newheader->type ||
@@ -6724,8 +6747,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
/*
* No rdatasets of the given type exist at the node.
*/
-
- if (ntypes > DNS_RBTDB_MAX_RTYPES) {
+ if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
free_rdataset(rbtdb, rbtdb->common.mctx,
newheader);
return (ISC_R_QUOTA);
@@ -6733,7 +6755,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
newheader->down = NULL;
- if (prio_type(newheader->type)) {
+ if (prio_header(newheader)) {
/* This is a priority type, prepend it */
newheader->next = rbtnode->data;
rbtnode->data = newheader;
@@ -6746,6 +6768,31 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
newheader->next = rbtnode->data;
rbtnode->data = newheader;
}
+
+ if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
+ if (expireheader == NULL) {
+ expireheader = newheader;
+ }
+ if (NEGATIVE(newheader) &&
+ !prio_header(newheader))
+ {
+ /*
+ * Add the new non-priority negative
+ * header to the database only
+ * temporarily.
+ */
+ expireheader = newheader;
+ }
+
+ set_ttl(rbtdb, expireheader, 0);
+ mark_stale_header(rbtdb, expireheader);
+ /*
+ * FIXME: In theory, we should mark the RRSIG
+ * and the header at the same time, but there is
+ * no direct link between those two header, so
+ * we would have to check the whole list again.
+ */
+ }
}
}
--
2.33.0

176
backport-0028-CVE-2023-3341.patch Normal file
View File

@ -0,0 +1,176 @@
From 820b0cceef0b67b041973da4041ea53d5e276363 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 20 Jun 2023 15:21:36 +1000
Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
Named and rndc do not need a lot of recursion so the depth is
set to 10.
Conflict: NA
Reference: https://downloads.isc.org/isc/bind9/9.16.44/patches/0001-CVE-2023-3341.patch
---
bind/bind-9.11.36/lib/isccc/cc.c | 40 ++++++++++++++-----
.../lib/isccc/include/isccc/result.h | 4 +-
bind/bind-9.11.36/lib/isccc/result.c | 5 ++-
3 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/bind/bind-9.11.36/lib/isccc/cc.c b/bind/bind-9.11.36/lib/isccc/cc.c
index e012685..e830054 100644
--- a/bind/bind-9.11.36/lib/isccc/cc.c
+++ b/bind/bind-9.11.36/lib/isccc/cc.c
@@ -53,6 +53,10 @@
#define MAX_TAGS 256
#define DUP_LIFETIME 900
+#ifndef ISCCC_MAXDEPTH
+#define ISCCC_MAXDEPTH \
+ 10 /* Big enough for rndc which just sends a string each way. */
+#endif
typedef isccc_sexpr_t *sexpr_ptr;
@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
static isc_result_t
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- uint32_t algorithm, isccc_sexpr_t **alistp);
+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
+list_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **listp);
static isc_result_t
-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+value_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **valuep) {
unsigned int msgtype;
uint32_t len;
isccc_sexpr_t *value;
isccc_region_t active;
isc_result_t result;
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
if (REGION_SIZE(*source) < 1 + 4)
return (ISC_R_UNEXPECTEDEND);
GET8(msgtype, source->rstart);
@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
} else
result = ISC_R_NOMEMORY;
} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
- result = table_fromwire(&active, NULL, 0, valuep);
+ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
else if (msgtype == ISCCC_CCMSGTYPE_LIST)
- result = list_fromwire(&active, valuep);
+ result = list_fromwire(&active, depth + 1, valuep);
else
result = ISCCC_R_SYNTAX;
@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
static isc_result_t
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- uint32_t algorithm, isccc_sexpr_t **alistp)
+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
{
char key[256];
uint32_t len;
@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
REQUIRE(alistp != NULL && *alistp == NULL);
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
checksum_rstart = NULL;
first_tag = true;
alist = isccc_alist_create();
@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
GET_MEM(key, len, source->rstart);
key[len] = '\0'; /* Ensure NUL termination. */
value = NULL;
- result = value_fromwire(source, &value);
+ result = value_fromwire(source, depth + 1, &value);
if (result != ISC_R_SUCCESS)
goto bad;
if (isccc_alist_define(alist, key, value) == NULL) {
@@ -661,14 +675,20 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
}
static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
+list_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **listp)
+{
isccc_sexpr_t *list, *value;
isc_result_t result;
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
list = NULL;
while (!REGION_EMPTY(*source)) {
value = NULL;
- result = value_fromwire(source, &value);
+ result = value_fromwire(source, depth + 1, &value);
if (result != ISC_R_SUCCESS) {
isccc_sexpr_free(&list);
return (result);
@@ -699,7 +719,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
if (version != 1)
return (ISCCC_R_UNKNOWNVERSION);
- return (table_fromwire(source, secret, algorithm, alistp));
+ return (table_fromwire(source, secret, algorithm, 0, alistp));
}
static isc_result_t
diff --git a/bind/bind-9.11.36/lib/isccc/include/isccc/result.h b/bind/bind-9.11.36/lib/isccc/include/isccc/result.h
index 6c79dd7..9e4fd7c 100644
--- a/bind/bind-9.11.36/lib/isccc/include/isccc/result.h
+++ b/bind/bind-9.11.36/lib/isccc/include/isccc/result.h
@@ -47,8 +47,10 @@
#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
/*% Duplicate */
#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
+/*% Maximum recursion depth */
+#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
-#define ISCCC_R_NRESULTS 6 /*%< Number of results */
+#define ISCCC_R_NRESULTS 7 /*%< Number of results */
ISC_LANG_BEGINDECLS
diff --git a/bind/bind-9.11.36/lib/isccc/result.c b/bind/bind-9.11.36/lib/isccc/result.c
index 8419bbb..60d76b5 100644
--- a/bind/bind-9.11.36/lib/isccc/result.c
+++ b/bind/bind-9.11.36/lib/isccc/result.c
@@ -40,7 +40,9 @@ static const char *text[ISCCC_R_NRESULTS] = {
"bad auth", /* 3 */
"expired", /* 4 */
"clock skew", /* 5 */
- "duplicate" /* 6 */
+ "duplicate", /* 6 */
+ "max depth" /* 7 */
+
};
static const char *ids[ISCCC_R_NRESULTS] = {
@@ -50,6 +52,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
"ISCCC_R_EXPIRED",
"ISCCC_R_CLOCKSKEW",
"ISCCC_R_DUPLICATE",
+ "ISCCC_R_MAXDEPTH"
};
#define ISCCC_RESULT_RESULTSET 2
--
2.43.0

244
backport-0029-CVE-2024-11187.patch Normal file
View File

@ -0,0 +1,244 @@
From fa7b7973e36056440dd688c7f312c89600d4f8cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 14 Nov 2024 10:37:29 +0100
Subject: [PATCH] Limit the additional processing for large RDATA sets
When answering queries, don't add data to the additional section if
the answer has more than 13 names in the RDATA. This limits the
number of lookups into the database(s) during a single client query,
reducing query processing load.
Also, don't append any additional data to type=ANY queries. The
answer to ANY is already big enough.
(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
Conflict:Context adaptation
Reference:https://downloads.isc.org/isc/bind9/9.18.33/patches/0001-CVE-2024-11187.patch
---
bind/bind-9.11.36/bin/named/query.c | 7 ++++---
.../bin/tests/system/additional/tests.sh | 2 +-
.../bin/tests/system/resolver/ns4/named.noaa | 5 -----
bind/bind-9.11.36/bin/tests/system/resolver/tests.sh | 8 ++++++++
bind/bind-9.11.36/lib/dns/include/dns/rdataset.h | 10 +++++++++-
bind/bind-9.11.36/lib/dns/rdataset.c | 8 +++++++-
bind/bind-9.11.36/lib/dns/resolver.c | 12 ++++++------
7 files changed, 35 insertions(+), 17 deletions(-)
delete mode 100644 bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
diff --git a/bind/bind-9.11.36/bin/named/query.c b/bind/bind-9.11.36/bin/named/query.c
index f109805..965d104 100644
--- a/bind/bind-9.11.36/bin/named/query.c
+++ b/bind/bind-9.11.36/bin/named/query.c
@@ -1827,7 +1827,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
*/
eresult = dns_rdataset_additionaldata(trdataset,
query_addadditional,
- client);
+ client, DNS_RDATASET_MAXADDITIONAL);
}
cleanup:
@@ -2433,7 +2433,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
additionalctx.client = client;
additionalctx.rdataset = rdataset;
(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
- &additionalctx);
+ &additionalctx, DNS_RDATASET_MAXADDITIONAL);
CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
}
@@ -2770,7 +2770,8 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
* To the current response for 'client', add the answer RRset
* '*rdatasetp' and an optional signature set '*sigrdatasetp', with
* owner name '*namep', to section 'section', unless they are
- * already there. Also add any pertinent additional data.
+ * already there. Also add any pertinent additional data, unless
+ * the query was for type ANY.
*
* If 'dbuf' is not NULL, then '*namep' is the name whose data is
* stored in 'dbuf'. In this case, query_addrrset() guarantees that
diff --git a/bind/bind-9.11.36/bin/tests/system/additional/tests.sh b/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
index 6400723..c82f85d 100644
--- a/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
+++ b/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
@@ -261,7 +261,7 @@ n=`expr $n + 1`
echo_i "testing with 'minimal-any no;' ($n)"
ret=0
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
+grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=`expr status + 1`
fi
diff --git a/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa b/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
deleted file mode 100644
index 3b121ad..0000000
--- a/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
+++ /dev/null
@@ -1,5 +0,0 @@
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
-
-Add -T noaa.
diff --git a/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh b/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
index 6eb52fe..bf37467 100755
--- a/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
+++ b/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
@@ -281,6 +281,10 @@ done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+stop_server ns4
+touch ns4/named.noaa
+start_server --noclean --restart --port ${PORT} ns4 || ret=1
+
n=`expr $n + 1`
echo_i "RT21594 regression test check setup ($n)"
ret=0
@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+stop_server ns4
+rm ns4/named.noaa
+start_server --noclean --restart --port ${PORT} ns4 || ret=1
+
n=`expr $n + 1`
echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
ret=0
diff --git a/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h b/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
index ed9119a..a446673 100644
--- a/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
+++ b/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
@@ -53,6 +53,8 @@
#include <dns/types.h>
#include <dns/rdatastruct.h>
+#define DNS_RDATASET_MAXADDITIONAL 13
+
ISC_LANG_BEGINDECLS
typedef enum {
@@ -471,7 +473,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
isc_result_t
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
- dns_additionaldatafunc_t add, void *arg);
+ dns_additionaldatafunc_t add, void *arg,
+ size_t limit);
/*%<
* For each rdata in rdataset, call 'add' for each name and type in the
* rdata which is subject to additional section processing.
@@ -490,10 +493,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
*\li If a call to dns_rdata_additionaldata() is not successful, the
* result returned will be the result of dns_rdataset_additionaldata().
*
+ *\li If 'limit' is non-zero and the number of the rdatasets is larger
+ * than 'limit', no additional data will be processed.
+ *
* Returns:
*
*\li #ISC_R_SUCCESS
*
+ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
+ *
*\li Any error that dns_rdata_additionaldata() can return.
*/
diff --git a/bind/bind-9.11.36/lib/dns/rdataset.c b/bind/bind-9.11.36/lib/dns/rdataset.c
index b42dea5..370ff09 100644
--- a/bind/bind-9.11.36/lib/dns/rdataset.c
+++ b/bind/bind-9.11.36/lib/dns/rdataset.c
@@ -28,6 +28,7 @@
#include <dns/ncache.h>
#include <dns/rdata.h>
#include <dns/rdataset.h>
+#include <dns/result.h>
static const char *trustnames[] = {
"none",
@@ -607,7 +608,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
isc_result_t
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
- dns_additionaldatafunc_t add, void *arg)
+ dns_additionaldatafunc_t add, void *arg,
+ size_t limit)
{
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
@@ -620,6 +622,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
REQUIRE(DNS_RDATASET_VALID(rdataset));
REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+ return DNS_R_TOOMANYRECORDS;
+ }
+
result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS)
return (result);
diff --git a/bind/bind-9.11.36/lib/dns/resolver.c b/bind/bind-9.11.36/lib/dns/resolver.c
index 4afd2af..d58cddb 100644
--- a/bind/bind-9.11.36/lib/dns/resolver.c
+++ b/bind/bind-9.11.36/lib/dns/resolver.c
@@ -6462,7 +6462,7 @@ chase_additional(fetchctx_t *fctx, dns_message_t *rmessage) {
rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
(void)dns_rdataset_additionaldata(rdataset,
check_related,
- &chkarg);
+ &chkarg, 0);
rescan = true;
}
}
@@ -7097,7 +7097,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
chkarg.fctx = fctx;
chkarg.rmessage = message;
(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
- &chkarg);
+ &chkarg, 0);
#if CHECK_FOR_GLUE_IN_ANSWER
/*
* Look in the answer section for "glue" that is incorrectly
@@ -7113,7 +7113,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
chkarg.fcx = fctx;
chkarg.rmessage = message;
(void)dns_rdataset_additionaldata(ns_rdataset,
- check_answer, &chkarg);
+ check_answer, &chkarg, 0);
}
#endif
FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
@@ -7355,7 +7355,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
chkarg.rmessage = message;
(void)dns_rdataset_additionaldata(rdataset,
check_related,
- &chkarg);
+ &chkarg, 0);
}
} else if (aname != NULL) {
dns_chkarg_t chkarg;
@@ -7383,7 +7383,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
chkarg.fctx = fctx;
chkarg.rmessage = message;
(void)dns_rdataset_additionaldata(ardataset, check_related,
- &chkarg);
+ &chkarg, 0);
for (sigrdataset = ISC_LIST_HEAD(aname->list);
sigrdataset != NULL;
sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
@@ -7546,7 +7546,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
(void)dns_rdataset_additionaldata(
rdataset,
check_related,
- &chkarg);
+ &chkarg, 0);
done = true;
}
}
--
2.43.0

240
backport-CVE-2024-1975.patch Normal file
View File

@ -0,0 +1,240 @@
From bef3d2cca3552100bbe44790c8c1a4f5bef06798 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Thu, 16 May 2024 12:10:41 +0200
Subject: [PATCH] Remove support for SIG(0) message verification
Conflict:Case adaptation and some documents are not incorporated.
Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0003-CVE-2024-1975.patch
---
bind/bind-9.11.36/bin/named/client.c | 7 ++
.../bin/tests/system/tsiggss/authsock.pl | 5 +
.../bin/tests/system/tsiggss/tests.sh | 12 ++-
.../bin/tests/system/upforwd/tests.sh | 9 +-
bind/bind-9.11.36/lib/dns/message.c | 92 ++-----------------
5 files changed, 32 insertions(+), 93 deletions(-)
diff --git a/bind/bind-9.11.36/bin/named/client.c b/bind/bind-9.11.36/bin/named/client.c
index 15fcfcd..95bf8e6 100644
--- a/bind/bind-9.11.36/bin/named/client.c
+++ b/bind/bind-9.11.36/bin/named/client.c
@@ -3012,6 +3012,13 @@ client_request(isc_task_t *task, isc_event_t *event) {
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"request is signed by a nonauthoritative key");
+ } else if (result == DNS_R_NOTVERIFIEDYET &&
+ client->message->sig0 != NULL)
+ {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "request has a SIG(0) signature but its support "
+ "was removed (CVE-2024-1975)");
} else {
char tsigrcode[64];
isc_buffer_t b;
diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
index ab3833d..0b231ee 100644
--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
+++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
@@ -31,6 +31,10 @@ if (!defined($path)) {
exit(1);
}
+# Enable output autoflush so that it's not lost when the parent sends TERM.
+select STDOUT;
+$| = 1;
+
unlink($path);
my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
die "unable to create socket $path";
@@ -53,6 +57,7 @@ if ($timeout != 0) {
}
while (my $client = $server->accept()) {
+ printf("accept()\n");
$client->recv(my $buf, 8, 0);
my ($version, $req_len) = unpack('N N', $buf);
diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
index 456ce61..fcd3b1f 100644
--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
+++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
@@ -116,7 +116,7 @@ status=$((status+ret))
echo_i "testing external update policy (CNAME) with auth sock ($n)"
ret=0
-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > authsock.log 2>&1 &
sleep 1
test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
n=$((n+1))
@@ -130,17 +130,19 @@ n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
-echo_i "testing external policy with SIG(0) key ($n)"
+echo_i "testing external policy with unsupported SIG(0) key ($n)"
ret=0
-$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
+$NSUPDATE -R $RANDFILE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
+debug
server 10.53.0.1 ${PORT}
zone example.nil
update add fred.example.nil 120 cname foo.bar.
send
END
output=`$DIG $DIGOPTS +short cname fred.example.nil.`
-[ -n "$output" ] || ret=1
-[ $ret -eq 0 ] || echo_i "failed"
+# update must have failed - SIG(0) signer is not supported
+[ -n "$output" ] && ret=1
+grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
diff --git a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
index 1cf8d3b..19563a1 100644
--- a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
+++ b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
@@ -177,18 +177,21 @@ n=`expr $n + 1`
if test -f keyname
then
- echo_i "checking update forwarding to with sig0 ($n)"
+ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
ret=0
keyname=`cat keyname`
- $NSUPDATE -k $keyname.private -- - <<EOF
+ # SIG(0) is removed, update is expected to fail.
+ {
+ $NSUPDATE -k $keyname.private -- - <<EOF
server 10.53.0.3 ${PORT}
zone example2
update add unsigned.example2. 600 A 10.10.10.1
update add unsigned.example2. 600 TXT Foo
send
EOF
+ } >nsupdate.out.$n 2>&1 && ret=1
$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
- grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+ grep "status: NOERROR" dig.out.ns1.test$n > /dev/null && ret=1
if [ $ret != 0 ] ; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
diff --git a/bind/bind-9.11.36/lib/dns/message.c b/bind/bind-9.11.36/lib/dns/message.c
index 2812ab5..0c71f79 100644
--- a/bind/bind-9.11.36/lib/dns/message.c
+++ b/bind/bind-9.11.36/lib/dns/message.c
@@ -3214,102 +3214,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
isc_result_t
dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
- isc_buffer_t b, msgb;
+ isc_buffer_t msgb;
REQUIRE(DNS_MESSAGE_VALID(msg));
- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
+ if (msg->tsigkey == NULL && msg->tsig == NULL) {
return (ISC_R_SUCCESS);
+ }
INSIST(msg->saved.base != NULL);
isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
isc_buffer_add(&msgb, msg->saved.length);
- if (msg->tsigkey != NULL || msg->tsig != NULL) {
#ifdef SKAN_MSG_DEBUG
- dns_message_dumpsig(msg, "dns_message_checksig#1");
+ dns_message_dumpsig(msg, "dns_message_checksig#1");
#endif
- if (view != NULL)
- return (dns_view_checksig(view, &msgb, msg));
- else
- return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+ if (view != NULL) {
+ return (dns_view_checksig(view, &msgb, msg));
} else {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_sig_t sig;
- dns_rdataset_t keyset;
- isc_result_t result;
-
- result = dns_rdataset_first(msg->sig0);
- INSIST(result == ISC_R_SUCCESS);
- dns_rdataset_current(msg->sig0, &rdata);
-
- /*
- * This can occur when the message is a dynamic update, since
- * the rdata length checking is relaxed. This should not
- * happen in a well-formed message, since the SIG(0) is only
- * looked for in the additional section, and the dynamic update
- * meta-records are in the prerequisite and update sections.
- */
- if (rdata.length == 0)
- return (ISC_R_UNEXPECTEDEND);
-
- result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- dns_rdataset_init(&keyset);
- if (view == NULL)
- return (DNS_R_KEYUNAUTHORIZED);
- result = dns_view_simplefind(view, &sig.signer,
- dns_rdatatype_key /* SIG(0) */,
- 0, 0, false, &keyset, NULL);
-
- if (result != ISC_R_SUCCESS) {
- /* XXXBEW Should possibly create a fetch here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- } else if (keyset.trust < dns_trust_secure) {
- /* XXXBEW Should call a validator here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- }
- result = dns_rdataset_first(&keyset);
- INSIST(result == ISC_R_SUCCESS);
- for (;
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&keyset))
- {
- dst_key_t *key = NULL;
-
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&keyset, &rdata);
- isc_buffer_init(&b, rdata.data, rdata.length);
- isc_buffer_add(&b, rdata.length);
-
- result = dst_key_fromdns(&sig.signer, rdata.rdclass,
- &b, view->mctx, &key);
- if (result != ISC_R_SUCCESS)
- continue;
- if (dst_key_alg(key) != sig.algorithm ||
- dst_key_id(key) != sig.keyid ||
- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
- dst_key_proto(key) == DNS_KEYPROTO_ANY))
- {
- dst_key_free(&key);
- continue;
- }
- result = dns_dnssec_verifymessage(&msgb, msg, key);
- dst_key_free(&key);
- if (result == ISC_R_SUCCESS)
- break;
- }
- if (result == ISC_R_NOMORE)
- result = DNS_R_KEYUNAUTHORIZED;
-
- freesig:
- if (dns_rdataset_isassociated(&keyset))
- dns_rdataset_disassociate(&keyset);
- dns_rdata_freestruct(&sig);
- return (result);
+ return (dns_tsig_verify(&msgb, msg, NULL, NULL));
}
}
--
2.33.0

98
backport-optimize-the-slabheader-placement-for-certain-RRtype.patch Normal file
View File

@ -0,0 +1,98 @@
From 8ef414a7f38a04cfc11df44adaedaf3126fa3878 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 29 Jan 2024 16:36:30 +0100
Subject: [PATCH] Optimize the slabheader placement for certain RRTypes
Mark the infrastructure RRTypes as "priority" types and place them at
the beginning of the rdataslab header data graph. The non-priority
types either go right after the priority types (if any).
(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/8ef414a7f38a04cfc11df44adaedaf3126fa3878
---
bind/bind-9.11.36/lib/dns/rbtdb.c | 44 +++++++++++++++++++++++++++++--
1 file changed, 42 insertions(+), 2 deletions(-)
diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
index 3ee1876..3d76ca1 100644
--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
+++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
@@ -1164,6 +1164,30 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
isc_heap_decreased(heap, header->heap_index);
}
+static bool
+prio_type(rbtdb_rdatatype_t type) {
+ switch (type) {
+ case dns_rdatatype_soa:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
+ case dns_rdatatype_a:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
+ case dns_rdatatype_aaaa:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
+ case dns_rdatatype_nsec:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
+ case dns_rdatatype_nsec3:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
+ case dns_rdatatype_ns:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
+ case dns_rdatatype_ds:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
+ case dns_rdatatype_cname:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
+ return (true);
+ }
+ return (false);
+}
+
/*%
* These functions allow the heap code to rank the priority of each
* element. It returns true if v1 happens "sooner" than v2.
@@ -6176,6 +6200,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
{
rbtdb_changed_t *changed = NULL;
rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
+ rdatasetheader_t *prioheader = NULL;
unsigned char *merged;
isc_result_t result;
bool header_nx;
@@ -6317,6 +6342,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
+ if (prio_type(topheader->type)) {
+ prioheader = topheader;
+ }
if (topheader->type == newheader->type ||
topheader->type == negtype)
break;
@@ -6672,9 +6700,21 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
/*
* No rdatasets of the given type exist at the node.
*/
- newheader->next = rbtnode->data;
newheader->down = NULL;
- rbtnode->data = newheader;
+
+ if (prio_type(newheader->type)) {
+ /* This is a priority type, prepend it */
+ newheader->next = rbtnode->data;
+ rbtnode->data = newheader;
+ } else if (prioheader != NULL) {
+ /* Append after the priority headers */
+ newheader->next = prioheader->next;
+ prioheader->next = newheader;
+ } else {
+ /* There were no priority headers */
+ newheader->next = rbtnode->data;
+ rbtnode->data = newheader;
+ }
}
}
--
2.33.0

54
bugfix-cancel-rebind6-timer-after-ipv6-expire.patch Normal file
View File

@ -0,0 +1,54 @@
From 6fced85ebcd9563ceb78675d0f4ff3e3d0eea90b Mon Sep 17 00:00:00 2001
From: huyizhen <huyizhen2@huawei.com>
Date: Thu, 24 Oct 2024 21:36:06 +0800
Subject: huawei-cancel-rebind6-timer-after-ipv6-expire
Solve below question:
Oct 23 16:38:04 localhost dhclient[141133]: PRC: Address 6636::3c depreferred.
Oct 23 16:38:04 localhost dhclient[141133]: XMT: Rebind on enp4s0, interval 00ms.
Oct 23 16:38:04 localhost dhclient[141133]: Impossible condition at dhc6.c:279.
Oct 23 16:38:04 localhost dhclient[141133]:
Oct 23 16:38:04 localhost dhclient[141133]: If you think you have received this message due to a bug rather
Oct 23 16:38:04 localhost dhclient[141133]: than a configuration issue please read the section on submitting
Oct 23 16:38:04 localhost dhclient[141133]: bugs on either our web page at www.isc.org or in the README file
Oct 23 16:38:04 localhost dhclient[141133]: before submitting a bug. These pages explain the proper
Oct 23 16:38:04 localhost dhclient[141133]: process and the information we find helpful for debugging.
Oct 23 16:38:04 localhost dhclient[141133]:
Oct 23 16:38:04 localhost dhclient[141133]: exiting.
The reason is:
1. After the REBIND message is retransmitted for the second time, the REBIND timer checks whether the REBIND message
is received 5 seconds later and sets the RT field to 0. (Because the 5s timer expires when the timer expires, no next
retransmission will occur.)
2. After 5s, the DEPREFER timer is triggered first. The DEPREFER timer considers that the REBIND timer expires and set
MRD field to 0, but the previously set REBIND timer is not canceled.
3. The REBIND timer is triggered immediately. Because the MRD is set to 0, the retransmission timer considers that the
maximum retransmission duration is not limited and attempts to continue the retransmission.
4. During the retransmission process, the RT value is 0 (retransmission is performed after 0s), and the process exits.
As a result, the DHCP6 function becomes abnormal.
Solution:
Cencle REBIND timer when DEPREFER timer considers that the REBIND timer expires.
---
client/dhc6.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/client/dhc6.c b/client/dhc6.c
index 88fd07d..2dbea60 100644
--- a/client/dhc6.c
+++ b/client/dhc6.c
@@ -4656,6 +4656,10 @@ dhc6_check_times(struct client_state *client)
* depreffed an address.
*/
client->MRD = hi_expire - cur_time;
+ /* Rebind expired, cancel rebind(do_refresh6) timer. */
+ if (client->MRD == 0) {
+ cancel_timeout(do_refresh6, client);
+ }
break;
default:
--
2.33.0

12
bugfix-error-message-display.patch
View File

@ -1,12 +0,0 @@
diff -ruNa dhcp-4.4.2-org/omapip/errwarn.c dhcp-4.4.2/omapip/errwarn.c
--- dhcp-4.4.2-org/omapip/errwarn.c 16:51:13.626927174 +0800
+++ dhcp-4.4.2/omapip/errwarn.c 16:55:40.477496361 +0800
@@ -57,7 +57,7 @@
size_t url_len = 256;
url = (char *) malloc(url_len * sizeof(char));
- strcpy(url, "https://bugzilla.redhat.com/");
+ strcpy(url, "https://gitee.com/src-openeuler/dhcp/issues");
if (!file)
return url;

103
dhcp.spec
View File

@ -3,7 +3,7 @@
Name: dhcp Name: dhcp
Version: 4.4.3 Version: 4.4.3
Release: 3 Release: 10
Summary: Dynamic host configuration protocol software Summary: Dynamic host configuration protocol software
#Please don't change the epoch on this package #Please don't change the epoch on this package
Epoch: 12 Epoch: 12
@ -18,7 +18,6 @@ Source6: dhcpd.service
Source7: dhcpd6.service Source7: dhcpd6.service
Source8: dhcrelay.service Source8: dhcrelay.service
Patch1: backport-0001-change-bug-url.patch
Patch2: backport-0002-additional-dhclient-options.patch Patch2: backport-0002-additional-dhclient-options.patch
Patch3: backport-0003-Handle-releasing-interfaces-requested-by-sbin-ifup.patch Patch3: backport-0003-Handle-releasing-interfaces-requested-by-sbin-ifup.patch
Patch4: backport-0004-Support-unicast-BOOTP-for-IBM-pSeries-systems-and-ma.patch Patch4: backport-0004-Support-unicast-BOOTP-for-IBM-pSeries-systems-and-ma.patch
@ -54,7 +53,6 @@ Patch33: bugfix-dhcp-64-bit-lease-parse.patch
Patch34: fix-coredump-when-client-active-is-NULL.patch Patch34: fix-coredump-when-client-active-is-NULL.patch
Patch35: feature-lease-time-config-ipv6.patch Patch35: feature-lease-time-config-ipv6.patch
Patch36: add-a-test-case-to-parse-code93-in-option_unittest.patch Patch36: add-a-test-case-to-parse-code93-in-option_unittest.patch
Patch37: bugfix-error-message-display.patch
Patch38: backport-Fix-CVE-2021-25220.patch Patch38: backport-Fix-CVE-2021-25220.patch
Patch39: backport-Fix-CVE-2022-2928.patch Patch39: backport-Fix-CVE-2022-2928.patch
Patch40: backport-Fix-CVE-2022-2929.patch Patch40: backport-Fix-CVE-2022-2929.patch
@ -62,6 +60,17 @@ Patch41: Revert-correcting-the-logic-in-dhclient.patch
Patch42: backport-CVE-2022-2795.patch Patch42: backport-CVE-2022-2795.patch
Patch43: backport-CVE-2022-38177.patch Patch43: backport-CVE-2022-38177.patch
Patch44: backport-CVE-2022-38178.patch Patch44: backport-CVE-2022-38178.patch
Patch45: IAID-is-output-has-hexe-if-it-contains-or.patch
Patch46: support-for-building-with-clang.patch
Patch47: bugfix-cancel-rebind6-timer-after-ipv6-expire.patch
Patch48: backport-CVE-2024-1975.patch
Patch49: backport-optimize-the-slabheader-placement-for-certain-RRtype.patch
Patch50: backport-0001-CVE-2024-1737.patch
Patch51: backport-0002-CVE-2024-1737.patch
Patch52: backport-0003-CVE-2024-1737.patch
Patch53: backport-0004-CVE-2024-1737.patch
Patch54: backport-0028-CVE-2023-3341.patch
Patch55: backport-0029-CVE-2024-11187.patch
BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel
BuildRequires: systemd systemd-devel BuildRequires: systemd systemd-devel
@ -310,68 +319,102 @@ exit 0
%{_mandir}/man3/omapi.3.gz %{_mandir}/man3/omapi.3.gz
%changelog %changelog
* Thu Jan 4 2024 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-3 * Thu Mar 20 2025 zhangpan <zhangpan103@h-partners.com> - 12:4.4.3-10
- Type:CVE
- ID:NA
- SUG:restart
- DESC:fix CVE-2023-3341 CVE-2024-11187
* Wed Nov 13 2024 huyizhen <huyizhen2@huawei.com> - 12:4.4.3-9
- Type:enhancement
- ID:NA
- SUG:build with clang
- DESC:Support for building with clang
* Mon Nov 11 2024 huyizhen <huyizhen2@huawei.com> - 12:4.4.3-8
- Type:CVE
- ID:NA
- SUG:restart
- DESC:fix CVE-2024-1975,CVE-2024-1737
* Tue Nov 05 2024 huyizhen <huyizhen2@huawei.com> - 12:4.4.3-7
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:cancel rebind6 timer after ipv6 expire
* Sat Jan 20 2024 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-6
- Type:bugfix
- ID:
- SUG:restart
- DESC:IAID is output has hexe if it contains '\' or '"'
* Thu Jan 4 2024 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-5
- Type:CVE - Type:CVE
- ID:CVE-2022-2795,CVE-2022-38177,CVE-2022-38178 - ID:CVE-2022-2795,CVE-2022-38177,CVE-2022-38178
- SUG:restart - SUG:restart
- DESC:fix CVE-2022-2795,CVE-2022-38177 and CVE-2022-38178 - DESC:fix CVE-2022-2795,CVE-2022-38177 and CVE-2022-38178
* Thu Jun 29 2023 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-2 * Fri Nov 24 2023 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-4
- Type:bugfix
- ID:
- SUG:restart
- DESC:delete report url added by other upstream patch to keep pace with DHCP
* Thu Jun 29 2023 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-3
- Type:bugfix - Type:bugfix
- ID: - ID:
- SUG:restart - SUG:restart
- DESC:revert the correction about the logic in dhclient - DESC:revert the correction about the logic in dhclient
* Tue Oct 25 2022 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-1 * Sat May 27 2023 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-2
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:add Restart in dhcpd.service
* Tue Nov 1 2022 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-1
- Type:requirement - Type:requirement
- ID: - ID:NA
- SUG:restart - SUG:restart
- DESC:update to 4.4.3 - DESC:update to 4.4.3
* Mon Oct 17 2022 renmingshuai <renmingshuai@huawei.com> - 12:4.4.2-15 * Thu Aug 25 2022 renmingshuai <renmingshuai@huawei.com> - 4.4.2-13
- Type:cves
- ID:CVE-2022-2928,CVE-2022-2929
- SUG:restart
- DESC:Fix CVE-2022-2928 and CVE-2022-2929
* Tue Sep 27 2022 renmingshuai <renmingshuai@huawei.com> - 12:4.4.2-14
- Type:cves
- ID:CVE-2021-25214, CVE-2021-25215, CVE-2021-25219, CVE-2021-25220
- SUG:restart
- DESC:Fix CVE-2021-25214 CVE-2021-25215 CVE-2021-25219 CVE-2021-25220
* Sat Jul 30 2022 renmingshuai <renmingshuai@huawei.com> - 4.4.2-13
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA
- SUG:restart - SUG:restart
- DESC:add dhX.conf.example in doc - DESC:add dhX.conf.example in doc
* Tue Feb 22 2022 zengwefeng <zwfeng@huawei.com> - 4.4.2-12 * Wed Aug 24 2022 renmingshuai <renmingshuai@huawei.com> - 4.4.2-12
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:add a test case for PXE to support ipv6
support lease time config for ipv6
* Tue Feb 8 2022 renmingshuai <renmingshuai@huawei.com> - 4.4.2-11
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA
- SUG:restart - SUG:restart
- DESC:fix error message display - DESC:fix error message display
* Wed Jan 12 2022 renmingshuai <renmingshuai@huawei.com> - 4.4.2-11 * Mon Feb 7 2022 renmingshuai <renmingshuai@huawei.com> - 4.4.2-10
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA
- SUG:restart - SUG:restart
- DESC:rename upstream patches and add reference - DESC:fix coredump when client active is NULL
* Fri Jan 07 2022 renmingshuai <renmingshuai@huawei.com> - 4.4.2-10 * Wed Jan 12 2022 renmingshuai <renmingshuai@huawei.com> - 4.4.2-9
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA
- SUG:restart - SUG:restart
- DESC:remove buildrequires bind-export-devel and buildin bind - DESC:modofy upstream patches name and add reference
* Fri Nov 26 2021 renmingshuai <renmingshuai@huawei.com> - 4.4.2-9 * Wed Jan 05 2022 renmingshuai <renmingshuai@huawei.com> - 4.4.2-8
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA
- SUG:restart - SUG:restart
- DESC:fix coredump when client active is NULL, add lease time config ipv6 and add a unittest - DESC:remove build require bind-export-devel and add buildin bind
* Tue Sep 14 2021 panchenbo<panchenbo@uniontech.com.com> - 4.4.2-8
- DESC: install dhcpd.conf.example
* Fri Jul 30 2021 renmingshuai <renmingshuai@huawei.com> - 4.4.2-7 * Fri Jul 30 2021 renmingshuai <renmingshuai@huawei.com> - 4.4.2-7
- Type:bugfix - Type:bugfix

1
dhcpd.service
View File

@ -10,6 +10,7 @@ Type=notify
EnvironmentFile=-/etc/sysconfig/dhcpd EnvironmentFile=-/etc/sysconfig/dhcpd
ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid $DHCPDARGS ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid $DHCPDARGS
StandardError=null StandardError=null
Restart=on-failure
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

29
support-for-building-with-clang.patch Normal file
View File

@ -0,0 +1,29 @@
From eb6f6bd959c2f496e4db1a90ea0629bbf9b12185 Mon Sep 17 00:00:00 2001
From: cf-zhao <zhaochuanfeng@huawei.com>
Date: Thu, 21 Mar 2024 13:04:26 +0800
Subject: [PATCH] Support for building with clang
---
client/dhclient.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/client/dhclient.c b/client/dhclient.c
index 3e31dbf..a1f8849 100644
--- a/client/dhclient.c
+++ b/client/dhclient.c
@@ -48,7 +48,12 @@
/*
* Defined in stdio.h when _GNU_SOURCE is set, but we don't want to define
* that when building ISC code.
+ * When build with clang, there is also a macro defined in stdio2.h,
+ * undefine it so that we still use the prototype in stdio.h.
*/
+#ifdef asprintf
+#undef asprintf
+#endif
extern int asprintf(char **strp, const char *fmt, ...);
TIME default_lease_time = 43200; /* 12 hours... */
--
2.33.0