Commit 337f9dd0 authored by Evan Hunt's avatar Evan Hunt

Merge branch 'security-complete-dname-fix' into 'master'

Merge CVE-2018-5740 fix

See merge request !607
parents fa03f941 b4b4277f
......@@ -30,7 +30,9 @@
 
4998. [test] Make resolver and cacheclean tests more civilized.
 
4997. [placeholder]
4997. [security] named could crash during recursive processing
of DNAME records when "deny-answer-aliases" was
in use. (CVE-2018-5740) [GL #387]
 
4996. [bug] dig: Handle malformed +ednsopt option. [GL #403]
 
......
......@@ -21,6 +21,11 @@ options {
recursion yes;
allow-recursion { any; };
dnssec-validation yes;
deny-answer-aliases {
"example";
} except-from {
"example";
};
};
key rndc_key {
......
......@@ -248,5 +248,22 @@ $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking explicit DNAME query ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking DNAME via ANY query ($n)"
ret=0
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
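Review bot: The "checking explicit DNAME query" step queries ns7 without flushing first, so if short-dname.example is already cached from the preceding step the answer may come from cache instead of exercising the recursive DNAME path this change is meant to cover; the ANY step directly below does flush, so the two new steps are inconsistent. Adding `$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i` before the explicit-DNAME `$DIG` line would make both steps start from an empty cache. Both steps also assert only `status: NOERROR`; grepping the output for the DNAME record itself (for example `grep 'short-dname.example.*DNAME' dig.out.7.$n`) would confirm the alias is returned rather than an empty NOERROR. The `if [ $ret != 0 ]`/`status=` lines at the top of the hunk belong to the earlier test and start outside it.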
......@@ -204,6 +204,7 @@ n=`expr $n + 1`
echo_i "checking DNAME target filtering (deny) ($n)"
ret=0
$DIG $DIGOPTS +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......
......@@ -72,6 +72,13 @@
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
</para>
</listitem>
<listitem>
<para>
<command>named</command> could crash during recursive processing
of DNAME records when <command>deny-answer-aliases</command> was
in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
</para>
</listitem>
</itemizedlist>
</section>
......
......@@ -6608,6 +6608,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
unsigned int nlabels;
dns_fixedname_t fixed;
dns_name_t prefix;
int order;
REQUIRE(rdataset != NULL);
REQUIRE(rdataset->type == dns_rdatatype_cname ||
......@@ -6630,17 +6631,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
tname = &cname.cname;
break;
case dns_rdatatype_dname:
if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
dns_namereln_subdomain)
{
return (true);
}
result = dns_rdata_tostruct(&rdata, &dname, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
dns_name_init(&prefix, NULL);
tname = dns_fixedname_initname(&fixed);
nlabels = dns_name_countlabels(qname) -
dns_name_countlabels(rname);
nlabels = dns_name_countlabels(rname);
dns_name_split(qname, nlabels, &prefix, NULL);
result = dns_name_concatenate(&prefix, &dname.dname, tname,
NULL);
if (result == DNS_R_NAMETOOLONG)
if (result == DNS_R_NAMETOOLONG) {
if (chainingp != NULL) {
*chainingp = true;
}
return (true);
}
RUNTIME_CHECK(result == ISC_R_SUCCESS);
break;
default:
......@@ -8172,6 +8181,8 @@ rctx_answer_match(respctx_t *rctx) {
}
if ((rctx->ardataset->type == dns_rdatatype_cname ||
rctx->ardataset->type == dns_rdatatype_dname) &&
rctx->type != rctx->ardataset->type &&
rctx->type != dns_rdatatype_any &&
!is_answertarget_allowed(fctx, &fctx->name, rctx->aname,
rctx->ardataset, NULL))
{
......
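Review bot: The new early return after `dns_name_fullcompare(qname, rname, &order, &nlabels) != dns_namereln_subdomain` in is_answertarget_allowed answers "allowed" for a DNAME whose owner is not a proper ancestor of qname, but nothing in the hunk says why that is the safe result; a comment such as `/* A DNAME only rewrites names below its owner; if qname is not a subdomain of rname there is no synthesized target to filter, so nothing to deny. */` would stop a future reader from "tightening" it to return false. The same applies to the added `rctx->type != rctx->ardataset->type && rctx->type != dns_rdatatype_any` conditions in rctx_answer_match, which presumably skip filtering because an explicit CNAME/DNAME or ANY query returns the alias record at qname itself rather than a rewritten target; that reasoning is worth stating inline since it is what keeps the deny-answer-aliases policy from being bypassed. Note also that `nlabels` is written by dns_name_fullcompare and then unconditionally overwritten by `nlabels = dns_name_countlabels(rname);`, so the variable carries two meanings in the same branch; a one-line comment on the overwrite (the count passed to dns_name_split is the suffix length, i.e. rname's labels) would make that intentional. is_answertarget_allowed and rctx_answer_match both begin and end outside these hunks.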