Commit 911a4589 authored by Ondřej Surý's avatar Ondřej Surý
Browse files

Merge branch '880-secure-asdfasdfasdf-abacadabra-crash-v9_12_4_patch-v9_12' into 'v9_12'

Resolve "CVE-2019-6467: lib/ns/query.c:9176: INSIST(!qctx->is_zone) failed, back trace"

See merge request !1869
parents aeae941a 47ca855b
Pipeline #13894 passed with stages
in 1 minute and 16 seconds
5199. [security] In certain configurations, named could crash
if nxdomain-redirect was in use and a redirected
query resulted in an NXDOMAIN from the cache.
(CVE-2019-6467) [GL #880]
5192. [bug] configure --fips-mode failed. [GL #946]
5167. [bug] nxdomain-redirect could sometimes lookup the wrong
......
......@@ -27,4 +27,9 @@ rm -f ns3/dsset-signed.
rm -f ns3/nsec3.db*
rm -f ns3/signed.db*
rm -f ns4/*.db
rm -f ns5/dsset-*
rm -f ns5/K* ns5/sign.ns5.*
rm -f ns5/root.db ns5/root.db.signed
rm -f ns5/signed.db ns5/signed.db.signed
rm -f ns6/signed.db.signed
rm -f rndc.out
......@@ -11,7 +11,7 @@ $TTL 3600
@ SOA a.root-servers.nil. marka.isc.org. 0 0 0 0 0
@ NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
example NS ns1.example.
example NS ns1.example.
ns1.example. A 10.53.0.1
signed NS ns1.example.
ns1.signed. A 10.53.0.1
......@@ -16,7 +16,7 @@ controls { /* empty */ };
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
options {
query-source address 10.53.0.2; /* note this is not 10.53.0.3 */
query-source address 10.53.0.2; /* note this is not 10.53.0.4 */
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
......@@ -28,7 +28,6 @@ options {
dnssec-enable yes;
dnssec-validation yes;
nxdomain-redirect "redirect";
};
key rndc_key {
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS5
options {
port @PORT@;
listen-on port @PORT@ { 10.53.0.5; };
pid-file "named.pid";
nxdomain-redirect signed;
};
zone "." {
type master;
file "root.db.signed";
};
// An unsigned zone that ns6 has a delegation for.
zone "unsigned." {
type master;
file "unsigned.db";
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 86400 IN SOA a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
. 518400 IN NS a.root-servers.nil.
a.root-servers.nil. 518400 IN A 10.53.0.5
signed. 172800 IN NS ns.signed.
ns.signed. 172800 IN A 10.53.0.6
unsigned. 172800 IN NS ns.unsigned.
ns.unsigned. 172800 IN A 10.53.0.5
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
# We sign the zone here and move the signed zone to ns6.
# The ns5 server actually does not serve this zone but
# the DS and NS records are in the test root zone, and
# delegate to ns6.
zone=signed.
infile=signed.db.in
zonefile=signed.db
key1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null`
key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null`
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out 2>&1
cp signed.db.signed ../ns6
# Root zone.
zone=.
infile=root.db.in
zonefile=root.db
key1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null`
key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null`
# cat $infile $key1.key $key2.key > $zonefile
cat $infile dsset-signed. $key1.key $key2.key > $zonefile
$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out 2>&1
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA ns.signed. hostmaster.signed. 0 0 0 0 0
@ IN NS ns.signed.
ns.signed. IN A 10.0.53.6
domain.signed. IN A 10.0.53.1
* IN A 100.100.100.1
* IN AAAA 2001:ffff:ffff::100.100.100.1
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA ns.unsigned. hostmaster.unsigned. 0 0 0 0 0
@ IN NS ns.unsigned.
ns.unsigned. IN A 10.53.0.6
domain.unsigned. IN A 10.0.53.1
* IN A 100.100.100.1
* IN AAAA 2001:ffff:ffff::100.100.100.1
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS6
options {
port @PORT@;
listen-on port @PORT@ { 10.53.0.6; };
pid-file "named.pid";
nxdomain-redirect unsigned;
};
zone "." {
type master;
file "root.db";
};
// A signed zone that ns5 has a delegation for.
zone "signed." {
type master;
file "signed.db.signed";
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 86400 IN SOA a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
. 518400 IN NS a.root-servers.nil.
a.root-servers.nil. 518400 IN A 10.53.0.6
signed. 172800 IN NS ns.signed.
ns.signed. 172800 IN A 10.53.0.6
unsigned. 172800 IN NS ns.unsigned.
ns.unsigned. 172800 IN A 10.53.0.5
......@@ -20,6 +20,8 @@ copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
cp ns2/redirect.db.in ns2/redirect.db
cp ns2/example.db.in ns2/example.db
......@@ -27,3 +29,4 @@ cp ns2/example.db.in ns2/example.db
cp ns4/example.db.in ns4/example.db
( cd ns3 && $SHELL sign.sh )
( cd ns5 && $SHELL sign.sh )
......@@ -518,5 +518,21 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking tld nxdomain-redirect against signed root zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.5 asdfasdfasdf > dig.out.ns5.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking tld nxdomain-redirect against unsigned root zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 asdfasdfasdf > dig.out.ns6.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns6.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
......@@ -41,76 +41,11 @@
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
<command>named</command> could crash during recursive processing
of DNAME records when <command>deny-answer-aliases</command> was
in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
</para>
</listitem>
<listitem>
<para>
When recursion is enabled but the <command>allow-recursion</command>
and <command>allow-query-cache</command> ACLs are not specified, they
should be limited to local networks, but they were inadvertently set
to match the default <command>allow-query</command>, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
</para>
</listitem>
<listitem>
<para>
The serve-stale feature could cause an assertion failure in
rbtdb.c even when stale-answer-enable was false. The
simultaneous use of stale cache records and NSEC aggressive
negative caching could trigger a recursion loop in the
<command>named</command> process. This flaw is disclosed in
CVE-2018-5737. [GL #185]
</para>
</listitem>
<listitem>
<para>
A bug in zone database reference counting could lead to a crash
when multiple versions of a slave zone were transferred from a
master in close succession. This flaw is disclosed in
CVE-2018-5736. [GL #134]
</para>
</listitem>
<listitem>
<para>
Code change #4964, intended to prevent double signatures
when deleting an inactive zone DNSKEY in some situations,
introduced a new problem during zone processing in which
some delegation glue RRsets are incorrectly identified
as needing RRSIGs, which are then created for them using
the current active ZSK for the zone. In some, but not all
cases, the newly-signed RRsets are added to the zone's
NSEC/NSEC3 chain, but incompletely -- this can result in
a broken chain, affecting validation of proof of nonexistence
for records in the zone. [GL #771]
</para>
</listitem>
<listitem>
<para>
<command>named</command> could crash if it managed a DNSSEC
security root with <command>managed-keys</command> and the
authoritative zone rolled the key to an algorithm not supported
by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
</para>
</listitem>
<listitem>
<para>
<command>named</command> leaked memory when processing a
request with multiple Key Tag EDNS options present. ISC
would like to thank Toshifumi Sakaguchi for bringing this
to our attention. This flaw is disclosed in CVE-2018-5744.
[GL #772]
</para>
</listitem>
<listitem>
<para>
Zone transfer controls for writable DLZ zones were not
effective as the <command>allowzonexfr</command> method was
not being called for such zones. This flaw is disclosed in
CVE-2019-6465. [GL #790]
<para>
In certain configurations, <command>named</command> could crash
with an assertion failure if <command>nxdomain-redirect</command>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</para>
</listitem>
</itemizedlist>
......@@ -120,60 +55,7 @@
<itemizedlist>
<listitem>
<para>
<command>update-policy</command> rules that otherwise ignore the
name field now require that it be set to "." to ensure that any
type list present is properly interpreted. Previously, if the
name field was omitted from the rule declaration but a type list
was present, it wouldn't be interpreted as expected.
</para>
</listitem>
<listitem>
<para>
<command>named</command> now supports the "root key sentinel"
mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<command>root-key-sentinel no;</command> to
<filename>named.conf</filename>. [GL #37]
</para>
</listitem>
<listitem>
<para>
Add the ability to not return a DNS COOKIE option when one
is present in the request. To prevent a cookie being returned
add <command>answer-cookie no;</command> to
<filename>named.conf</filename>. [GL #173]
</para>
<para>
<command>answer-cookie no</command> is only intended as a
temporary measure, for use when <command>named</command>
shares an IP address with other servers that do not yet
support DNS COOKIE. A mismatch between servers on the
same address is not expected to cause operational problems,
but the option to disable COOKIE responses so that all
servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security
mechanism, and should not be disabled unless absolutely
necessary.
</para>
</listitem>
<listitem>
<para>
Two new update policy rule types have been added
<command>krb5-selfsub</command> and <command>ms-selfsub</command>
which allow machines with Kerberos principals to update
the name space at or below the machine names identified
in the respective principals.
</para>
</listitem>
<listitem>
<para>
The new configure option <command>--enable-fips-mode</command>
can be used to make BIND enable and enforce FIPS mode in the
OpenSSL library. When compiled with such option the BIND will
refuse to run if FIPS mode can't be enabled, thus this option
must be only enabled for the systems where FIPS mode is available.
None.
</para>
</listitem>
</itemizedlist>
......@@ -183,34 +65,7 @@
<itemizedlist>
<listitem>
<para>
BIND now can be compiled against libidn2 library to add
IDNA2008 support. Previously BIND only supported IDNA2003
using (now obsolete) idnkit-1 library.
</para>
</listitem>
<listitem>
<para>
<command>dig +noidnin</command> can be used to disable IDN
processing on the input domain name, when BIND is compiled
with IDN support.
</para>
</listitem>
<listitem>
<para>
The <command>rndc nta</command> command could not differentiate
between views of the same name but different class; this
has been corrected with the addition of a <command>-class</command>
option. [GL #105]
</para>
</listitem>
<listitem>
<para>
When compiled with IDN support, the <command>dig</command> and the
<command>nslookup</command> commands now disable IDN processing when
the standard output is not a tty (e.g. not used by human). The command
line options +idnin and +idnout need to be used to enable IDN
processing when <command>dig</command> or <command>nslookup</command>
is used from the shell scripts.
None.
</para>
</listitem>
</itemizedlist>
......@@ -220,19 +75,7 @@
<itemizedlist>
<listitem>
<para>
When a negative trust anchor was added to multiple views
using <command>rndc nta</command>, the text returned via
<command>rndc</command> was incorrectly truncated after the
first line, making it appear that only one NTA had been
added. This has been fixed. [GL #105]
</para>
</listitem>
<listitem>
<para>
<command>named</command> now rejects excessively large
incremental (IXFR) zone transfers in order to prevent
possible corruption of journal files which could cause
<command>named</command> to abort when loading zones. [GL #339]
None.
</para>
</listitem>
</itemizedlist>
......
......@@ -1472,7 +1472,6 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
dns_dbversion_t **versionp, bool *is_zonep)
{
isc_result_t result;
isc_result_t tresult;
unsigned int namelabels;
unsigned int zonelabels;
......@@ -1489,8 +1488,9 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
dbp, versionp);
/* See how many labels are in the zone's name. */
if (result == ISC_R_SUCCESS && zone != NULL)
if (result == ISC_R_SUCCESS && zone != NULL) {
zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
}
/*
* If # zone labels < # name labels, try to find an even better match
......@@ -1557,8 +1557,11 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
* If neither attempt above succeeded, return the cache instead
*/
*is_zonep = true;
} else if (result == ISC_R_NOTFOUND) {
result = query_getcachedb(client, name, qtype, dbp, options);
} else {
if (result == ISC_R_NOTFOUND) {
result = query_getcachedb(client, name, qtype, dbp,
options);
}
*is_zonep = false;
}
return (result);
......@@ -4792,11 +4795,13 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
CTRACE(ISC_LOG_DEBUG(3), "redirect2");
if (client->view->redirectzone == NULL)
if (client->view->redirectzone == NULL) {
return (ISC_R_NOTFOUND);
}
if (dns_name_issubdomain(name, client->view->redirectzone))
if (dns_name_issubdomain(name, client->view->redirectzone)) {
return (ISC_R_NOTFOUND);
}
found = dns_fixedname_initname(&fixed);
dns_rdataset_init(&trdataset);
......@@ -4804,8 +4809,9 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client, NULL);
if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp)) {
return (ISC_R_NOTFOUND);
}
if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
if (rdataset->trust == dns_trust_secure)
......@@ -4842,16 +4848,19 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
redirectname, NULL);
if (result != ISC_R_SUCCESS)
return (ISC_R_NOTFOUND);
} else
} else {
dns_name_copy(redirectname, client->view->redirectzone, NULL);
}
options = 0;
result = query_getdb(client, redirectname, qtype, options, &zone,
&db, &version, &is_zone);
if (result != ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
return (ISC_R_NOTFOUND);
if (zone != NULL)
}
if (zone != NULL) {
dns_zone_detach(&zone);
}
/*
* Lookup the requested data in the redirect zone.
......@@ -5500,7 +5509,6 @@ query_lookup(query_ctx_t *qctx) {
return (query_done(qctx));
}
}
return (query_gotanswer(qctx, result));
}
......@@ -5890,7 +5898,6 @@ query_resume(query_ctx_t *qctx) {
RESTORE(qctx->zone, qctx->client->query.redirect.zone);
qctx->authoritative =
qctx->client->query.redirect.authoritative;
qctx->is_zone = qctx->client->query.redirect.is_zone;
/*
* Free resources used while recursing.
......@@ -5997,7 +6004,6 @@ query_resume(query_ctx_t *qctx) {
ISC_EVENT_PTR(&qctx->event), &qctx->event);
} else if (REDIRECT(qctx->client)) {
result = qctx->client->query.redirect.result;
qctx->is_zone = qctx->client->query.redirect.is_zone;
} else {
result = qctx->event->result;
}
......
......@@ -1800,6 +1800,13 @@
./bin/tests/system/redirect/ns4/example.db.in ZONE 2015,2016,2018,2019
./bin/tests/system/redirect/ns4/named.conf.in CONF-C 2015,2016,2018,2019
./bin/tests/system/redirect/ns4/root.hint ZONE 2015,2016,2018,2019
./bin/tests/system/redirect/ns5/named.conf.in CONF-C 2019
./bin/tests/system/redirect/ns5/root.db.in ZONE 2019
./bin/tests/system/redirect/ns5/sign.sh SH 2019
./bin/tests/system/redirect/ns5/signed.db.in ZONE 2019
./bin/tests/system/redirect/ns5/unsigned.db ZONE 2019
./bin/tests/system/redirect/ns6/named.conf.in CONF-C 2019
./bin/tests/system/redirect/ns6/root.db ZONE 2019
./bin/tests/system/redirect/prereq.sh SH 2014,2016,2018,2019
./bin/tests/system/redirect/setup.sh SH 2011,2012,2013,2014,2015,2016,2017,2018,2019
./bin/tests/system/redirect/tests.sh SH 2011,2012,2013,2014,2015,2016,2018,2019
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment