Date: Wed, 2 Sep 2015 21:00:39 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r47340 - in head/share: security/advisories security/patches/SA-15:23 xml
Message-ID: <201509022100.t82L0dvt025492@repo.freebsd.org>
Author: delphij
Date: Wed Sep 2 21:00:38 2015
New Revision: 47340
URL: https://svnweb.freebsd.org/changeset/doc/47340

Log:
  Add advisory and patches for SA-15:23.bind.

Added:
  head/share/security/advisories/FreeBSD-SA-15:23.bind.asc (contents, props changed)
  head/share/security/patches/SA-15:23/
  head/share/security/patches/SA-15:23/bind.patch (contents, props changed)
  head/share/security/patches/SA-15:23/bind.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-15:23.bind.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:23.bind.asc Wed Sep 2 21:00:38 2015 (r47340)
@@ -0,0 +1,147 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:23.bind Security Advisory + The FreeBSD Project + +Topic: BIND remote denial of service vulnerability + +Category: contrib +Module: bind +Announced: 2015-09-02 +Credits: ISC +Affects: FreeBSD 9.x +Corrected: 2015-09-02 20:06:46 UTC (stable/9, 9.3-STABLE) + 2015-09-02 20:07:03 UTC (releng/9.3, 9.3-RELEASE-p25) +CVE Name: CVE-2015-5722 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. The libdns +library is a library of DNS protocol support functions. + +II. Problem Description + +Parsing a malformed DNSSEC key can cause a validating resolver to exit +due to a failed assertion in buffer.c. + +III. Impact + +A remote attacker can deliberately trigger the failed assertion which +will cause an affected server to terminate, by using a query that +requires a response from a zone containing a malformed key, resulting +in a denial of service condition. + +Recursive servers are at greatest risk, however, an authoritative server +could also be affected, if an attacker controls a zone that the server +must query against to perform its zone service. + +IV. Workaround + +No workaround is available, but hosts not running named(8) are not +vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +The named service has to be restarted after the update. A reboot is +recommended but not required. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +The named service has to be restarted after the update. A reboot is +recommended but not required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/SA-15:23/bind.patch +# fetch https://security.FreeBSD.org/patches/SA-15:23/bind.patch.asc +# gpg --verify bind.patch.asc + +Please note that FreeBSD 9.3-STABLE is also affected by another issue +(CVE-2015-5986), and a different patch should be used. + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the named(8) daemon, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r287409 +releng/9.3/ r287410 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://kb.isc.org/article/AA-01287> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5722> + +CVE-2015-5986 is listed here for completeness and affects FreeBSD +9.3-STABLE but not FreeBSD 9.3-RELEASE: + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5986> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:23.bind.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.7 (FreeBSD) + +iQIcBAEBCgAGBQJV52K9AAoJEO1n7NZdz2rnYQEP/1MY+pxPVMWT86qNKZ8upUpH +LadLmtYAERrT9SMBrEFNCgylRdwNabTPKU0ZtxW8I57rks+j4bci053qo9Z7Hyo0 +tbK3hTtxJZHNBO1G+NFfQxx9U+R+86Korx3NvDiB78XkJaab5On3dSgIMJYPEIL+ +h0NEfYqe+X+LYg3W46faPdIuOsgxWSYN1T6mcZ5B5lucbT+LXjA5sRj+rUcE+a4O +2lIdM1oesWOZrEZo9FjK3UPvBbiEZkspr5IBd0zA825+BZNOpk06SOS/f3N0Pz8u +S2vGlxcT37CzC9fPgjQpcNBmB+76xLgz74Inj4uPDSvCz+wmmcr95YOgheZb2N6K +Bqakzy9TyRNk1aa8VXb8XpfyfMzroWG/vNjV6trI5wry7U0zRSl4dz+XAoz0A/eO +9ue88iWsVh97HBWKH94K8ZCA49G3NLgkbDkJ3awS4TfIKwwh9bGDiDepu1KMqnC1 +EzyRk2fnr9JIreLj5zR1ctL1xGUvBIzWvHeT72PjgdZ/hqDoXTHKSVnDoR0c6T+U +bJBJSLi3KUqaMkKRJez84r7G8RKtudLT292l4UQ3qgbiuaXagY6m1W0WBpLvw/zv +RQOsG3HPpDrrV/LiSWKybEX2hIqIHd3tssfjQqvMa4WLO3h8wVONjw74YgRzZaYb +t/1F4r4UYtfIJ7omydxx +=B0u1 +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:23/bind.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:23/bind.patch Wed Sep 2 21:00:38 2015 (r47340) 
@@ -0,0 +1,485 @@ +Index: contrib/bind9/lib/dns/hmac_link.c +=================================================================== +--- contrib/bind9/lib/dns/hmac_link.c (revision 287393) ++++ contrib/bind9/lib/dns/hmac_link.c (working copy) +@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *d + hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t)); + if (hmacmd5ctx == NULL) + return (ISC_R_NOMEMORY); +- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH); ++ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH); + dctx->ctxdata.hmacmd5ctx = hmacmd5ctx; + return (ISC_R_SUCCESS); + } +@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_k + else if (hkey1 == NULL || hkey2 == NULL) + return (ISC_FALSE); + +- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH)) ++ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH)) + return (ISC_TRUE); + else + return (ISC_FALSE); +@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ + isc_buffer_t b; + isc_result_t ret; + unsigned int bytes; +- unsigned char data[ISC_SHA1_BLOCK_LENGTH]; ++ unsigned char data[ISC_MD5_BLOCK_LENGTH]; + + UNUSED(callback); + + bytes = (key->key_size + 7) / 8; +- if (bytes > ISC_SHA1_BLOCK_LENGTH) { +- bytes = ISC_SHA1_BLOCK_LENGTH; +- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8; ++ if (bytes > ISC_MD5_BLOCK_LENGTH) { ++ bytes = ISC_MD5_BLOCK_LENGTH; ++ key->key_size = ISC_MD5_BLOCK_LENGTH * 8; + } + +- memset(data, 0, ISC_SHA1_BLOCK_LENGTH); ++ memset(data, 0, ISC_MD5_BLOCK_LENGTH); + ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); + + if (ret != ISC_R_SUCCESS) +@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ + isc_buffer_init(&b, data, bytes); + isc_buffer_add(&b, bytes); + ret = hmacmd5_fromdns(key, &b); +- memset(data, 0, ISC_SHA1_BLOCK_LENGTH); ++ memset(data, 0, ISC_MD5_BLOCK_LENGTH); + + return (ret); + } +@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t 
*key, isc_buffer_t *data + + memset(hkey->key, 0, sizeof(hkey->key)); + +- if (r.length > ISC_SHA1_BLOCK_LENGTH) { ++ if (r.length > ISC_MD5_BLOCK_LENGTH) { + isc_md5_init(&md5ctx); + isc_md5_update(&md5ctx, r.base, r.length); + isc_md5_final(&md5ctx, hkey->key); +@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data + key->key_size = keylen * 8; + key->keydata.hmacmd5 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +@@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *dat + key->key_size = keylen * 8; + key->keydata.hmacsha1 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +@@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *d + key->key_size = keylen * 8; + key->keydata.hmacsha224 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *d + key->key_size = keylen * 8; + key->keydata.hmacsha256 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +@@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *d + key->key_size = keylen * 8; + key->keydata.hmacsha384 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +@@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *d + key->key_size = keylen * 8; + key->keydata.hmacsha512 = hkey; + ++ isc_buffer_forward(data, r.length); ++ + return (ISC_R_SUCCESS); + } + +Index: contrib/bind9/lib/dns/include/dst/dst.h +=================================================================== +--- contrib/bind9/lib/dns/include/dst/dst.h (revision 287393) ++++ contrib/bind9/lib/dns/include/dst/dst.h (working copy) +@@ -69,6 +69,7 @@ typedef struct dst_context dst_context_t; + #define DST_ALG_HMACSHA256 163 /* XXXMPA */ + #define DST_ALG_HMACSHA384 164 /* XXXMPA */ + #define DST_ALG_HMACSHA512 165 /* XXXMPA */ ++#define 
DST_ALG_INDIRECT 252 + #define DST_ALG_PRIVATE 254 + #define DST_ALG_EXPAND 255 + #define DST_MAX_ALGS 255 +Index: contrib/bind9/lib/dns/ncache.c +=================================================================== +--- contrib/bind9/lib/dns/ncache.c (revision 287393) ++++ contrib/bind9/lib/dns/ncache.c (working copy) +@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherd + dns_name_fromregion(&tname, &remaining); + INSIST(remaining.length >= tname.length); + isc_buffer_forward(&source, tname.length); +- remaining.length -= tname.length; +- remaining.base += tname.length; ++ isc_region_consume(&remaining, tname.length); + + INSIST(remaining.length >= 2); + type = isc_buffer_getuint16(&source); +- remaining.length -= 2; +- remaining.base += 2; ++ isc_region_consume(&remaining, 2); + + if (type != dns_rdatatype_rrsig || + !dns_name_equal(&tname, name)) { +@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherd + INSIST(remaining.length >= 1); + trust = isc_buffer_getuint8(&source); + INSIST(trust <= dns_trust_ultimate); +- remaining.length -= 1; +- remaining.base += 1; ++ isc_region_consume(&remaining, 1); + + raw = remaining.base; + count = raw[0] * 256 + raw[1]; +Index: contrib/bind9/lib/dns/openssldh_link.c +=================================================================== +--- contrib/bind9/lib/dns/openssldh_link.c (revision 287393) ++++ contrib/bind9/lib/dns/openssldh_link.c (working copy) +@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) { + + static void + uint16_toregion(isc_uint16_t val, isc_region_t *region) { +- *region->base++ = (val & 0xff00) >> 8; +- *region->base++ = (val & 0x00ff); ++ *region->base = (val & 0xff00) >> 8; ++ isc_region_consume(region, 1); ++ *region->base = (val & 0x00ff); ++ isc_region_consume(region, 1); + } + + static isc_uint16_t +@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) { + val = ((unsigned int)(cp[0])) << 8; + val |= ((unsigned int)(cp[1])); + +- region->base += 2; ++ 
isc_region_consume(region, 2); ++ + return (val); + } + +@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t + } + else + BN_bn2bin(dh->p, r.base); +- r.base += plen; ++ isc_region_consume(&r, plen); + + uint16_toregion(glen, &r); + if (glen > 0) + BN_bn2bin(dh->g, r.base); +- r.base += glen; ++ isc_region_consume(&r, glen); + + uint16_toregion(publen, &r); + BN_bn2bin(dh->pub_key, r.base); +- r.base += publen; ++ isc_region_consume(&r, publen); + + isc_buffer_add(data, dnslen); + +@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da + return (DST_R_INVALIDPUBLICKEY); + } + if (plen == 1 || plen == 2) { +- if (plen == 1) +- special = *r.base++; +- else ++ if (plen == 1) { ++ special = *r.base; ++ isc_region_consume(&r, 1); ++ } else { + special = uint16_fromregion(&r); ++ } + switch (special) { + case 1: + dh->p = &bn768; +@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da + DH_free(dh); + return (DST_R_INVALIDPUBLICKEY); + } +- } +- else { ++ } else { + dh->p = BN_bin2bn(r.base, plen, NULL); +- r.base += plen; ++ isc_region_consume(&r, plen); + } + + /* +@@ -421,8 +425,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da + return (DST_R_INVALIDPUBLICKEY); + } + } +- } +- else { ++ } else { + if (glen == 0) { + DH_free(dh); + return (DST_R_INVALIDPUBLICKEY); +@@ -429,7 +432,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da + } + dh->g = BN_bin2bn(r.base, glen, NULL); + } +- r.base += glen; ++ isc_region_consume(&r, glen); + + if (r.length < 2) { + DH_free(dh); +@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *da + return (DST_R_INVALIDPUBLICKEY); + } + dh->pub_key = BN_bin2bn(r.base, publen, NULL); +- r.base += publen; ++ isc_region_consume(&r, publen); + + key->key_size = BN_num_bits(dh->p); + +Index: contrib/bind9/lib/dns/openssldsa_link.c +=================================================================== +--- contrib/bind9/lib/dns/openssldsa_link.c (revision 287393) ++++ 
contrib/bind9/lib/dns/openssldsa_link.c (working copy) +@@ -29,8 +29,6 @@ + * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +-/* $Id$ */ +- + #ifdef OPENSSL + #ifndef USE_EVP + #define USE_EVP 1 +@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t + DSA *dsa = key->keydata.dsa; + isc_region_t r; + DSA_SIG *dsasig; ++ unsigned int klen; + #if USE_EVP + EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; + EVP_PKEY *pkey; +@@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t + ISC_R_FAILURE)); + } + free(sigbuf); ++ + #elif 0 + /* Only use EVP for the Digest */ + if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) { +@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t + "DSA_do_sign", + DST_R_SIGNFAILURE)); + #endif +- *r.base++ = (key->key_size - 512)/64; ++ ++ klen = (key->key_size - 512)/64; ++ if (klen > 255) ++ return (ISC_R_FAILURE); ++ *r.base = klen; ++ isc_region_consume(&r, 1); ++ + BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH); +- r.base += ISC_SHA1_DIGESTLENGTH; ++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); + BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH); +- r.base += ISC_SHA1_DIGESTLENGTH; ++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); + DSA_SIG_free(dsasig); + isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); + +@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_ + if (r.length < (unsigned int) dnslen) + return (ISC_R_NOSPACE); + +- *r.base++ = t; ++ *r.base = t; ++ isc_region_consume(&r, 1); + BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH); +- r.base += ISC_SHA1_DIGESTLENGTH; ++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); + BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8); +- r.base += 
p_bytes; ++ isc_region_consume(&r, p_bytes); + + isc_buffer_add(data, dnslen); + +@@ -479,7 +486,8 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *d + return (ISC_R_NOMEMORY); + dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; + +- t = (unsigned int) *r.base++; ++ t = (unsigned int) *r.base; ++ isc_region_consume(&r, 1); + if (t > 8) { + DSA_free(dsa); + return (DST_R_INVALIDPUBLICKEY); +@@ -486,22 +494,22 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *d + } + p_bytes = 64 + 8 * t; + +- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { ++ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { + DSA_free(dsa); + return (DST_R_INVALIDPUBLICKEY); + } + + dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL); +- r.base += ISC_SHA1_DIGESTLENGTH; ++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); + + dsa->p = BN_bin2bn(r.base, p_bytes, NULL); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + + dsa->g = BN_bin2bn(r.base, p_bytes, NULL); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + + dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL); +- r.base += p_bytes; ++ isc_region_consume(&r, p_bytes); + + key->key_size = p_bytes * 8; + +Index: contrib/bind9/lib/dns/opensslecdsa_link.c +=================================================================== +--- contrib/bind9/lib/dns/opensslecdsa_link.c (revision 287393) ++++ contrib/bind9/lib/dns/opensslecdsa_link.c (working copy) +@@ -14,8 +14,6 @@ + * PERFORMANCE OF THIS SOFTWARE. 
+ */ + +-/* $Id$ */ +- + #include <config.h> + + #ifdef HAVE_OPENSSL_ECDSA +@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_ + "ECDSA_do_sign", + DST_R_SIGNFAILURE)); + BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2); +- r.base += siglen / 2; ++ isc_region_consume(&r, siglen / 2); + BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2); +- r.base += siglen / 2; ++ isc_region_consume(&r, siglen / 2); + ECDSA_SIG_free(ecdsasig); + isc_buffer_add(sig, siglen); + ret = ISC_R_SUCCESS; +Index: contrib/bind9/lib/dns/opensslrsa_link.c +=================================================================== +--- contrib/bind9/lib/dns/opensslrsa_link.c (revision 287393) ++++ contrib/bind9/lib/dns/opensslrsa_link.c (working copy) +@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d + RSA *rsa; + isc_region_t r; + unsigned int e_bytes; ++ unsigned int length; + #if USE_EVP + EVP_PKEY *pkey; + #endif +@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d + isc_buffer_remainingregion(data, &r); + if (r.length == 0) + return (ISC_R_SUCCESS); ++ length = r.length; + + rsa = RSA_new(); + if (rsa == NULL) +@@ -982,8 +984,8 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d + RSA_free(rsa); + return (DST_R_INVALIDPUBLICKEY); + } +- e_bytes = *r.base++; +- r.length--; ++ e_bytes = *r.base; ++ isc_region_consume(&r, 1); + + if (e_bytes == 0) { + if (r.length < 2) { +@@ -990,9 +992,10 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d + RSA_free(rsa); + return (DST_R_INVALIDPUBLICKEY); + } +- e_bytes = ((*r.base++) << 8); +- e_bytes += *r.base++; +- r.length -= 2; ++ e_bytes = (*r.base) << 8; ++ isc_region_consume(&r, 1); ++ e_bytes += *r.base; ++ isc_region_consume(&r, 1); + } + + if (r.length < e_bytes) { +@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *d + return (DST_R_INVALIDPUBLICKEY); + } + rsa->e = BN_bin2bn(r.base, e_bytes, NULL); +- r.base += e_bytes; +- r.length -= e_bytes; ++ 
isc_region_consume(&r, e_bytes); + + rsa->n = BN_bin2bn(r.base, r.length, NULL); + + key->key_size = BN_num_bits(rsa->n); + +- isc_buffer_forward(data, r.length); ++ isc_buffer_forward(data, length); + + #if USE_EVP + pkey = EVP_PKEY_new(); +Index: contrib/bind9/lib/dns/resolver.c +=================================================================== +--- contrib/bind9/lib/dns/resolver.c (revision 287393) ++++ contrib/bind9/lib/dns/resolver.c (working copy) +@@ -8937,6 +8937,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *r + + REQUIRE(VALID_RESOLVER(resolver)); + ++ /* ++ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1. ++ */ ++ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) ++ return (ISC_FALSE); ++ + #if USE_ALGLOCK + RWLOCK(&resolver->alglock, isc_rwlocktype_read); + #endif +@@ -8956,6 +8962,7 @@ dns_resolver_algorithm_supported(dns_resolver_t *r + #endif + if (found) + return (ISC_FALSE); ++ + return (dst_algorithm_supported(alg)); + } + Added: head/share/security/patches/SA-15:23/bind.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:23/bind.patch.asc Wed Sep 2 21:00:38 2015 (r47340) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.7 (FreeBSD) + +iQIcBAABCgAGBQJV52LHAAoJEO1n7NZdz2rnLHcP/iRhghnkzM4yzEQeluR2nQG9 +VBdJfaJStqcnBWGh7YOCEDc8O53WG/UvghNJp195ElnRqI2U8fcbV/5SkL+4b0LQ +vmBVG91IA8wqXc+XohaRUj5Lh3pMyVbo9jrjIO2r1uZlAwEiJxIoRvI6iwaCmNT3 +Sz1gHj+Q1ejf4iQMQzvtORkySU2lV/oHGmrLq3HJwY9RJhhaSULCg9vTeHy5UDZ0 +hOhPhcjZxWBLwI91ucM1h3ds3Xg006SE/DCpzgG18QzOUUQJBrRv9AMX22Lh/ZTY +v4AZvdtcRXIG/+LBo2rFTMF/dxCOMlRXk3ROoZiF0QhdWDnSpcZ68FjcBQMzX+bs +ic6o3PJ+92HLBUlfIkuz2ebPPuKPQgXwUCfNnmwzmT3b6PSQmlmE6xyg/hKqxGyP +nZTym/TyK6fTcJ8QsZGY94eF0mXfojk3Rcwkp5Gll2uLhLU70So1iugPfooJ2BJV +UVUfLuKpr0NWq8nQ1EhlP/5ebsvk5uvm7p47WIul3cgoCnCplGxsiW4T9mc5MbOM +6Zlr8UsPNz9oMFqQAtz0Ixjr4cQdVT65JEER/nQrl5GWPJjFMDCfH4tBeUUYwU9u +EylrAcQrZ/UD2z+PmDsqC14CSZLe5UpHKT4TP6gQS8B+TAvyZc70LsUzR++UH6CK +cONDnF8JJVo1Zmv1UcF5 +=9I73 +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Sep 2 20:30:53 2015 (r47339) +++ head/share/xml/advisories.xml Wed Sep 2 21:00:38 2015 (r47340) @@ -8,6 +8,18 @@ <name>2015</name> <month> + <name>9</name> + + <day> + <name>2</name> + + <advisory> + <name>FreeBSD-SA-15:23.bind</name> + </advisory> + </day> + </month> + + <month> <name>8</name> <day>
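Review bot: in section V.3.a of FreeBSD-SA-15:23.bind.asc the sentence "FreeBSD 9.3-STABLE is also affected by another issue (CVE-2015-5986), and a different patch should be used" tells stable/9 users not to apply bind.patch but gives no location for the patch they should use; add a URL or at least the advisory or branch to look at, otherwise the only actionable path for stable/9 in this advisory is a source update past the correction date. Section VI lists a stable/9 correction revision (r287409), so pointing at it explicitly would close the gap.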
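Review bot: the six hmac*_fromdns hunks in contrib/bind9/lib/dns/hmac_link.c each add `isc_buffer_forward(data, r.length);` before returning, which is what makes these parsers actually consume the key bytes they read from the source buffer; a one-line comment at the first of them ("advance past the key material") would help, since nothing in the hunks states why the call appears. The ISC_SHA1_BLOCK_LENGTH to ISC_MD5_BLOCK_LENGTH substitutions in hmacmd5_createctx, hmacmd5_compare, hmacmd5_generate and hmacmd5_fromdns fix the constant's name; confirm both constants carry the same value (MD5 and SHA-1 share a 64-byte block) so that existing HMAC-MD5 keys are handled byte-for-byte as before.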
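Review bot: the new `#define DST_ALG_INDIRECT 252` in contrib/bind9/lib/dns/include/dst/dst.h sits between the HMAC entries and `DST_ALG_PRIVATE 254`; 252 is the INDIRECT algorithm number from the DNSSEC algorithm registry (RFC 4034 Appendix A.1, which the resolver.c hunk in this same patch cites). A trailing comment naming the registry entry would make the value self-explanatory, as the neighbouring lines are annotated.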
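Review bot: the dns_ncache_getsigrdataset hunks in contrib/bind9/lib/dns/ncache.c are behaviour-preserving, since each replaced `remaining.length -= n; remaining.base += n;` pair is exactly what `isc_region_consume(&remaining, n)` does and the `INSIST(remaining.length >= ...)` checks before each consume are kept. The trailing context `raw = remaining.base; count = raw[0] * 256 + raw[1];` reads two bytes after a check that only guaranteed one (`INSIST(remaining.length >= 1)` for the trust byte, then consume 1); if no further length check exists outside the visible context, add `INSIST(remaining.length >= 2);` before the count read.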
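Review bot: the openssldh_fromdns hunks in contrib/bind9/lib/dns/openssldh_link.c are the substantive change in this file: the old code advanced only the base pointer (`special = *r.base++;`, `r.base += plen;`, `r.base += glen;`, `r.base += publen;`) and never decremented r.length, so the `if (r.length < 2)` guards that follow compared against a stale length and a short or malformed DH key could be read past the end of the region. isc_region_consume() keeps base and length in step, which is what makes those guards effective; uint16_toregion()/uint16_fromregion() are changed the same way so that callers see a consistent region afterwards. The openssldh_todns hunk is the write side and only changes bookkeeping, because r.length is not consulted after the writes in the visible lines.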
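Review bot: in openssldsa_fromdns (contrib/bind9/lib/dns/openssldsa_link.c) the length check is relaxed from `1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes` to `ISC_SHA1_DIGESTLENGTH + 3 * p_bytes`; this is correct only because the t byte is now removed from r by `isc_region_consume(&r, 1)` before the check runs (the old `*r.base++` left r.length unchanged), so a comment noting that the leading byte has already been consumed would stop the next reader from taking it as a weakened check. Also confirm that a check for r.length >= 1 precedes `t = (unsigned int) *r.base;` outside the visible context. In openssldsa_sign the new `if (klen > 255) return (ISC_R_FAILURE);` closes a truncation when `(key->key_size - 512)/64` is stored into a byte; the failure path two lines above reports DST_R_SIGNFAILURE, so consider the same result code for consistency.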
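Review bot: in opensslrsa_fromdns (contrib/bind9/lib/dns/opensslrsa_link.c) the new `length = r.length;` right after isc_buffer_remainingregion() and the change of the final call to `isc_buffer_forward(data, length)` belong together: the old code decremented r.length by hand as it went (`r.length--;`, `r.length -= 2;`, `r.length -= e_bytes;`), so `isc_buffer_forward(data, r.length)` advanced the source buffer only by the modulus length and left it positioned inside the key it had just parsed. Saving the full length up front fixes that, but nothing in the hunk says so; a short comment at `length = r.length;` is warranted.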
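Review bot: in dns_resolver_algorithm_supported (contrib/bind9/lib/dns/resolver.c) the added comment reads "DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1." but the condition beneath it also rejects DST_ALG_INDIRECT; extend the comment to cover both algorithms. Returning ISC_FALSE before the RWLOCK is fine, as the lock only protects the disabled-algorithm lookup that follows, and rejecting these algorithm numbers up front means a validating resolver never hands a DNSKEY with them to the per-algorithm parsers, which is consistent with the advisory's description of the failure (an assertion reached while parsing a malformed key).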