Control: tag -1 + patch

On Wed, Jun 19, 2019 at 09:40:19PM +0200, Salvatore Bonaccorso wrote:
> Source: bind9
> Version: 1:9.11.5.P4+dfsg-5
> Severity: grave
> Tags: security upstream
> Control: clone -1 -2
> Control: reassign -2 src:bind 1:9.13.3-1
> Control: retitle -2 bind: CVE-2019-6471: A race condition when discarding 
> malformed packets can cause BIND to exit with an assertion failure
> 
> Hi,
> 
> The following vulnerability was published for bind9.
> 
> CVE-2019-6471[0]:
> |A race condition when discarding malformed packets can cause BIND to
> |exit with an assertion failure
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-6471
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6471
> [1] https://kb.isc.org/docs/cve-2019-6471
> 
> Please adjust the affected versions in the BTS as needed, I think the
> version back in stretch is not affected but this needs
> double-checking.

Attached the proposed debdiff.

Regards,
Salvatore
diff -Nru bind9-9.11.5.P4+dfsg/debian/changelog 
bind9-9.11.5.P4+dfsg/debian/changelog
--- bind9-9.11.5.P4+dfsg/debian/changelog       2019-05-03 19:44:57.000000000 
+0200
+++ bind9-9.11.5.P4+dfsg/debian/changelog       2019-06-21 11:24:31.000000000 
+0200
@@ -1,3 +1,11 @@
+bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * move item_out test inside lock in dns_dispatch_getnext() (CVE-2019-6471)
+    (Closes: #930746)
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 21 Jun 2019 11:24:31 +0200
+
 bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
 
   * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
diff -Nru 
bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
 
bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
--- 
bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
 2019-06-21 11:24:31.000000000 +0200
@@ -0,0 +1,56 @@
+From: Mark Andrews <[email protected]>
+Date: Tue, 19 Mar 2019 14:14:21 +1100
+Subject: move item_out test inside lock in dns_dispatch_getnext()
+Origin: 
https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb80d4a609b86427406d9dd783199920b5b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6471
+Bug-Debian: https://bugs.debian.org/930746
+
+(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712)
+---
+ lib/dns/dispatch.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
+index 408beda3679d..3278db4a07c2 100644
+--- a/lib/dns/dispatch.c
++++ b/lib/dns/dispatch.c
+@@ -134,7 +134,7 @@ struct dns_dispentry {
+       isc_task_t                     *task;
+       isc_taskaction_t                action;
+       void                           *arg;
+-      bool                    item_out;
++      bool                            item_out;
+       dispsocket_t                    *dispsocket;
+       ISC_LIST(dns_dispatchevent_t)   items;
+       ISC_LINK(dns_dispentry_t)       link;
+@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, 
dns_dispatchevent_t **sockevent) {
+       disp = resp->disp;
+       REQUIRE(VALID_DISPATCH(disp));
+ 
+-      REQUIRE(resp->item_out == true);
+-      resp->item_out = false;
+-
+       ev = *sockevent;
+       *sockevent = NULL;
+ 
+       LOCK(&disp->lock);
++
++      REQUIRE(resp->item_out == true);
++      resp->item_out = false;
++
+       if (ev->buffer.base != NULL)
+               free_buffer(disp, ev->buffer.base, ev->buffer.length);
+       free_devent(disp, ev);
+@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
+               isc_task_send(disp->task[0], &disp->ctlevent);
+ }
+ 
++/*
++ * disp must be locked.
++ */
+ static void
+ do_cancel(dns_dispatch_t *disp) {
+       dns_dispatchevent_t *ev;
+-- 
+2.20.1
+
diff -Nru bind9-9.11.5.P4+dfsg/debian/patches/series 
bind9-9.11.5.P4+dfsg/debian/patches/series
--- bind9-9.11.5.P4+dfsg/debian/patches/series  2019-05-03 19:44:57.000000000 
+0200
+++ bind9-9.11.5.P4+dfsg/debian/patches/series  2019-06-21 11:24:31.000000000 
+0200
@@ -12,3 +12,4 @@
 0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
 0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
 0014-Disable-broken-Ed448-support.patch
+0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch

Reply via email to