Bug#930864: unblock: bind9/1:9.11.5.P4+dfsg-5.1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi
Please unblock package bind9 (it builds udeb's so would need an ack
from kibi as well). It fixes CVE-2019-6471, #930746 ("A race condition
when discarding malformed packets can cause BIND to exit with an
assertion failure").
I realize this is very short before the last date possible for unblock
requests.
unblock bind9/1:9.11.5.P4+dfsg-5.1
Regards,
Salvatore
diff -Nru bind9-9.11.5.P4+dfsg/debian/changelog bind9-9.11.5.P4+dfsg/debian/changelog
--- bind9-9.11.5.P4+dfsg/debian/changelog 2019-05-03 19:44:57.000000000 +0200
+++ bind9-9.11.5.P4+dfsg/debian/changelog 2019-06-21 11:24:31.000000000 +0200
@@ -1,3 +1,11 @@
+bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * move item_out test inside lock in dns_dispatch_getnext() (CVE-2019-6471)
+ (Closes: #930746)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jun 2019 11:24:31 +0200
+
bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
* AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
diff -Nru bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
--- bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch 1970-01-01 01:00:00.000000000 +0100
+++ bind9-9.11.5.P4+dfsg/debian/patches/0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch 2019-06-21 11:24:31.000000000 +0200
@@ -0,0 +1,56 @@
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 19 Mar 2019 14:14:21 +1100
+Subject: move item_out test inside lock in dns_dispatch_getnext()
+Origin: https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb80d4a609b86427406d9dd783199920b5b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6471
+Bug-Debian: https://bugs.debian.org/930746
+
+(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712)
+---
+ lib/dns/dispatch.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
+index 408beda3679d..3278db4a07c2 100644
+--- a/lib/dns/dispatch.c
++++ b/lib/dns/dispatch.c
+@@ -134,7 +134,7 @@ struct dns_dispentry {
+ isc_task_t *task;
+ isc_taskaction_t action;
+ void *arg;
+- bool item_out;
++ bool item_out;
+ dispsocket_t *dispsocket;
+ ISC_LIST(dns_dispatchevent_t) items;
+ ISC_LINK(dns_dispentry_t) link;
+@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
+ disp = resp->disp;
+ REQUIRE(VALID_DISPATCH(disp));
+
+- REQUIRE(resp->item_out == true);
+- resp->item_out = false;
+-
+ ev = *sockevent;
+ *sockevent = NULL;
+
+ LOCK(&disp->lock);
++
++ REQUIRE(resp->item_out == true);
++ resp->item_out = false;
++
+ if (ev->buffer.base != NULL)
+ free_buffer(disp, ev->buffer.base, ev->buffer.length);
+ free_devent(disp, ev);
+@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
+ isc_task_send(disp->task[0], &disp->ctlevent);
+ }
+
++/*
++ * disp must be locked.
++ */
+ static void
+ do_cancel(dns_dispatch_t *disp) {
+ dns_dispatchevent_t *ev;
+--
+2.20.1
+
diff -Nru bind9-9.11.5.P4+dfsg/debian/patches/series bind9-9.11.5.P4+dfsg/debian/patches/series
--- bind9-9.11.5.P4+dfsg/debian/patches/series 2019-05-03 19:44:57.000000000 +0200
+++ bind9-9.11.5.P4+dfsg/debian/patches/series 2019-06-21 11:24:31.000000000 +0200
@@ -12,3 +12,4 @@
0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
0014-Disable-broken-Ed448-support.patch
+0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
Reply to: