diff options
author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2006-09-06 21:23:16 +0000 |
---|---|---|
committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2006-09-06 21:23:16 +0000 |
commit | 518f8407ec5b300f1aa94ba045e454fb614bcf6f (patch) | |
tree | 67271fd914fb97023d1fc5d57d4ef40e7fabcca7 | |
parent | 86fcd2acb8b81dcfce7e0876c0c7e603e1e50886 (diff) | |
download | src-test2-518f8407ec5b300f1aa94ba045e454fb614bcf6f.tar.gz src-test2-518f8407ec5b300f1aa94ba045e454fb614bcf6f.zip |
Notes
-rw-r--r-- | UPDATING | 7 | ||||
-rw-r--r-- | contrib/bind9/bin/named/query.c | 4 | ||||
-rw-r--r-- | contrib/bind9/lib/dns/resolver.c | 49 | ||||
-rw-r--r-- | crypto/openssl/crypto/rsa/rsa_sign.c | 17 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 |
5 files changed, 55 insertions, 24 deletions
@@ -8,6 +8,13 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. Important recent entries: 20040724 (default X changes). +20060906: p33 FreeBSD-SA-06:19.openssl, FreeBSD-SA-06:20.bind + Correct incorrect PKCS#1 v1.5 padding validation in + crypto(3). [06:19] + + Correct multiple denial-of-service vulnerabilities in BIND related to + SIG Query Processing and Excessive Recursive Queries. [06:20] + 20060823: p32 FreeBSD-SA-06:18.ppp Correct buffer overflow in the handling of LCP options in ppp(4). diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index a5411af3433f..0630373ccace 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -2389,7 +2389,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) is_zone = ISC_FALSE; qtype = event->qtype; - if (qtype == dns_rdatatype_rrsig) + if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig) type = dns_rdatatype_any; else type = qtype; @@ -2430,7 +2430,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * If it's a SIG query, we'll iterate the node. */ - if (qtype == dns_rdatatype_rrsig) + if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig) type = dns_rdatatype_any; else type = qtype; diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c index c76631a2bbf1..ca6eb14c95b1 100644 --- a/contrib/bind9/lib/dns/resolver.c +++ b/contrib/bind9/lib/dns/resolver.c @@ -728,7 +728,8 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) { INSIST(result != ISC_R_SUCCESS || dns_rdataset_isassociated(event->rdataset) || fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig); + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig); isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); } @@ -3085,7 +3086,8 @@ validated(isc_task_t *task, isc_event_t *event) { if (hevent != NULL) { if (!negative && !chaining && (fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig)) { + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig)) { /* * Don't bind rdatasets; the caller * will iterate the node. @@ -3197,7 +3199,8 @@ validated(isc_task_t *task, isc_event_t *event) { if (!ISC_LIST_EMPTY(fctx->validators)) { INSIST(!negative); INSIST(fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig); + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig); /* * Don't send a response yet - we have * more rdatasets that still need to @@ -3343,14 +3346,15 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { return (result); anodep = &event->node; /* - * If this is an ANY or SIG query, we're not going - * to return any rdatasets, unless we encountered + * If this is an ANY, SIG or RRSIG query, we're not + * going to return any rdatasets, unless we encountered * a CNAME or DNAME as "the answer". In this case, * we're going to return DNS_R_CNAME or DNS_R_DNAME * and we must set up the rdatasets. */ if ((fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_rrsig) || + fctx->type != dns_rdatatype_rrsig && + fctx->type != dns_rdatatype_sig) || (name->attributes & DNS_NAMEATTR_CHAINING) != 0) { ardataset = event->rdataset; asigrdataset = event->sigrdataset; @@ -3409,7 +3413,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { */ if (secure_domain && rdataset->trust != dns_trust_glue) { /* - * SIGs are validated as part of validating the + * RRSIGs are validated as part of validating the * type they cover. */ if (rdataset->type == dns_rdatatype_rrsig) @@ -3479,7 +3483,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { if (ANSWER(rdataset) && need_validation) { if (fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_rrsig) { + fctx->type != dns_rdatatype_rrsig && + fctx->type != dns_rdatatype_sig) { /* * This is The Answer. We will * validate it, but first we cache @@ -3666,23 +3671,28 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, isc_result_t *eresultp) { isc_result_t result; + dns_rdataset_t rdataset; + + if (ardataset == NULL) { + dns_rdataset_init(&rdataset); + ardataset = &rdataset; + } result = dns_ncache_add(message, cache, node, covers, now, maxttl, ardataset); - if (result == DNS_R_UNCHANGED) { + if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) { /* - * The data in the cache are better than the negative cache - * entry we're trying to add. + * If the cache now contains a negative entry and we + * care about whether it is DNS_R_NCACHENXDOMAIN or + * DNS_R_NCACHENXRRSET then extract it. */ - if (ardataset != NULL && ardataset->type == 0) { + if (ardataset->type == 0) { /* - * The cache data is also a negative cache - * entry. + * The cache data is a negative cache entry. */ if (NXDOMAIN(ardataset)) *eresultp = DNS_R_NCACHENXDOMAIN; else *eresultp = DNS_R_NCACHENXRRSET; - result = ISC_R_SUCCESS; } else { /* * Either we don't care about the nature of the @@ -3694,14 +3704,11 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, * XXXRTH There's a CNAME/DNAME problem here. */ *eresultp = ISC_R_SUCCESS; - result = ISC_R_SUCCESS; } - } else if (result == ISC_R_SUCCESS) { - if (NXDOMAIN(ardataset)) - *eresultp = DNS_R_NCACHENXDOMAIN; - else - *eresultp = DNS_R_NCACHENXRRSET; + result = ISC_R_SUCCESS; } + if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset)) + dns_rdataset_disassociate(ardataset); return (result); } diff --git a/crypto/openssl/crypto/rsa/rsa_sign.c b/crypto/openssl/crypto/rsa/rsa_sign.c index 8a1e642183c4..f26a348e2ee6 100644 --- a/crypto/openssl/crypto/rsa/rsa_sign.c +++ b/crypto/openssl/crypto/rsa/rsa_sign.c @@ -185,6 +185,23 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, sig=d2i_X509_SIG(NULL,&p,(long)i); if (sig == NULL) goto err; + + /* Excess data can be used to create forgeries */ + if(p != s+i) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + + /* Parameters to the signature algorithm can also be used to + create forgeries */ + if(sig->algor->parameter + && sig->algor->parameter->type != V_ASN1_NULL) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + sigtype=OBJ_obj2nid(sig->algor->algorithm); diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 5c4655fa44c1..2f8950969f53 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="5.3" -BRANCH="RELEASE-p32" +BRANCH="RELEASE-p33" RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}" |