1 files changed, 29 insertions, 0 deletions

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
new file mode 100644
index 0000000000..d8769c45cc
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
+CVE: CVE-2020-8617
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index b597a18d49..6357a3a486 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 			goto cleanup_context;
+ 		}
+ 		msg->verified_sig = 1;
+-	} else if (tsig.error != dns_tsigerror_badsig &&
+-		   tsig.error != dns_tsigerror_badkey) {
++	} else if (!response || (tsig.error != dns_tsigerror_badsig &&
++				 tsig.error != dns_tsigerror_badkey))
++	{
+ 		tsig_log(msg->tsigkey, 2, "signature was empty");
+ 		return (DNS_R_TSIGVERIFYFAILURE);
+ 	}
+@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 		}
+ 	}
+ 
+-	if (tsig.error != dns_rcode_noerror) {
++	if (response && tsig.error != dns_rcode_noerror) {
+ 		msg->tsigstatus = tsig.error;
+ 		if (tsig.error == dns_tsigerror_badtime)
+ 			ret = DNS_R_CLOCKSKEW;