Diffstat (limited to 'meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
new file mode 100644
index 0000000000..d8769c45cc
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
+CVE: CVE-2020-8617
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index b597a18d49..6357a3a486 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ goto cleanup_context;
+ }
+ msg->verified_sig = 1;
+- } else if (tsig.error != dns_tsigerror_badsig &&
+- tsig.error != dns_tsigerror_badkey) {
++ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
++ tsig.error != dns_tsigerror_badkey))
++ {
+ tsig_log(msg->tsigkey, 2, "signature was empty");
+ return (DNS_R_TSIGVERIFYFAILURE);
+ }
+@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ }
+ }
+
+- if (tsig.error != dns_rcode_noerror) {
++ if (response && tsig.error != dns_rcode_noerror) {
+ msg->tsigstatus = tsig.error;
+ if (tsig.error == dns_tsigerror_badtime)
+ ret = DNS_R_CLOCKSKEW; |
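Review bot: The embedded tsig.c hunk headers do not look like those of a standalone patch: the first hunk is `@@ -1427,8 +1424,9 @@`, and a file's first hunk normally has equal old and new start lines, so the three-line offset suggests an earlier tsig.c hunk existed in the diff this was cut from, or that the headers were edited by hand. Please compare against the upstream URL in `Upstream-Status` and confirm that both `dns_tsig_verify` hunks apply to the recipe's BIND version at the intended place without offset or fuzz, since both new conditions gate on `response` and a misplaced hunk could change which path rejects an empty signature. If part of the upstream patch was deliberately left out, record that in the patch header, e.g. `Comment: <upstream hunks omitted and reason>`. The enclosing function `dns_tsig_verify` starts and ends outside both hunks, so how `response` is derived cannot be checked from here.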