[AUTO-CHERRYPICK] dhcp: fix CVE-2022-38177, CVE-2022-38178, CVE-2022-2795 for bind - branch main (#9094)

Co-authored-by: elainezhao96 <102555676+elainezhao96@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/dhcp/CVE-2022-2795.patch

@@ -0,0 +1,67 @@
+From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH 1/3] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered.  Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+
+Upstream-Status: Backport
+CVE: CVE-2022-2795
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ bind_ln/lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/bind_ln/lib/dns/resolver.c b/bind_ln/lib/dns/resolver.c
+index 8ae9a993bbd7..ac9a9ef5d009 100644
+--- a/bind_ln/lib/dns/resolver.c
++++ b/bind_ln/lib/dns/resolver.c
+@@ -180,6 +180,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 	bool need_alternate = false;
+ 	bool all_spilled = true;
+ 	unsigned int no_addresses = 0;
++	unsigned int ns_processed = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdata_freestruct(&ns);
++
++		if (++ns_processed >= NS_PROCESSING_LIMIT) {
++			result = ISC_R_NOMORE;
++			break;
++		}
+ 	}
+ 	if (result != ISC_R_NOMORE) {
+ 		return (result);
+-- 
+2.34.1
+

SPECS/dhcp/CVE-2022-38177.patch

@@ -0,0 +1,31 @@
+From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH 2/3] Free eckey on siglen mismatch
+
+Upstream-Status: Backport
+CVE: CVE-2022-38177
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ bind_ln/lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bind_ln/lib/dns/opensslecdsa_link.c b/bind_ln/lib/dns/opensslecdsa_link.c
+index 83b5b51cd78c..7576e04ac635 100644
+--- a/bind_ln/lib/dns/opensslecdsa_link.c
++++ b/bind_ln/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ECDSA384SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ 		DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+2.34.1
+

SPECS/dhcp/CVE-2022-38178.patch

@@ -0,0 +1,33 @@
+From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH 3/3] Free ctx on invalid siglen
+
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+
+Upstream-Status: Backport
+CVE: CVE-2022-38178
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ bind_ln/lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bind_ln/lib/dns/openssleddsa_link.c b/bind_ln/lib/dns/openssleddsa_link.c
+index 8b115ec283f0..b4fcd607c131 100644
+--- a/bind_ln/lib/dns/openssleddsa_link.c
++++ b/bind_ln/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ED448SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(ISC_R_NOTIMPLEMENTED);
+ 
+ 	isc_buffer_usedregion(buf, &tbsreg);
+ 
+-- 
+2.34.1
+

SPECS/dhcp/dhcp.spec

@@ -1,10 +1,13 @@
 Summary:        Dynamic host configuration protocol
 Name:           dhcp
 Version:        4.4.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MPLv2.0
 Url:            https://www.isc.org/dhcp/
 Source0:        ftp://ftp.isc.org/isc/dhcp/%{version}/%{name}-%{version}.tar.gz
+Patch0:         CVE-2022-38177.patch
+Patch1:         CVE-2022-38178.patch
+Patch2:         CVE-2022-2795.patch
 Group:          System Environment/Base
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -38,7 +41,13 @@ The ISC DHCP Client, dhclient, provides a means for configuring one or more netw
 
 
 %prep
-%autosetup -p1
+%setup -q -n dhcp-%{version}
+
+# Extracting bundled 'bind' to allow some of the patches to modify it.
+tar -C bind -xf bind/bind.tar.gz
+ln -s bind/bind-9* bind_ln
+
+%autopatch -p1
 
 %build
 CFLAGS="$CFLAGS \
@@ -169,6 +178,9 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/
 %{_mandir}/man8/dhclient.8.gz
 
 %changelog
+* Tue Apr 30 2024 Elaine Zhao <elainezhao@microsoft.com> - 4.4.3-2
+- Fix CVE-2022-38177, CVE-2022-38178, CVE-2022-2795 for bundled bind
+
 * Tue Apr 23 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 4.4.3-1
 - Auto-upgrade to 4.4.3 - Fix for CVE-2022-2928 and CVE-2022-2929