From ac50574b430c1f2fdda5a9b21a9843770f9b9717 Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik@redhat.com>
Date: Jun 27 2018 16:18:57 +0000
Subject: CVE-2018-5738


---

diff --git a/bind-9.11-CVE-2018-5738.patch b/bind-9.11-CVE-2018-5738.patch
new file mode 100644
index 0000000..e5555aa
--- /dev/null
+++ b/bind-9.11-CVE-2018-5738.patch
@@ -0,0 +1,176 @@
+From 7983015dfa58be21526a01300b9e13a84278266a Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Mon, 4 Jun 2018 21:55:41 -0700
+Subject: [PATCH] allow-recursion could incorrectly inherit from the default
+ allow-query
+
+---
+ bin/named/server.c | 50 ++++++++++++++++++++++++++++++++++++--------------
+ doc/arm/notes.xml  | 41 +++++------------------------------------
+ 2 files changed, 41 insertions(+), 50 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 64a5180..41a1826 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3376,10 +3376,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 		dns_acache_setcachesize(view->acache, max_acache_size);
+ 	}
+ 
+-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
+-				 "allow-query", NULL, actx,
+-				 ns_g_mctx, &view->queryacl));
+-
+ 	/*
+ 	 * Make the list of response policy zone names for a view that
+ 	 * is used for real lookups and so cares about hints.
+@@ -4258,9 +4254,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 	INSIST(result == ISC_R_SUCCESS);
+ 	view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
+ 
+-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
+-				 "allow-query-cache-on", NULL, actx,
+-				 ns_g_mctx, &view->cacheonacl));
+ 	/*
+ 	 * Set sources where additional data and CNAME/DNAME
+ 	 * targets for authoritative answers may be found.
+@@ -4287,22 +4280,40 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 		view->additionalfromcache = ISC_TRUE;
+ 	}
+ 
++	CHECK(configure_view_acl(vconfig, config, ns_g_config,
++				 "allow-query-cache-on", NULL, actx,
++				 ns_g_mctx, &view->cacheonacl));
++
+ 	/*
+-	 * Set "allow-query-cache", "allow-recursion", and
+-	 * "allow-recursion-on" acls if configured in named.conf.
+-	 * (Ignore the global defaults for now, because these ACLs
+-	 * can inherit from each other when only some of them set at
+-	 * the options/view level.)
++	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
++	 * and "allow-recursion-on" ACLs if configured in named.conf, but
++	 * NOT from the global defaults. This is done by leaving the third
++	 * argument to configure_view_acl() NULL.
++	 *
++	 * We ignore the global defaults here because these ACLs
++	 * can inherit from each other.  If any are still unset after
++	 * applying the inheritance rules, we'll look up the defaults at
++	 * that time.
+ 	 */
+-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+-				 NULL, actx, ns_g_mctx, &view->cacheacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query", NULL, actx,
++				 ns_g_mctx, &view->queryacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query-cache", NULL, actx,
++				 ns_g_mctx, &view->cacheacl));
+ 
+ 	if (strcmp(view->name, "_bind") != 0 &&
+ 	    view->rdclass != dns_rdataclass_chaos)
+ 	{
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion", NULL, actx,
+ 					 ns_g_mctx, &view->recursionacl));
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion-on", NULL, actx,
+ 					 ns_g_mctx, &view->recursiononacl));
+@@ -4340,18 +4351,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 		 * the global config.
+ 		 */
+ 		if (view->recursionacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-recursion", NULL,
+ 						 actx, ns_g_mctx,
+ 						 &view->recursionacl));
+ 		}
+ 		if (view->recursiononacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-recursion-on", NULL,
+ 						 actx, ns_g_mctx,
+ 						 &view->recursiononacl));
+ 		}
+ 		if (view->cacheacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-query-cache", NULL,
+ 						 actx, ns_g_mctx,
+@@ -4365,6 +4379,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 		CHECK(dns_acl_none(mctx, &view->cacheacl));
+ 	}
+ 
++	if (view->queryacl == NULL) {
++		/* global default only */
++		CHECK(configure_view_acl(NULL, NULL, ns_g_config,
++					 "allow-query", NULL,
++					 actx, ns_g_mctx,
++					 &view->queryacl));
++	}
++
+ 	/*
+ 	 * Ignore case when compressing responses to the specified
+ 	 * clients. This causes case not always to be preserved,
+diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
+index ea9b61f..9a1832d 100644
+--- a/doc/arm/notes.xml
++++ b/doc/arm/notes.xml
+@@ -103,42 +103,11 @@
+     <itemizedlist>
+       <listitem>
+ 	<para>
+-	  An error in TSIG handling could permit unauthorized zone
+-	  transfers or zone updates. These flaws are disclosed in
+-	  CVE-2017-3142 and CVE-2017-3143. [RT #45383]
+-	</para>
+-      </listitem>
+-      <listitem>
+-	<para>
+-	  The BIND installer on Windows used an unquoted service path,
+-	  which can enable privilege escalation. This flaw is disclosed
+-	  in CVE-2017-3141. [RT #45229]
+-	</para>
+-      </listitem>
+-      <listitem>
+-	<para>
+-	  With certain RPZ configurations, a response with TTL 0
+-	  could cause <command>named</command> to go into an infinite
+-	  query loop. This flaw is disclosed in CVE-2017-3140.
+-	  [RT #45181]
+-	</para>
+-      </listitem>
+-      <listitem>
+-	<para>
+-	  Addresses could be referenced after being freed during resolver
+-	  processing, causing an assertion failure. The chances of this
+-	  happening were remote, but the introduction of a delay in
+-	  resolution increased them. This bug is disclosed in
+-	  CVE-2017-3145. [RT #46839]
+-	</para>
+-      </listitem>
+-      <listitem>
+-	<para>
+-	  update-policy rules that otherwise ignore the name field now
+-	  require that it be set to "." to ensure that any type list
+-	  present is properly interpreted.  If the name field was omitted
+-	  from the rule declaration and a type list was present it wouldn't
+-	  be interpreted as expected.
++	  When recursion is enabled but the <command>allow-recursion</command>
++	  and <command>allow-query-cache</command> ACLs are not specified, they
++	  should be limited to local networks, but they were inadvertently set
++	  to match the default <command>allow-query</command>, thus allowing
++	  remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
+ 	</para>
+       </listitem>
+     </itemizedlist>
+-- 
+2.14.4
+
diff --git a/bind.spec b/bind.spec
index 86cb564..2ed2051 100644
--- a/bind.spec
+++ b/bind.spec
@@ -103,6 +103,7 @@ Patch145:bind-9.11-rh1205168.patch
 Patch149:bind-9.11-kyua-pkcs11.patch
 Patch152:bind-9.11-kyua-unit-oot.patch
 Patch153:bind-9.11-export-suffix.patch
+Patch154:bind-9.11-CVE-2018-5738.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -443,6 +444,7 @@ are used for building ISC DHCP.
 %patch145 -p1 -b .rh1205168
 %patch152 -p1 -b .kyua-unit-oot
 %patch153 -p1 -b .export_suffix
+%patch154 -p1 -b .CVE-2018-5738
 
 %if %{with PKCS11}
 cp -r bin/named{,-pkcs11}
@@ -1412,6 +1414,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-11
 - Remove named.iscdlv.key file (#1595782)
+- Fix CVE-2018-5738
 
 * Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.3-10
 - Rebuilt for Python 3.7