From d1c919da25db6a3035b96cd21d0008ccea26f34a Mon Sep 17 00:00:00 2001 From: Tomas Hozza Date: Jul 09 2015 10:41:22 +0000 Subject: Include fix for CVE-2015-4620 Signed-off-by: Tomas Hozza --- diff --git a/bind.spec b/bind.spec index 774c2fb..cdc5602 100644 --- a/bind.spec +++ b/bind.spec @@ -24,7 +24,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.6 -Release: 8%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -84,6 +84,7 @@ Patch136:bind-9.9-native-pkcs11.patch Patch137:bind-9.9-dist-native-pkcs11.patch Patch138:bind99-rh1184151.patch Patch139:bind99-CVE-2015-1349.patch +Patch140:bind99-CVE-2015-4620.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -323,6 +324,7 @@ popd %patch136 -p1 -b .native_pkcs11 %patch138 -p1 -b .nsupdate %patch139 -p1 -b .CVE-2015-1349 +%patch140 -p1 -b .CVE-2015-4620 %if %{PKCS11} cp -r bin/named{,-pkcs11} @@ -1026,6 +1028,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Thu Jul 09 2015 Tomas Hozza - 32:9.9.6-9.P1 +- Include fix for CVE-2015-4620 + * Mon Feb 23 2015 Tomas Hozza - 32:9.9.6-8.P1 - Include fix for CVE-2015-1349 diff --git a/bind99-CVE-2015-4620.patch b/bind99-CVE-2015-4620.patch new file mode 100644 index 0000000..b0468be --- /dev/null +++ b/bind99-CVE-2015-4620.patch 
@@ -0,0 +1,21 @@
+diff --git a/lib/dns/validator.c b/lib/dns/validator.c
+--- a/lib/dns/validator.c
++++ b/lib/dns/validator.c
+@@ -1422,7 +1422,6 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
+ */
+ static isc_boolean_t
+ isselfsigned(dns_validator_t *val) {
+- dns_fixedname_t fixed;
+ dns_rdataset_t *rdataset, *sigrdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+@@ -1478,8 +1477,7 @@ isselfsigned(dns_validator_t *val) {
+ result = dns_dnssec_verify3(name, rdataset, dstkey,
+ ISC_TRUE,
+ val->view->maxbits,
+- mctx, &sigrdata,
+- dns_fixedname_name(&fixed));
++ mctx, &sigrdata, NULL);
+ dst_key_free(&dstkey);
+ if (result != ISC_R_SUCCESS)
+ continue;
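Review bot: The `NULL` that replaces `dns_fixedname_name(&fixed)` as the last argument of `dns_dnssec_verify3()` in `isselfsigned()` carries no comment, and the embedded patch has no header saying which upstream change it was taken from. The removed lines suggest `fixed` was declared but never initialised here (no `dns_fixedname_init` call is removed with it, though the body of `isselfsigned()` extends beyond both inner hunks), so the old call appears to have passed an uninitialised name into signature verification. I would add `/* wildcard name is not needed for the self-signed check; pass NULL, never an uninitialised dns_fixedname_t */` above the call, and a short description line at the top of `bind99-CVE-2015-4620.patch` naming the upstream commit or release (`<upstream-commit-or-release>`) so the backport can be audited. That `dns_dnssec_verify3()` accepts `NULL` for this parameter is not visible on this page and should be confirmed against the 9.9.6 sources.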