Diffstat (limited to 'bind-9.16-CVE-2022-3094-test.patch')
-rw-r--r-- | bind-9.16-CVE-2022-3094-test.patch | 272 |
1 files changed, 272 insertions, 0 deletions
diff --git a/bind-9.16-CVE-2022-3094-test.patch b/bind-9.16-CVE-2022-3094-test.patch
new file mode 100644
index 0000000..37b64de
--- /dev/null
+++ b/bind-9.16-CVE-2022-3094-test.patch
@@ -0,0 +1,272 @@
+From 630529ea7d4587703008de1465021bdde2a3a971 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Wed, 9 Nov 2022 21:56:16 -0800
+Subject: [PATCH] test failure conditions
+
+verify that updates are refused when the client is disallowed by
+allow-query, and update forwarding is refused when the client is
+is disallowed by update-forwarding.
+
+verify that "too many DNS UPDATEs" appears in the log file when too
+many simultaneous updates are processing.
+
+(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
+---
+ bin/tests/system/nsupdate/ns1/named.conf.in | 2 +
+ bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++
+ bin/tests/system/upforwd/clean.sh | 2 +
+ .../ns3/{named.conf.in => named1.conf.in} | 13 ++++--
+ bin/tests/system/upforwd/ns3/named2.conf.in | 41 +++++++++++++++++++
+ bin/tests/system/upforwd/setup.sh | 2 +-
+ bin/tests/system/upforwd/tests.sh | 39 ++++++++++++++++++
+ 7 files changed, 123 insertions(+), 4 deletions(-)
+ rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (78%)
+ create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
+
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index 436c97d..83fe884 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -21,6 +21,7 @@ options {
+ recursion no;
+ notify yes;
+ minimal-responses no;
++ update-quota 1;
+ };
+ 
+ acl named-acl {
+@@ -81,6 +82,7 @@ zone "other.nil" {
+ check-integrity no;
+ check-mx warn;
+ update-policy local;
++ allow-query { !10.53.0.2; any; };
+ allow-query-on { 10.53.0.1; 127.0.0.1; };
+ allow-transfer { any; };
+ };
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index b5f562f..13ba577 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -1268,6 +1268,34 @@ END
+ grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+ 
++n=$((n + 1))
++ret=0
++echo_i "check that update is rejected if query is not allowed ($n)"
++{
++ $NSUPDATE -d <<END
++ local 10.53.0.2
++ server 10.53.0.1 ${PORT}
++ update add reject.other.nil 3600 IN TXT Whatever
++ send
++END
++} > nsupdate.out.test$n 2>&1
++grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
++n=$((n + 1))
++ret=0
++echo_i "check that update is rejected if quota is exceeded ($n)"
++for loop in 1 2 3 4 5 6 7 8 9 10; do
++{
++ $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
++ update add txt-$loop.other.nil 3600 IN TXT Whatever
++ send
++END
++} &
++done
++wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+ if ! $FEATURETEST --gssapi ; then
+ echo_i "SKIPPED: GSSAPI tests"
+ else
+diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
+index 2025252..12311df 100644
+--- a/bin/tests/system/upforwd/clean.sh
++++ b/bin/tests/system/upforwd/clean.sh
+@@ -29,3 +29,5 @@ rm -f keyname keyname.err
+ rm -f ns*/named.lock
+ rm -f ns1/example2.db
+ rm -f ns*/managed-keys.bind*
++rm -f nsupdate.out.*
++rm -f ns*/named.run.prev
+diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
+similarity index 78%
+rename from bin/tests/system/upforwd/ns3/named.conf.in
+rename to bin/tests/system/upforwd/ns3/named1.conf.in
+index 7bd13d3..2f690ff 100644
+--- a/bin/tests/system/upforwd/ns3/named.conf.in
++++ b/bin/tests/system/upforwd/ns3/named1.conf.in
+@@ -28,20 +28,27 @@ key rndc_key {
+ };
+ 
+ controls {
+- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+ };
+ 
+ zone "example" {
+ type secondary;
+ file "example.bk";
+- allow-update-forwarding { any; };
++ allow-update-forwarding { 10.53.0.1; };
+ primaries { 10.53.0.1; };
+ };
+ 
+ zone "example2" {
+ type secondary;
+ file "example2.bk";
+- allow-update-forwarding { any; };
++ allow-update-forwarding { 10.53.0.1; };
++ primaries { 10.53.0.1; };
++};
++
++zone "example3" {
++ type secondary;
++ file "example3.bk";
++ allow-update-forwarding { 10.53.0.1; };
+ primaries { 10.53.0.1; };
+ };
+ 
+diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
+new file mode 100644
+index 0000000..86d7469
+--- /dev/null
++++ b/bin/tests/system/upforwd/ns3/named2.conf.in
+@@ -0,0 +1,41 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.3;
++ notify-source 10.53.0.3;
++ transfer-source 10.53.0.3;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.3; };
++ listen-on-v6 { none; };
++ recursion no;
++ notify yes;
++ update-quota 1;
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm @DEFAULT_HMAC@;
++};
++
++controls {
++ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++zone "example" {
++ type secondary;
++ file "example.bk";
++ allow-update-forwarding { any; };
++ primaries { 10.53.0.1; };
++};
+diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
+index e748078..88ab28d 100644
+--- a/bin/tests/system/upforwd/setup.sh
++++ b/bin/tests/system/upforwd/setup.sh
+@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
+ 
+ copy_setports ns1/named.conf.in ns1/named.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+-copy_setports ns3/named.conf.in ns3/named.conf
++copy_setports ns3/named1.conf.in ns3/named.conf
+ 
+ if $FEATURETEST --enable-dnstap
+ then
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index 8062d68..20fc46f 100644
+--- a/bin/tests/system/upforwd/tests.sh
++++ b/bin/tests/system/upforwd/tests.sh
+@@ -80,6 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+ echo_i "updating zone (signed) ($n)"
+ ret=0
+ $NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add updated.example. 600 A 10.10.10.1
+ update add updated.example. 600 TXT Foo
+@@ -138,6 +139,7 @@ fi
+ echo_i "updating zone (unsigned) ($n)"
+ ret=0
+ $NSUPDATE -- - <<EOF || ret=1
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add unsigned.example. 600 A 10.10.10.1
+ update add unsigned.example. 600 TXT Foo
+@@ -194,6 +196,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
+ do
+ (
+ $NSUPDATE -- - <<EOF
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone nomaster
+ update add unsigned.nomaster. 600 A 10.10.10.1
+@@ -225,6 +228,7 @@ then
+ ret=0
+ keyname=`cat keyname`
+ $NSUPDATE -k $keyname.private -- - <<EOF
++ local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone example2
+ update add unsigned.example2. 600 A 10.10.10.1
+@@ -249,5 +253,40 @@ EOF
+ fi
+ fi
+ 
++echo_i "attempting an update that should be rejected by ACL ($n)"
++ret=0
++{
++ $NSUPDATE -- - << EOF
++ local 10.53.0.2
++ server 10.53.0.3 ${PORT}
++ update add another.unsigned.example. 600 A 10.10.10.2
++ update add another.unsigned.example. 600 TXT Bar
++ send
++EOF
++} > nsupdate.out.$n 2>&1
++grep REFUSED nsupdate.out.$n > /dev/null || ret=1
++if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
++n=`expr $n + 1`
++
++n=$((n + 1))
++ret=0
++echo_i "attempting updates that should exceed quota ($n)"
++# lower the update quota to 1.
++copy_setports ns3/named2.conf.in ns3/named.conf
++rndc_reconfig ns3 10.53.0.3
++nextpart ns3/named.run > /dev/null
++for loop in 1 2 3 4 5 6 7 8 9 10; do
++{
++ $NSUPDATE -- - > /dev/null 2>&1 <<END
++ local 10.53.0.1
++ server 10.53.0.3 ${PORT}
++ update add txt-$loop.unsigned.example 300 IN TXT Whatever
++ send
++END
++} &
++done
++wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+-- 
+2.39.1
+
|
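Review bot: The quota test added to bin/tests/system/nsupdate/tests.sh launches ten background nsupdates and then calls `wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run` without first resetting the log read position, whereas the parallel test in bin/tests/system/upforwd/tests.sh runs `nextpart ns3/named.run > /dev/null` before its loop; if wait_for_log peeks from the last nextpart mark, an earlier occurrence of the message anywhere in ns1/named.run could satisfy the check without the quota ever being hit. Adding `nextpart ns1/named.run > /dev/null` before the `for loop in 1 2 3 4 5 6 7 8 9 10; do` line makes the two tests consistent and the assertion meaningful. Neither loop is followed by `wait`, so the backgrounded nsupdate processes may still be running when the next step starts (the GSSAPI block in nsupdate, the exit-status report in upforwd); a `wait` after each `done` would close that window. In the upforwd hunk the counter is also bumped twice between the ACL test and the quota test (`n=\`expr $n + 1\`` immediately followed by `n=$((n + 1))`), which skips a test number and mixes two increment idioms in one file.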