From 8ba7101d95316782edadc1bd75c1ba3f7539b201 Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Thu, 21 May 2026 16:06:26 +0800 Subject: [PATCH 1/4] fix(bind9): CVE-2026-3593 Fix use-after-free error in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames. Upstream: https://kb.isc.org/docs/cve-2026-3593 Generated-By: Qwen3.6-35B-A3B-UD-Q4_K_M.gguf Co-Authored-By: hudeng --- lib/isc/netmgr/http.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c index 32d632bb..82742df5 100644 --- a/lib/isc/netmgr/http.c +++ b/lib/isc/netmgr/http.c @@ -644,13 +644,11 @@ on_server_data_chunk_recv_callback(int32_t stream_id, const uint8_t *data, &h2->rbuf, isc_mem_allocate(mctx, h2->content_length), - MAX_DNS_MESSAGE_SIZE); + h2->content_length); } size_t new_bufsize = isc_buffer_usedlength(&h2->rbuf) + len; - if (new_bufsize <= MAX_DNS_MESSAGE_SIZE && - new_bufsize <= h2->content_length) - { + if (new_bufsize <= h2->content_length) { session->processed_useful_data += len; isc_buffer_putmem(&h2->rbuf, data, len); break; @@ -2755,6 +2753,8 @@ server_httpsend(isc_nmhandle_t *handle, isc_nmsocket_t *sock, } else { cb(handle, result, cbarg); } + + isc_buffer_initnull(&sock->h2->wbuf); isc__nm_uvreq_put(&req); } From 19bc66cb9bdbaa485b6ca94d7f4abf9dec160425 Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Thu, 21 May 2026 16:06:37 +0800 Subject: [PATCH 2/4] fix(bind9): CVE-2026-5946 Disable recursion, UPDATE, and NOTIFY for non-IN views. Upstream: https://kb.isc.org/docs/cve-2026-5946 Generated-By: Qwen3.6-35B-A3B-UD-Q4_K_M.gguf Co-Authored-By: hudeng --- lib/dns/message.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lib/dns/message.c b/lib/dns/message.c index 19bb6a85..dce9c2d6 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c 
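Review bot: With the `MAX_DNS_MESSAGE_SIZE` bound removed from both the `isc_buffer_init` length and the `new_bufsize` check, the receive buffer is now sized and bounded solely by `h2->content_length`, which the hunk uses but never validates; unless that value is capped when the Content-Length header is parsed (outside this hunk), a peer-chosen length drives `isc_mem_allocate`. Confirm where that cap is enforced and record it at the allocation site, e.g. `/* content_length is already bounded by MAX_DNS_MESSAGE_SIZE at header parse, so the buffer is sized to it exactly. */`. The commit message refers to HTTP/2 SETTINGS frames, but neither hunk of this patch visibly touches SETTINGS handling, so a sentence explaining how this bound change relates to the use-after-free would help; since the trailer marks the patch as generated, it should also be compared line by line with the upstream fix. on_server_data_chunk_recv_callback starts and ends outside the hunk.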
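Review bot: The new `isc_buffer_initnull(&sock->h2->wbuf);` is sequenced after `cb(handle, result, cbarg)`; if that callback can start another send on the same handle that re-initializes `wbuf`, the reset here would discard it, so placing the reset before the if/else that invokes the callback (that if/else starts outside the hunk) is the safer order. The line also deserves a why-comment stating what the reset protects against, but the hunk does not show who owns the memory behind `wbuf`, so confirm that before writing it. server_httpsend's body continues outside the hunk.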
@@ -1073,6 +1073,17 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t dctx, rdtype = isc_buffer_getuint16(source); rdclass = isc_buffer_getuint16(source); + /* + * Notify and update messages need to specify the data class. + */ + if ((msg->opcode == dns_opcode_update || + msg->opcode == dns_opcode_notify) && + (rdclass == dns_rdataclass_none || + rdclass == dns_rdataclass_any)) + { + DO_ERROR(DNS_R_FORMERR); + } + /* * If this class is different than the one we already read, * this is an error. From b7b6bd9183e14132e946433a7b82b854762f3d22 Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Thu, 21 May 2026 16:08:20 +0800 Subject: [PATCH 3/4] fix(bind9): CVE-2026-5947 Fix crash in resolver when SIG(0)-signed responses are received under load. Upstream: https://kb.isc.org/docs/cve-2026-5947 Generated-By: Qwen3.6-35B-A3B-UD-Q4_K_M.gguf Co-Authored-By: hudeng --- lib/dns/gssapictx.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c index 3cd0fbba..78c8038b 100644 --- a/lib/dns/gssapictx.c +++ b/lib/dns/gssapictx.c @@ -607,7 +607,14 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken, GSS_SPNEGO_MECHANISM, flags, 0, NULL, gintokenp, NULL, &gouttoken, &ret_flags, NULL); - if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) { + switch (gret) { + case GSS_S_COMPLETE: + result = ISC_R_SUCCESS; + break; + case GSS_S_CONTINUE_NEEDED: + result = DNS_R_CONTINUE; + break; + default: gss_err_message(mctx, gret, minor, err_message); if (err_message != NULL && *err_message != NULL) { gss_log(3, "Failure initiating security context: %s", @@ -632,12 +639,6 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken, CHECK(isc_buffer_copyregion(outtoken, &r)); } - if (gret == GSS_S_COMPLETE) { - result = ISC_R_SUCCESS; - } else { - result = DNS_R_CONTINUE; - } - cleanup: if (gouttoken.length != 0U) { (void)gss_release_buffer(&minor, &gouttoken); 
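Review bot: The new check rejects class NONE/ANY only in UPDATE and NOTIFY question records, which is narrower than the commit message's "Disable recursion, UPDATE, and NOTIFY for non-IN views"; the message should describe what this hunk actually enforces, and the added comment could state the reason, e.g. `/* UPDATE/NOTIFY identify a zone by its class; the meta-classes NONE and ANY cannot name one, so reject them as FORMERR. */`. Whether `DO_ERROR` returns or records the error and keeps parsing is not visible here; if it continues, the class-mismatch check below still runs on the rejected record, which looks harmless but is worth confirming. getquestions starts and ends outside the hunk.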
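Review bot: The `default:` arm's exit is not visible in the -607 hunk, and it is now the only failure path: if it ends with `break` rather than `goto cleanup` or `return`, control continues into the token copy and reaches `cleanup:` with `result` holding whatever it was initialized to, because the post-copy assignment that used to set it is removed in the -632 hunk of this patch. Confirm the arm ends with an explicit exit such as `result = ISC_R_FAILURE; goto cleanup;` (or whatever the removed if-body did) and add a comment on the switch noting that `result` is now decided here rather than after the copy. Moving the assignment above `CHECK(isc_buffer_copyregion(outtoken, &r))` is fine, since CHECK overwrites `result` on failure. The commit message describes a resolver crash on SIG(0)-signed responses, but this change restructures GSS-API context initiation; the message should say how the two relate, and as a generated backport it warrants comparison with the upstream patch. dst_gssapi_initctx starts and ends outside the hunk.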
From 9b94d0f778809c4b8c7000375aa511498f7bcf2b Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Thu, 21 May 2026 16:08:48 +0800 Subject: [PATCH 4/4] fix(bind9): CVE-2026-3039 Fix GSS-API resource leak when receiving maliciously-constructed packets. Upstream: https://kb.isc.org/docs/cve-2026-3039 Generated-By: Qwen3.6-35B-A3B-UD-Q4_K_M.gguf Co-Authored-By: hudeng --- lib/dns/gssapictx.c | 78 ++++++++++++++++++++++++++------------------- 1 file changed, 45 insertions(+), 33 deletions(-) diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c index 78c8038b..55127d43 100644 --- a/lib/dns/gssapictx.c +++ b/lib/dns/gssapictx.c @@ -716,8 +716,15 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab, switch (gret) { case GSS_S_COMPLETE: - case GSS_S_CONTINUE_NEEDED: break; + /* + * RFC 3645 4.1.3: we don't handle GSS_S_CONTINUE_NEEDED + * Multi-round GSS-API negotiation is not supported. + */ + case GSS_S_CONTINUE_NEEDED: + gss_log(3, "multi-round GSS-API negotiation not supported"); + (void)gss_delete_sec_context(&minor, &context, NULL); + FALLTHROUGH; case GSS_S_DEFECTIVE_TOKEN: case GSS_S_DEFECTIVE_CREDENTIAL: case GSS_S_BAD_SIG: @@ -730,7 +737,7 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab, case GSS_S_BAD_MECH: case GSS_S_FAILURE: result = DNS_R_INVALIDTKEY; - /* fall through */ + FALLTHROUGH; default: gss_log(3, "failed gss_accept_sec_context: %s", gss_error_tostring(gret, minor, buf, sizeof(buf))); 
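Review bot: In the new `GSS_S_CONTINUE_NEEDED` arm, `gss_delete_sec_context(&minor, &context, NULL)` overwrites `minor` before the fall-through reaches `default:`, so the `gss_error_tostring(gret, minor, ...)` log there reports the minor status of the delete, not of `gss_accept_sec_context`. If the default arm reaches `cleanup:` (its tail lies between this hunk and the -741 hunk), the delete is also redundant, because the arm falls through to `result = DNS_R_INVALIDTKEY` and the cleanup block added in the -741 hunk already deletes `context` whenever `result != ISC_R_SUCCESS`. Dropping the delete line, or giving it its own status variable (`OM_uint32 dminor;`), keeps the logged error accurate. `FALLTHROUGH;` replaces a plain comment here and in the -730 hunk; confirm this tree's headers define that macro, since the comment form suggests this version may predate it. dst_gssapi_acceptctx starts and ends outside the hunk.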
@@ -741,50 +748,55 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab, } if (gouttoken.length > 0U) { - isc_buffer_allocate(mctx, outtoken, + isc_buffer_allocate(mctx, outtokenp, (unsigned int)gouttoken.length); GBUFFER_TO_REGION(gouttoken, r); - CHECK(isc_buffer_copyregion(*outtoken, &r)); + CHECK(isc_buffer_copyregion(*outtokenp, &r)); (void)gss_release_buffer(&minor, &gouttoken); } - if (gret == GSS_S_COMPLETE) { - gret = gss_display_name(&minor, gname, &gnamebuf, NULL); - if (gret != GSS_S_COMPLETE) { - gss_log(3, "failed gss_display_name: %s", - gss_error_tostring(gret, minor, buf, - sizeof(buf))); - CHECK(ISC_R_FAILURE); - } + INSIST(gret == GSS_S_COMPLETE); - /* - * Compensate for a bug in Solaris8's implementation - * of gss_display_name(). Should be harmless in any - * case, since principal names really should not - * contain null characters. - */ - if (gnamebuf.length > 0U && - ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0') - { - gnamebuf.length--; - } + gret = gss_display_name(&minor, gname, &gnamebuf, NULL); + if (gret != GSS_S_COMPLETE) { + gss_log(3, "failed gss_display_name: %s", + gss_error_tostring(gret, minor, buf, sizeof(buf))); + result = ISC_R_FAILURE; + goto cleanup; + } - gss_log(3, "gss-api source name (accept) is %.*s", - (int)gnamebuf.length, (char *)gnamebuf.value); + /* + * Compensate for a bug in Solaris8's implementation + * of gss_display_name(). Should be harmless in any + * case, since principal names really should not + * contain null characters. 
+ */ + if (gnamebuf.length > 0U && + ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0') + { + gnamebuf.length--; + } - GBUFFER_TO_REGION(gnamebuf, r); - isc_buffer_init(&namebuf, r.base, r.length); - isc_buffer_add(&namebuf, r.length); + gss_log(3, "gss-api source name (accept) is %.*s", (int)gnamebuf.length, + (char *)gnamebuf.value); - CHECK(dns_name_fromtext(principal, &namebuf, dns_rootname, 0, - NULL)); - } else { - result = DNS_R_CONTINUE; - } + GBUFFER_TO_REGION(gnamebuf, r); + isc_buffer_init(&namebuf, r.base, r.length); + isc_buffer_add(&namebuf, r.length); + + CHECK(dns_name_fromtext(principal, &namebuf, dns_rootname, 0, NULL)); *ctxout = context; cleanup: + if (result != ISC_R_SUCCESS && *outtokenp != NULL) { + isc_buffer_free(outtokenp); + } + + if (result != ISC_R_SUCCESS && context != GSS_C_NO_CONTEXT) { + (void)gss_delete_sec_context(&minor, &context, NULL); + } + if (gnamebuf.length != 0U) { gret = gss_release_buffer(&minor, &gnamebuf); if (gret != GSS_S_COMPLETE) {
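Review bot: `INSIST(gret == GSS_S_COMPLETE);` is an abort, so it is only safe if every non-COMPLETE arm of the preceding switch leaves the function in the lines between the -730 and -741 hunks; if the `default:` arm merely falls out of the switch (the CONTINUE_NEEDED arm now routes there too), a malformed or multi-round token from a remote peer becomes a process crash instead of DNS_R_INVALIDTKEY. Either make that exit explicit with `goto cleanup;` at the end of the default arm, or replace the INSIST by `if (gret != GSS_S_COMPLETE) { result = DNS_R_INVALIDTKEY; goto cleanup; }`. The new cleanup frees `*outtokenp` on any failure, which is correct only if callers must pass `*outtokenp == NULL` on entry (the `isc_buffer_allocate` precondition, not visible here); a comment on the cleanup block stating that ownership rule would help. dst_gssapi_acceptctx starts outside the hunk and its cleanup continues past it.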