Merge PR "[AUTO-CHERRYPICK] [High] Patch dhcp for CVE-2024-11187 - branch main" microsoft#15081

Co-authored-by: jykanase <[email protected]>
Co-authored-by: jslobodzian <[email protected]>

Author: 3 people

SPECS/dhcp/CVE-2024-11187.patch

@@ -0,0 +1,207 @@
+From 965e9d69716e3ec8a9366eafe9c34da8d2ba4483 Mon Sep 17 00:00:00 2001
+From: jykanase <[email protected]>
+Date: Thu, 13 Nov 2025 04:12:51 +0000
+Subject: [PATCH] CVE-2024-11187
+
+Upstream Patch Reference:https://git.rockylinux.org/staging/rpms/bind/-/blob/r8/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
+https://git.rockylinux.org/staging/rpms/bind/-/blob/r8/SOURCES/bind-9.18-CVE-2024-11187.patch
+---
+ bind/bind-9.11.36/bin/named/query.c                | 14 ++++++++------
+ .../bin/tests/system/additional/tests.sh           |  2 +-
+ bind/bind-9.11.36/bin/tests/system/conf.sh.in      | 12 ++++++++++++
+ .../bin/tests/system/resolver/ns4/named.noaa       |  5 -----
+ .../bin/tests/system/resolver/tests.sh             |  8 ++++++++
+ bind/bind-9.11.36/lib/dns/include/dns/rdataset.h   | 12 ++++++++++++
+ bind/bind-9.11.36/lib/dns/rdataset.c               | 12 ++++++++++++
+ 7 files changed, 53 insertions(+), 12 deletions(-)
+ delete mode 100644 bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
+
+diff --git a/bind/bind-9.11.36/bin/named/query.c b/bind/bind-9.11.36/bin/named/query.c
+index f109805..512a669 100644
+--- a/bind/bind-9.11.36/bin/named/query.c
++++ b/bind/bind-9.11.36/bin/named/query.c
+@@ -1825,9 +1825,10 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
+ 		 * section, it's helpful if we add the SRV additional data
+ 		 * as well.
+ 		 */
+-		eresult = dns_rdataset_additionaldata(trdataset,
+-						      query_addadditional,
+-						      client);
++		eresult = dns_rdataset_additionaldata2(trdataset,
++						       query_addadditional,
++						       client,
++						       DNS_RDATASET_MAXADDITIONAL);
+ 	}
+ 
+  cleanup:
+@@ -2422,7 +2423,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
+ 						       rdataset->rdclass);
+ 	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
+ 
+-	if (NOADDITIONAL(client))
++	if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any)
+ 		return;
+ 
+ 	/*
+@@ -2432,8 +2433,9 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
+ 	 */
+ 	additionalctx.client = client;
+ 	additionalctx.rdataset = rdataset;
+-	(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
+-					  &additionalctx);
++	(void)dns_rdataset_additionaldata2(rdataset, query_addadditional2,
++					   &additionalctx,
++					   DNS_RDATASET_MAXADDITIONAL);
+ 	CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
+ }
+ 
+diff --git a/bind/bind-9.11.36/bin/tests/system/additional/tests.sh b/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
+index 6400723..a33cc8a 100644
+--- a/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
++++ b/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
+@@ -261,7 +261,7 @@ n=`expr $n + 1`
+ echo_i "testing with 'minimal-any no;' ($n)"
+ ret=0
+ $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
+-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
++grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+     echo_i "failed"; status=`expr status + 1`
+ fi
+diff --git a/bind/bind-9.11.36/bin/tests/system/conf.sh.in b/bind/bind-9.11.36/bin/tests/system/conf.sh.in
+index 85792a9..d5a1024 100644
+--- a/bind/bind-9.11.36/bin/tests/system/conf.sh.in
++++ b/bind/bind-9.11.36/bin/tests/system/conf.sh.in
+@@ -305,6 +305,18 @@ digcomp() {
+     return $result
+ }
+ 
++start_server() {
++    $PERL "$SYSTEMTESTTOP/start.pl" "$SYSTESTDIR" "$@"
++}
++
++stop_server() {
++    $PERL "$SYSTEMTESTTOP/stop.pl" "$SYSTESTDIR" "$@"
++}
++
++send() {
++    $PERL "$SYSTEMTESTTOP/send.pl" "$@"
++}
++
+ #
+ # Useful functions in test scripts
+ #
+diff --git a/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa b/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
+deleted file mode 100644
+index 3b121ad..0000000
+--- a/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
++++ /dev/null
+@@ -1,5 +0,0 @@
+-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+-
+-See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+-
+-Add -T noaa.
+diff --git a/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh b/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
+index 6eb52fe..bf37467 100755
+--- a/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
++++ b/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
+@@ -281,6 +281,10 @@ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++stop_server ns4
++touch ns4/named.noaa
++start_server --noclean --restart --port ${PORT} ns4 || ret=1
++
+ n=`expr $n + 1`
+ echo_i "RT21594 regression test check setup ($n)"
+ ret=0
+@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++stop_server ns4
++rm ns4/named.noaa
++start_server --noclean --restart --port ${PORT} ns4 || ret=1
++
+ n=`expr $n + 1`
+ echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
+ ret=0
+diff --git a/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h b/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
+index ed9119a..162118a 100644
+--- a/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
++++ b/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
+@@ -53,6 +53,8 @@
+ #include <dns/types.h>
+ #include <dns/rdatastruct.h>
+ 
++#define DNS_RDATASET_MAXADDITIONAL 13
++
+ ISC_LANG_BEGINDECLS
+ 
+ typedef enum {
+@@ -490,13 +492,23 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+  *\li	If a call to dns_rdata_additionaldata() is not successful, the
+  *	result returned will be the result of dns_rdataset_additionaldata().
+  *
++ *\li	If 'limit' is non-zero and the number of the rdatasets is larger
++ *	than 'limit', no additional data will be processed.
++ *
+  * Returns:
+  *
+  *\li	#ISC_R_SUCCESS
+  *
++ *\li	#DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
++ *
+  *\li	Any error that dns_rdata_additionaldata() can return.
+  */
+ 
++isc_result_t
++dns_rdataset_additionaldata2(dns_rdataset_t	   *rdataset,
++			     dns_additionaldatafunc_t add, void *arg,
++			     size_t limit);
++
+ isc_result_t
+ dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+ 			dns_rdataset_t *neg, dns_rdataset_t *negsig);
+diff --git a/bind/bind-9.11.36/lib/dns/rdataset.c b/bind/bind-9.11.36/lib/dns/rdataset.c
+index b42dea5..5160acf 100644
+--- a/bind/bind-9.11.36/lib/dns/rdataset.c
++++ b/bind/bind-9.11.36/lib/dns/rdataset.c
+@@ -28,6 +28,7 @@
+ #include <dns/ncache.h>
+ #include <dns/rdata.h>
+ #include <dns/rdataset.h>
++#include <dns/result.h>
+ 
+ static const char *trustnames[] = {
+ 	"none",
+@@ -608,6 +609,13 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ 			    dns_additionaldatafunc_t add, void *arg)
++{
++	return dns_rdataset_additionaldata2(rdataset, add, arg, 0);
++}
++
++isc_result_t
++dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
++			    dns_additionaldatafunc_t add, void *arg, size_t limit)
+ {
+ 	dns_rdata_t rdata = DNS_RDATA_INIT;
+ 	isc_result_t result;
+@@ -620,6 +628,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ 	REQUIRE(DNS_RDATASET_VALID(rdataset));
+ 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ 
++	if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
++		return DNS_R_TOOMANYRECORDS;
++	}
++
+ 	result = dns_rdataset_first(rdataset);
+ 	if (result != ISC_R_SUCCESS)
+ 		return (result);
+-- 
+2.45.4
+

SPECS/dhcp/dhcp.spec

@@ -1,7 +1,7 @@
 Summary:        Dynamic host configuration protocol
 Name:           dhcp
 Version:        4.4.3.P1
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MPLv2.0
 Url:            https://www.isc.org/dhcp/
 Source0:        https://downloads.isc.org/isc/dhcp/4.4.3-P1/dhcp-4.4.3-P1.tar.gz
@@ -15,6 +15,7 @@ Patch2:         CVE-2022-2795.patch
 Patch3:         CVE-2023-2828.patch
 Patch4:         CVE-2024-1737.patch
 Patch5:         CVE-2024-1975.patch
+Patch6:         CVE-2024-11187.patch
 
 %description
 The ISC DHCP package contains both the client and server programs for DHCP. dhclient (the client) is used for connecting to a network which uses DHCP to assign network addresses. dhcpd (the server) is used for assigning network addresses on private networks
@@ -182,6 +183,9 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/
 %{_mandir}/man8/dhclient.8.gz
 
 %changelog
+* Thu Nov 13 2025 Jyoti Kanase <[email protected]> - 4.4.3-p1-3
+- Patch for CVE-2024-11187
+
 * Mon Jul 29 2024 Sumedh Sharma <[email protected]> - 4.4.3-P1-2
 - Add patch for CVE-2024-1737 & CVE-2024-1975 in bundled bind-9
 - Apply old patches meant for bundled bind-9