From cd8e084d9f7bb118f3d87a943852eef0f1a263d9 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Wed, 27 Sep 2017 11:02:15 +0200
Subject: bind: CVE-2017-3136

Incorrect error handling causes assertion failure when using DNS64
with "break-dnssec yes;"

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3136

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
 recipes-connectivity/bind/bind/CVE-2017-3136.patch | 47 ++++++++++++++++++++++
 recipes-connectivity/bind/bind_%.bbappend          |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 recipes-connectivity/bind/bind/CVE-2017-3136.patch

diff --git a/recipes-connectivity/bind/bind/CVE-2017-3136.patch b/recipes-connectivity/bind/bind/CVE-2017-3136.patch
new file mode 100644
index 0000000..c47a6f7
--- /dev/null
+++ b/recipes-connectivity/bind/bind/CVE-2017-3136.patch
@@ -0,0 +1,47 @@
+From cdb44bbabefa96fceb9bca540f5112493756d593 Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Wed, 27 Sep 2017 09:45:10 +0200
+Subject: [PATCH] Dns64 with break-dnssec yes; can result in a assertion
+ failure.
+
+From 764240ca07ab1b796226d5402ccd9fbfa77ec32a Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 15 Feb 2017 12:18:51 +1100
+
+(cherry picked from commit 3bce12e4b6d37f570ffc7747b499f8b90e8521ac)
+
+CVE: CVE-2017-3136
+Upstream-Status: Backport [backport from remotes/origin/v9_10]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ CHANGES           | 3 +++
+ bin/named/query.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/CHANGES b/CHANGES
+index ec11967..ba27df0 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,6 @@
++4575.  [security]      Dns64 with break-dnssec yes; can result in a
++                       assertion failure. (CVE-2017-3136) [RT #44653]
++
+ 4517.  [security]      Named could mishandle authority sections that were
+                        missing RRSIGs triggering an assertion failure.
+                        (CVE-2016-9444) [RT # 43632]
+diff --git a/bin/named/query.c b/bin/named/query.c
+index 1398776..48822ff 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -8149,6 +8149,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+ 			result = query_dns64(client, &fname, rdataset,
+ 					     sigrdataset, dbuf,
+ 					     DNS_SECTION_ANSWER);
++			noqname = NULL;
+ 			dns_rdataset_disassociate(rdataset);
+ 			dns_message_puttemprdataset(client->message, &rdataset);
+ 			if (result == ISC_R_NOMORE) {
+-- 
+1.9.1
+
diff --git a/recipes-connectivity/bind/bind_%.bbappend b/recipes-connectivity/bind/bind_%.bbappend
index 5730d2f..0461313 100644
--- a/recipes-connectivity/bind/bind_%.bbappend
+++ b/recipes-connectivity/bind/bind_%.bbappend
@@ -3,4 +3,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://CVE-2016-9444.patch \
             file://0001-fix-back-port-issue.patch \
             file://CVE-2017-3135.patch \
+            file://CVE-2017-3136.patch \
            "
-- 
cgit v1.2.3-54-g00ecf