gnu: BIND: Fix CVE-2018-5738.

* gnu/packages/patches/bind-CVE-2018-5738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/dns.scm (isc-bind)[source]: Use it.

3 files changed, 103 insertions, 0 deletions

diff --git a/gnu/local.mk b/gnu/local.mk
index 01e0718723..4d2cefdbde 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -581,6 +581,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/azr3.patch				\
   %D%/packages/patches/bash-completion-directories.patch	\
   %D%/packages/patches/bazaar-CVE-2017-14176.patch		\
+  %D%/packages/patches/bind-CVE-2018-5738.patch			\
   %D%/packages/patches/binutils-loongson-workaround.patch	\
   %D%/packages/patches/blast+-fix-makefile.patch		\
   %D%/packages/patches/boost-fix-icu-build.patch		\
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 0b8d8be574..4fce4b34ba 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -50,6 +50,7 @@
   #:use-module (gnu packages tls)
   #:use-module (gnu packages web)
   #:use-module (gnu packages xml)
+  #:use-module (gnu packages)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
@@ -104,6 +105,7 @@ and BOOTP/TFTP for network booting of diskless machines.")
               (uri (string-append
                     "ftp://ftp.isc.org/isc/bind9/" version "/" name "-"
                     version ".tar.gz"))
+              (patches (search-patches "bind-CVE-2018-5738.patch"))
               (sha256
                (base32
                 "0a9dvyg1dk7vpqn9gz7p5jas3bz7z22bjd66b98g1qk16i2w7rqd"))))
diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch
new file mode 100644
index 0000000000..ddef014651
--- /dev/null
+++ b/gnu/packages/patches/bind-CVE-2018-5738.patch
@@ -0,0 +1,100 @@
+Fix CVE-2018-5738:
+
+https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index f63554e..847c4ff 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 	CHECKM(named_config_getport(config, &port), "port");
+ 	dns_view_setdstport(view, port);
+ 
+-	CHECK(configure_view_acl(vconfig, config, named_g_config,
+-				 "allow-query", NULL, actx,
+-				 named_g_mctx, &view->queryacl));
+-
+ 	/*
+ 	 * Make the list of response policy zone names for a view that
+ 	 * is used for real lookups and so cares about hints.
+@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 				 "allow-query-cache-on", NULL, actx,
+ 				 named_g_mctx, &view->cacheonacl));
+ 	/*
+-	 * Set "allow-query-cache", "allow-recursion", and
+-	 * "allow-recursion-on" acls if configured in named.conf.
+-	 * (Ignore the global defaults for now, because these ACLs
+-	 * can inherit from each other when only some of them set at
+-	 * the options/view level.)
++	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
++	 * and "allow-recursion-on" ACLs if configured in named.conf, but
++	 * NOT from the global defaults. This is done by leaving the third
++	 * argument to configure_view_acl() NULL.
++	 *
++	 * We ignore the global defaults here because these ACLs
++	 * can inherit from each other.  If any are still unset after
++	 * applying the inheritance rules, we'll look up the defaults at
++	 * that time.
+ 	 */
+-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+-				 NULL, actx, named_g_mctx, &view->cacheacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query", NULL, actx,
++				 named_g_mctx, &view->queryacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query-cache", NULL, actx,
++				 named_g_mctx, &view->cacheacl));
+ 
+ 	if (strcmp(view->name, "_bind") != 0 &&
+ 	    view->rdclass != dns_rdataclass_chaos)
+ 	{
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion", NULL, actx,
+ 					 named_g_mctx, &view->recursionacl));
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion-on", NULL, actx,
+ 					 named_g_mctx, &view->recursiononacl));
+@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 		 * the global config.
+ 		 */
+ 		if (view->recursionacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-recursion", NULL,
+ 						 actx, named_g_mctx,
+ 						 &view->recursionacl));
+ 		}
+ 		if (view->recursiononacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-recursion-on", NULL,
+ 						 actx, named_g_mctx,
+ 						 &view->recursiononacl));
+ 		}
+ 		if (view->cacheacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-query-cache", NULL,
+ 						 actx, named_g_mctx,
+@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 		CHECK(dns_acl_none(mctx, &view->cacheacl));
+ 	}
+ 
++	if (view->queryacl == NULL) {
++		/* global default only */
++		CHECK(configure_view_acl(NULL, NULL, named_g_config,
++					 "allow-query", NULL,
++					 actx, named_g_mctx,
++					 &view->queryacl));
++	}
++
+ 	/*
+ 	 * Ignore case when compressing responses to the specified
+ 	 * clients. This causes case not always to be preserved,