bind: CVE-2015-1349 CVE-2015-4620 CVE-2015-5722

three security fixes. (From OE-Core rev: d3af844b05e566c2188fc3145e66a9826fed0ec8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-01 13:58:04 +00:00 · 2015-09-12 15:17:26 -07:00 · 2015-09-12 15:17:26 -07:00 · 85f6cf736b
commit 85f6cf736b
parent a01280b7ab
4 changed files with 589 additions and 0 deletions
--- a/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
@ -0,0 +1,60 @@
+CVE-2015-1349 bind: issue in trust anchor management can cause named to crash
+
+commit 2e9d79f169663c9aff5f0dcdc626a2cd2dbb5892
+Author: Evan Hunt <each@isc.org>
+Date:   Tue Feb 3 18:30:38 2015 -0800
+
+    [v9_9_6_patch] avoid crash due to managed-key rollover
+    
+    4053.	[security]	Revoking a managed trust anchor and supplying
+    			an untrusted replacement could cause named
+    			to crash with an assertion failure.
+    			(CVE-2015-1349) [RT #38344]
+
+Upstream Status: Backport from Redhat
+
+https://bugzilla.redhat.com/attachment.cgi?id=993045
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: bind-9.9.5/CHANGES
+===================================================================
+--- bind-9.9.5.orig/CHANGES
+++ bind-9.9.5/CHANGES
+@@ -1,3 +1,10 @@
+	--- 9.9.6-P2 released ---
+
+4053.	[security]	Revoking a managed trust anchor and supplying
+			an untrusted replacement could cause named
+			to crash with an assertion failure.
+			(CVE-2015-1349) [RT #38344]
+
+ 	--- 9.9.5 released ---
+ 
+ 	--- 9.9.5rc2 released ---
+Index: bind-9.9.5/lib/dns/zone.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/zone.c
+++ bind-9.9.5/lib/dns/zone.c
+@@ -8496,6 +8496,12 @@ keyfetch_done(isc_task_t *task, isc_even
+ 					     namebuf, tag);
+ 				trustkey = ISC_TRUE;
+ 			}
+		} else {
+			/*
+			 * No previously known key, and the key is not
+			 * secure, so skip it.
+			 */
+			continue;
+ 		}
+ 
+ 		/* Delete old version */
+@@ -8544,7 +8550,7 @@ keyfetch_done(isc_task_t *task, isc_even
+ 			trust_key(zone, keyname, &dnskey, mctx);
+ 		}
+ 
+-		if (!deletekey)
+		if (secure && !deletekey) 
+ 			set_refreshkeytimer(zone, &keydata, now);
+ 	}
+ 
--- a/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
@ -0,0 +1,36 @@
+CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned()
+
+issue introduced by git commit
+
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=44f175a90a855326725439b2f1178f0dcca8f67d
+
+which is in this version of bind.
+
+Upstream Status: Backport from Redhat
+
+https://bugzilla.redhat.com/attachment.cgi?id=1044719
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: bind-9.9.5/lib/dns/validator.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/validator.c
+++ bind-9.9.5/lib/dns/validator.c
+@@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r
+  */
+ static isc_boolean_t
+ isselfsigned(dns_validator_t *val) {
+-	dns_fixedname_t fixed;
+ 	dns_rdataset_t *rdataset, *sigrdataset;
+ 	dns_rdata_t rdata = DNS_RDATA_INIT;
+ 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+@@ -1462,8 +1461,7 @@ isselfsigned(dns_validator_t *val) {
+ 			result = dns_dnssec_verify3(name, rdataset, dstkey,
+ 						    ISC_TRUE,
+ 						    val->view->maxbits,
+-						    mctx, &sigrdata,
+-						    dns_fixedname_name(&fixed));
+						    mctx, &sigrdata, NULL);
+ 			dst_key_free(&dstkey);
+ 			if (result != ISC_R_SUCCESS)
+ 				continue;
--- a/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-5722.patch
@ -0,0 +1,490 @@
+CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of service
+
+Upstream Status: Backport from Redhat
+
+https://bugzilla.redhat.com/attachment.cgi?id=1069245
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: bind-9.9.5/lib/dns/hmac_link.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/hmac_link.c
+++ bind-9.9.5/lib/dns/hmac_link.c
+@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_co
+ 	hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
+ 	if (hmacmd5ctx == NULL)
+ 		return (ISC_R_NOMEMORY);
+-	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
+	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
+ 	dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
+ 	return (ISC_R_SUCCESS);
+ }
+@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, c
+ 	else if (hkey1 == NULL || hkey2 == NULL)
+ 		return (ISC_FALSE);
+ 
+-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
+	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
+ 		return (ISC_TRUE);
+ 	else
+ 		return (ISC_FALSE);
+@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pse
+ 	isc_buffer_t b;
+ 	isc_result_t ret;
+ 	unsigned int bytes;
+-	unsigned char data[ISC_SHA1_BLOCK_LENGTH];
+	unsigned char data[ISC_MD5_BLOCK_LENGTH];
+ 
+ 	UNUSED(callback);
+ 
+ 	bytes = (key->key_size + 7) / 8;
+-	if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+-		bytes = ISC_SHA1_BLOCK_LENGTH;
+-		key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
+	if (bytes > ISC_MD5_BLOCK_LENGTH) {
+		bytes = ISC_MD5_BLOCK_LENGTH;
+		key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
+ 	}
+ 
+-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ 	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+ 
+ 	if (ret != ISC_R_SUCCESS)
+@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pse
+ 	isc_buffer_init(&b, data, bytes);
+ 	isc_buffer_add(&b, bytes);
+ 	ret = hmacmd5_fromdns(key, &b);
+-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ 
+ 	return (ret);
+ }
+@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
+ 
+ 	memset(hkey->key, 0, sizeof(hkey->key));
+ 
+-	if (r.length > ISC_SHA1_BLOCK_LENGTH) {
+	if (r.length > ISC_MD5_BLOCK_LENGTH) {
+ 		isc_md5_init(&md5ctx);
+ 		isc_md5_update(&md5ctx, r.base, r.length);
+ 		isc_md5_final(&md5ctx, hkey->key);
+@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacmd5 = hkey;
+ 
+	isc_buffer_forward(data, r.length);
+
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buf
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha1 = hkey;
+ 
+	isc_buffer_forward(data, r.length);
+
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha224 = hkey;
+ 
+	isc_buffer_forward(data, r.length);
+
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha256 = hkey;
+ 
+	isc_buffer_forward(data, r.length);
+
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha384 = hkey;
+ 
+	isc_buffer_forward(data, r.length);
+
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha512 = hkey;
+ 
+	isc_buffer_forward(data, r.length);
+
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+Index: bind-9.9.5/lib/dns/include/dst/dst.h
+===================================================================
+--- bind-9.9.5.orig/lib/dns/include/dst/dst.h
+++ bind-9.9.5/lib/dns/include/dst/dst.h
+@@ -69,6 +69,7 @@ typedef struct dst_context 	dst_context_
+ #define DST_ALG_HMACSHA256	163	/* XXXMPA */
+ #define DST_ALG_HMACSHA384	164	/* XXXMPA */
+ #define DST_ALG_HMACSHA512	165	/* XXXMPA */
+#define DST_ALG_INDIRECT	252
+ #define DST_ALG_PRIVATE		254
+ #define DST_ALG_EXPAND		255
+ #define DST_MAX_ALGS		255
+Index: bind-9.9.5/lib/dns/ncache.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/ncache.c
+++ bind-9.9.5/lib/dns/ncache.c
+@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t
+ 		dns_name_fromregion(&tname, &remaining);
+ 		INSIST(remaining.length >= tname.length);
+ 		isc_buffer_forward(&source, tname.length);
+-		remaining.length -= tname.length;
+-		remaining.base += tname.length;
+		isc_region_consume(&remaining, tname.length);
+ 
+ 		INSIST(remaining.length >= 2);
+ 		type = isc_buffer_getuint16(&source);
+-		remaining.length -= 2;
+-		remaining.base += 2;
+		isc_region_consume(&remaining, 2);
+ 
+ 		if (type != dns_rdatatype_rrsig ||
+ 		    !dns_name_equal(&tname, name)) {
+@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t
+ 		INSIST(remaining.length >= 1);
+ 		trust = isc_buffer_getuint8(&source);
+ 		INSIST(trust <= dns_trust_ultimate);
+-		remaining.length -= 1;
+-		remaining.base += 1;
+		isc_region_consume(&remaining, 1);
+ 
+ 		raw = remaining.base;
+ 		count = raw[0] * 256 + raw[1];
+Index: bind-9.9.5/lib/dns/openssldh_link.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/openssldh_link.c
+++ bind-9.9.5/lib/dns/openssldh_link.c
+@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
+ 
+ static void
+ uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+-	*region->base++ = (val & 0xff00) >> 8;
+-	*region->base++ = (val & 0x00ff);
+	*region->base = (val & 0xff00) >> 8;
+	isc_region_consume(region, 1);
+	*region->base = (val & 0x00ff);
+	isc_region_consume(region, 1);
+ }
+ 
+ static isc_uint16_t
+@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region)
+ 	val = ((unsigned int)(cp[0])) << 8;
+ 	val |= ((unsigned int)(cp[1]));
+ 
+-	region->base += 2;
+	isc_region_consume(region, 2);
+
+ 	return (val);
+ }
+ 
+@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, is
+ 	}
+ 	else
+ 		BN_bn2bin(dh->p, r.base);
+-	r.base += plen;
+	isc_region_consume(&r, plen);
+ 
+ 	uint16_toregion(glen, &r);
+ 	if (glen > 0)
+ 		BN_bn2bin(dh->g, r.base);
+-	r.base += glen;
+	isc_region_consume(&r, glen);
+ 
+ 	uint16_toregion(publen, &r);
+ 	BN_bn2bin(dh->pub_key, r.base);
+-	r.base += publen;
+	isc_region_consume(&r, publen);
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
+@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	if (plen == 1 || plen == 2) {
+-		if (plen == 1)
+-			special = *r.base++;
+-		else
+		if (plen == 1) {
+			special = *r.base;
+			isc_region_consume(&r, 1);
+		} else {
+ 			special = uint16_fromregion(&r);
+		}
+ 		switch (special) {
+ 			case 1:
+ 				dh->p = &bn768;
+@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 				DH_free(dh);
+ 				return (DST_R_INVALIDPUBLICKEY);
+ 		}
+-	}
+-	else {
+	} else {
+ 		dh->p = BN_bin2bn(r.base, plen, NULL);
+-		r.base += plen;
+		isc_region_consume(&r, plen);
+ 	}
+ 
+ 	/*
+@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 				return (DST_R_INVALIDPUBLICKEY);
+ 			}
+ 		}
+-	}
+-	else {
+	} else {
+ 		if (glen == 0) {
+ 			DH_free(dh);
+ 			return (DST_R_INVALIDPUBLICKEY);
+ 		}
+ 		dh->g = BN_bin2bn(r.base, glen, NULL);
+ 	}
+-	r.base += glen;
+	isc_region_consume(&r, glen);
+ 
+ 	if (r.length < 2) {
+ 		DH_free(dh);
+@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	dh->pub_key = BN_bin2bn(r.base, publen, NULL);
+-	r.base += publen;
+	isc_region_consume(&r, publen);
+ 
+ 	key->key_size = BN_num_bits(dh->p);
+ 
+Index: bind-9.9.5/lib/dns/openssldsa_link.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/openssldsa_link.c
+++ bind-9.9.5/lib/dns/openssldsa_link.c
+@@ -29,8 +29,6 @@
+  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+-/* $Id$ */
+-
+ #ifdef OPENSSL
+ #ifndef USE_EVP
+ #define USE_EVP 1
+@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc
+ 	DSA *dsa = key->keydata.dsa;
+ 	isc_region_t r;
+ 	DSA_SIG *dsasig;
+	unsigned int klen;
+ #if USE_EVP
+ 	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ 	EVP_PKEY *pkey;
+@@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc
+ 					       ISC_R_FAILURE));
+ 	}
+ 	free(sigbuf);
+
+ #elif 0
+ 	/* Only use EVP for the Digest */
+ 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
+@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc
+ 					       "DSA_do_sign",
+ 					       DST_R_SIGNFAILURE));
+ #endif
+-	*r.base++ = (key->key_size - 512)/64;
+
+	klen = (key->key_size - 512)/64;
+	if (klen > 255)
+		return (ISC_R_FAILURE);
+	*r.base = klen;
+	isc_region_consume(&r, 1);
+
+ 	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	DSA_SIG_free(dsasig);
+ 	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+ 
+@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, i
+ 	if (r.length < (unsigned int) dnslen)
+ 		return (ISC_R_NOSPACE);
+ 
+-	*r.base++ = t;
+	*r.base = t;
+	isc_region_consume(&r, 1);
+ 	BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
+-	r.base += p_bytes;
+	isc_region_consume(&r, p_bytes);
+ 	BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
+-	r.base += p_bytes;
+	isc_region_consume(&r, p_bytes);
+ 	BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
+-	r.base += p_bytes;
+	isc_region_consume(&r, p_bytes);
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
+@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_b
+ 		return (ISC_R_NOMEMORY);
+ 	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+ 
+-	t = (unsigned int) *r.base++;
+	t = (unsigned int) *r.base;
+	isc_region_consume(&r, 1);
+ 	if (t > 8) {
+ 		DSA_free(dsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	p_bytes = 64 + 8 * t;
+ 
+-	if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+	if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ 		DSA_free(dsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 
+ 	dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 
+ 	dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
+	isc_region_consume(&r, p_bytes);
+ 
+ 	dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
+	isc_region_consume(&r, p_bytes);
+ 
+ 	dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
+	isc_region_consume(&r, p_bytes);
+ 
+ 	key->key_size = p_bytes * 8;
+ 
+Index: bind-9.9.5/lib/dns/opensslecdsa_link.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/opensslecdsa_link.c
+++ bind-9.9.5/lib/dns/opensslecdsa_link.c
+@@ -14,8 +14,6 @@
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+-/* $Id$ */
+-
+ #include <config.h>
+ 
+ #ifdef HAVE_OPENSSL_ECDSA
+@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, i
+ 					       "ECDSA_do_sign",
+ 					       DST_R_SIGNFAILURE));
+ 	BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
+-	r.base += siglen / 2;
+	isc_region_consume(&r, siglen / 2);
+ 	BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
+-	r.base += siglen / 2;
+	isc_region_consume(&r, siglen / 2);
+ 	ECDSA_SIG_free(ecdsasig);
+ 	isc_buffer_add(sig, siglen);
+ 	ret = ISC_R_SUCCESS;
+Index: bind-9.9.5/lib/dns/opensslrsa_link.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/opensslrsa_link.c
+++ bind-9.9.5/lib/dns/opensslrsa_link.c
+@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 	RSA *rsa;
+ 	isc_region_t r;
+ 	unsigned int e_bytes;
+	unsigned int length;
+ #if USE_EVP
+ 	EVP_PKEY *pkey;
+ #endif
+@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 	isc_buffer_remainingregion(data, &r);
+ 	if (r.length == 0)
+ 		return (ISC_R_SUCCESS);
+	length = r.length;
+ 
+ 	rsa = RSA_new();
+ 	if (rsa == NULL)
+@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 		RSA_free(rsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+-	e_bytes = *r.base++;
+-	r.length--;
+	e_bytes = *r.base;
+	isc_region_consume(&r, 1);
+ 
+ 	if (e_bytes == 0) {
+ 		if (r.length < 2) {
+ 			RSA_free(rsa);
+ 			return (DST_R_INVALIDPUBLICKEY);
+ 		}
+-		e_bytes = ((*r.base++) << 8);
+-		e_bytes += *r.base++;
+-		r.length -= 2;
+		e_bytes = (*r.base) << 8;
+		isc_region_consume(&r, 1);
+		e_bytes += *r.base;
+		isc_region_consume(&r, 1);
+ 	}
+ 
+ 	if (r.length < e_bytes) {
+@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
+-	r.base += e_bytes;
+-	r.length -= e_bytes;
+	isc_region_consume(&r, e_bytes);
+ 
+ 	rsa->n = BN_bin2bn(r.base, r.length, NULL);
+ 
+ 	key->key_size = BN_num_bits(rsa->n);
+ 
+-	isc_buffer_forward(data, r.length);
+	isc_buffer_forward(data, length);
+ 
+ #if USE_EVP
+ 	pkey = EVP_PKEY_new();
+Index: bind-9.9.5/lib/dns/resolver.c
+===================================================================
+--- bind-9.9.5.orig/lib/dns/resolver.c
+++ bind-9.9.5/lib/dns/resolver.c
+@@ -8937,6 +8937,12 @@ dns_resolver_algorithm_supported(dns_res
+ 
+ 	REQUIRE(VALID_RESOLVER(resolver));
+ 
+	/*
+	 * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
+	 */
+	if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
+		return (ISC_FALSE);
+
+ #if USE_ALGLOCK
+ 	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+ #endif
+@@ -8956,6 +8962,7 @@ dns_resolver_algorithm_supported(dns_res
+ #endif
+ 	if (found)
+ 		return (ISC_FALSE);
+
+ 	return (dst_algorithm_supported(alg));
+ }
+ 
--- a/meta/recipes-connectivity/bind/bind_9.9.5.bb
+++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb
@ -19,6 +19,9 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://init.d-add-support-for-read-only-rootfs.patch \
           file://bind9_9_5-CVE-2014-8500.patch \
           file://bind9_9_5-CVE-2015-5477.patch \
+	   file://CVE-2015-1349.patch \ 
+	   file://CVE-2015-4620.patch \
+	   file://CVE-2015-5722.patch \
 	   "

 SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"