Fix CVE-2026-1519 and CVE-2026-3104

* Fix CVE-2026-1519: Fix unbounded NSEC3 iterations when validating
  referrals to unsigned delegations.
  Upstream: https://gitlab.isc.org/isc-projects/bind9/-/commit/ef01ff31db4be0d737949fd785fa52c491041eb4
* Fix CVE-2026-3104: Fix memory leaks in code preparing DNSSEC proofs
  of non-existence.
  Upstream: https://gitlab.isc.org/isc-projects/bind9/-/commit/5f15df5c53a445846083c46a9437910f8f6c3127

Co-Authored-By: hudeng <hudeng@deepin.org>
Signed-off-by: Security Team <security@deepin.org>

Author: 2 people

debian/changelog

@@ -1,3 +1,14 @@
+bind9 (1:9.20.18-1~deb13u1deepin2) unstable; urgency=high
+
+  * Fix CVE-2026-1519: Fix unbounded NSEC3 iterations when validating
+    referrals to unsigned delegations.
+    Upstream: https://gitlab.isc.org/isc-projects/bind9/-/commit/ef01ff31db4be0d737949fd785fa52c491041eb4
+  * Fix CVE-2026-3104: Fix memory leaks in code preparing DNSSEC proofs
+    of non-existence.
+    Upstream: https://gitlab.isc.org/isc-projects/bind9/-/commit/5f15df5c53a445846083c46a9437910f8f6c3127
+
+ -- Security Team <security@deepin.org>  Mon, 13 Apr 2026 11:16:00 +0800
+
 bind9 (1:9.20.18-1~deb13u1deepin1) unstable; urgency=medium
 
   * Disable Build-Dep xindy for sunway.

debian/patches/CVE-2026-1519.patch

@@ -0,0 +1,41 @@
+Description: Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations
+Origin: upstream, https://gitlab.isc.org/isc-projects/bind9/-/commit/ef01ff31db4be0d737949fd785fa52c491041eb4
+Bug: CVE-2026-1519
+Last-Update: 2026-04-13
+
+--- a/lib/dns/validator.c
++++ b/lib/dns/validator.c
+@@ -2804,7 +2804,19 @@ validate_neg_rrset(dns_validator_t *val, dns_name_t *name,
+ 		}
+ 	}
+ 
++	if (rdataset->type != dns_rdatatype_nsec &&
++	    DNS_TRUST_SECURE(rdataset->trust))
++	{
++		/*
++		 * The negative response data is already verified.
++		 * We skip NSEC records, because they require special
++		 * processing in validator_callback_nsec().
++		 */
++		return DNS_R_CONTINUE;
++	}
++
+ 	val->nxset = rdataset;
++
+ 	result = create_validator(val, name, rdataset->type, rdataset,
+ 				  sigrdataset, validator_callback_nsec,
+ 				  "validate_neg_rrset");
+@@ -2914,11 +2926,9 @@ validate_ncache(dns_validator_t *val, bool resume) {
+ 		}
+ 
+ 		result = validate_neg_rrset(val, name, rdataset, sigrdataset);
+-		if (result == DNS_R_CONTINUE) {
+-			continue;
++		if (result != DNS_R_CONTINUE) {
++			return result;
+ 		}
+-
+-		return result;
+ 	}
+ 	if (result == ISC_R_NOMORE) {
+ 		result = ISC_R_SUCCESS;

debian/patches/CVE-2026-3104.patch

@@ -0,0 +1,105 @@
+Description: Fix memory leaks in code preparing DNSSEC proofs of non-existence
+Origin: upstream, https://gitlab.isc.org/isc-projects/bind9/-/commit/5f15df5c53a445846083c46a9437910f8f6c3127
+Bug: CVE-2026-3104
+Last-Update: 2026-04-13
+
+--- a/lib/dns/qpcache.c
++++ b/lib/dns/qpcache.c
+@@ -3279,7 +3279,7 @@ addnoqname(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset,
+ 	dns_slabheader_proof_t *noqname = NULL;
+ 	dns_name_t name = DNS_NAME_INITEMPTY;
+ 	dns_rdataset_t neg = DNS_RDATASET_INIT, negsig = DNS_RDATASET_INIT;
+-	isc_region_t r1, r2;
++	isc_region_t r1 = { .base = NULL }, r2 = { .base = NULL };
+ 
+ 	result = dns_rdataset_getnoqname(rdataset, &name, &neg, &negsig);
+ 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+@@ -3305,6 +3305,14 @@ addnoqname(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset,
+ 	newheader->noqname = noqname;
+ 
+ cleanup:
++	if (result != ISC_R_SUCCESS) {
++		if (r1.base != NULL) {
++			isc_mem_put(mctx, r1.base, r1.length);
++		}
++		if (r2.base != NULL) {
++			isc_mem_put(mctx, r2.base, r2.length);
++		}
++	}
+ 	dns_rdataset_disassociate(&neg);
+ 	dns_rdataset_disassociate(&negsig);
+ 
+@@ -3318,7 +3326,7 @@ addclosest(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset,
+ 	dns_slabheader_proof_t *closest = NULL;
+ 	dns_name_t name = DNS_NAME_INITEMPTY;
+ 	dns_rdataset_t neg = DNS_RDATASET_INIT, negsig = DNS_RDATASET_INIT;
+-	isc_region_t r1, r2;
++	isc_region_t r1 = { .base = NULL }, r2 = { .base = NULL };
+ 
+ 	result = dns_rdataset_getclosest(rdataset, &name, &neg, &negsig);
+ 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+@@ -3344,6 +3352,14 @@ addclosest(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset,
+ 	newheader->closest = closest;
+ 
+ cleanup:
++	if (result != ISC_R_SUCCESS) {
++		if (r1.base != NULL) {
++			isc_mem_put(mctx, r1.base, r1.length);
++		}
++		if (r2.base != NULL) {
++			isc_mem_put(mctx, r2.base, r2.length);
++		}
++	}
+ 	dns_rdataset_disassociate(&neg);
+ 	dns_rdataset_disassociate(&negsig);
+ 	return result;
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -3180,7 +3180,7 @@ addnoqname(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset,
+ 	dns_slabheader_proof_t *noqname = NULL;
+ 	dns_name_t name = DNS_NAME_INITEMPTY;
+ 	dns_rdataset_t neg = DNS_RDATASET_INIT, negsig = DNS_RDATASET_INIT;
+-	isc_region_t r1, r2;
++	isc_region_t r1 = { .base = NULL }, r2 = { .base = NULL };
+ 
+ 	result = dns_rdataset_getnoqname(rdataset, &name, &neg, &negsig);
+ 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+@@ -3206,6 +3206,14 @@ addnoqname(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset,
+ 	newheader->noqname = noqname;
+ 
+ cleanup:
++	if (result != ISC_R_SUCCESS) {
++		if (r1.base != NULL) {
++			isc_mem_put(mctx, r1.base, r1.length);
++		}
++		if (r2.base != NULL) {
++			isc_mem_put(mctx, r2.base, r2.length);
++		}
++	}
+ 	dns_rdataset_disassociate(&neg);
+ 	dns_rdataset_disassociate(&negsig);
+ 
+@@ -3219,7 +3227,7 @@ addclosest(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset,
+ 	dns_slabheader_proof_t *closest = NULL;
+ 	dns_name_t name = DNS_NAME_INITEMPTY;
+ 	dns_rdataset_t neg = DNS_RDATASET_INIT, negsig = DNS_RDATASET_INIT;
+-	isc_region_t r1, r2;
++	isc_region_t r1 = { .base = NULL }, r2 = { .base = NULL };
+ 
+ 	result = dns_rdataset_getclosest(rdataset, &name, &neg, &negsig);
+ 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+@@ -3245,6 +3253,14 @@ addclosest(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset,
+ 	newheader->closest = closest;
+ 
+ cleanup:
++	if (result != ISC_R_SUCCESS) {
++		if (r1.base != NULL) {
++			isc_mem_put(mctx, r1.base, r1.length);
++		}
++		if (r2.base != NULL) {
++			isc_mem_put(mctx, r2.base, r2.length);
++		}
++	}
+ 	dns_rdataset_disassociate(&neg);
+ 	dns_rdataset_disassociate(&negsig);
+ 	return result;

debian/patches/series

@@ -1,2 +1,4 @@
 0001-Disable-treat-warnings-as-errors-in-sphinx-build.patch
 0002-Disable-RTLD_DEEPBIND-in-Samba-DLZ-module.patch
+CVE-2026-1519.patch
+CVE-2026-3104.patch