From d372472f604d45f85b3bbae5d6f523fb561a8823 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 29 Dec 2016 11:07:40 +1100 Subject: [PATCH] 4508. [security] Named incorrectly tried to cache TKEY records which could trigger a assertion failure when there was a class mismatch. (CVE-2016-9131) [RT #43522] (cherry picked from commit 2c1c4b99a127a0f34e10fe27324d552ccbc54e04) --- CHANGES | 4 ++++ README | 7 ++++++- doc/arm/notes.xml | 7 +++++++ lib/dns/resolver.c | 19 +++++++++++++++++++ 4 files changed, 36 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index f15a29760e..0a25c5e6f7 100644 --- a/CHANGES +++ b/CHANGES @@ -70,6 +70,10 @@ 4509. [test] Make the rrl system test more reliable on slower machines by using mdig instead of dig. [RT #43280] +4508. [security] Named incorrectly tried to cache TKEY records which + could trigger a assertion failure when there was + a class mismatch. (CVE-2016-9131) [RT #43522] + 4507. [bug] Named could incorrectly log 'allows updates by IP address, which is insecure' [RT #43432] diff --git a/README b/README index d59d9172ba..1e425eea6f 100644 --- a/README +++ b/README @@ -51,7 +51,12 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes -BIND 9.9.9 +BIND 9.9.10 + + BIND 9.9.10 is a maintenance release and addresses the security + flaws disclosed in CVE-2016-6170, CVE-2016-8864 and CVE-2016-9131. + +BIND 9.9.91 BIND 9.9.9 is a maintenance release and addresses bugs found in BIND 9.9.8 and earlier, as well as the security flaws diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 0014a71d29..b217203482 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -74,6 +74,13 @@ CVE-2016-2775. [RT #42694] + + + Named incorrectly tried to cache TKEY records which could + trigger a assertion failure when there was a class mismatch. + This flaw is disclosed in CVE-2016-9131. [RT #43522] + + 
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 3b842a75cc..cf3f663686 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6524,6 +6524,19 @@ answer_response(fetchctx_t *fctx) {
 log_formerr(fctx, "NSEC3 in answer");
 return (DNS_R_FORMERR);
 }
+ if (rdataset->type == dns_rdatatype_tkey) {
+ /*
+ * TKEY is not a valid record in a
+ * response to any query we can make.
+ */
+ log_formerr(fctx, "TKEY in answer");
+ return (DNS_R_FORMERR);
+ }
+ if (rdataset->rdclass != fctx->res->rdclass) {
+ log_formerr(fctx, "Mismatched class "
+ "in answer");
+ return (DNS_R_FORMERR);
+ }
 
 /*
 * Apply filters, if given, on answers to reject
@@ -6710,6 +6723,12 @@ answer_response(fetchctx_t *fctx) {
 rdataset != NULL;
 rdataset = ISC_LIST_NEXT(rdataset, link))
 {
+ if (rdataset->rdclass != fctx->res->rdclass) {
+ log_formerr(fctx, "Mismatched class "
+ "in answer");
+ return (DNS_R_FORMERR);
+ }
+
 /*
 * Only pass DNAME or RRSIG(DNAME).
 */
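Review bot: The class comparison added after the TKEY check carries no comment, unlike the TKEY check above it, so nothing in the code says why a mismatch has to be rejected at this point. Going by the commit message, the failure was an assertion once such a record reached the cache; a line like `/* A class mismatch would trip an assertion when the rdataset is cached. */` above `if (rdataset->rdclass != fctx->res->rdclass)` would record that for whoever refactors this loop next. The same check and log string are repeated verbatim in the second hunk (the loop at +6723), so a small static helper would keep the two copies in step. answer_response starts and ends outside both hunks, and the diffstat lists no test file alongside this security fix.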
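Review bot: In this loop the class check sits ahead of the `Only pass DNAME or RRSIG(DNAME)` filter, so an rdataset that the filter would presumably skip now fails the whole response with DNS_R_FORMERR when its class differs. If that strictness is intended, a comment should say so, for example `/* Class mismatch: reject the whole response, not just this rdataset. */`. The log text is identical to the one in the first hunk, so a logged "Mismatched class in answer" cannot be attributed to either branch; a distinct wording here, or including the offending class, would help triage. The loop header and the body of the DNAME filter lie outside the hunk.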