Patch CVE-2015-5722 & CVE-2015-5986

Bump rev

CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
assertion in buffer.c
https://kb.isc.org/article/AA-01287/0

CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
failure in openpgpkey_61.c
https://kb.isc.org/article/AA-01291/0

Reviewed by wiz@

25 files changed, 1292 insertions, 4 deletions

diff --git a/net/bind910/Makefile b/net/bind910/Makefile
index 7eddfaede41..bb3052163e6 100644
--- a/net/bind910/Makefile
+++ b/net/bind910/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.10 2015/07/28 22:36:38 taca Exp $
+# $NetBSD: Makefile,v 1.11 2015/09/02 19:46:44 sevan Exp $
 
 DISTNAME=	bind-${BIND_VERSION}
 PKGNAME=	${DISTNAME:S/-P/pl/}
+PKGREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ \
 		http://ftp.belnet.be/pub/mirror/ftp.isc.org/isc/bind9/${BIND_VERSION}/
diff --git a/net/bind910/distinfo b/net/bind910/distinfo
index 79ee2390aae..e5b58afa2b5 100644
--- a/net/bind910/distinfo
+++ b/net/bind910/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2015/07/28 22:36:38 taca Exp $
+$NetBSD: distinfo,v 1.9 2015/09/02 19:46:44 sevan Exp $
 
 SHA1 (bind-9.10.2-P3.tar.gz) = ab362f2632db923accd1b29e37b8fffa66d21d8d
 RMD160 (bind-9.10.2-P3.tar.gz) = 1cd59e605ab723a1e051dfd6727f4534f3368efa
@@ -8,6 +8,18 @@ SHA1 (patch-bin_tests_system_Makefile.in) = 8bb6130981a6ff2ac736cf53a061115782bb
 SHA1 (patch-config.threads.in) = 227b83efe9cb3e301aaac9b97cf42f1fb8ad06b2
 SHA1 (patch-configure) = 3ea12f60b26064679e086ef5e637420b95d165be
 SHA1 (patch-contrib_dlz_config.dlz.in) = f18bec63fbfce7cb2cd72929058ce3770fce458f
+SHA1 (patch-lib_dns_hmac_link.c) = 4ed376d95d5588b0b4fd408f7e889b6ec2c23f1f
+SHA1 (patch-lib_dns_include_dst_dst.h) = 574b8c74cfc5e48c535716be0dc4adc38078ad18
+SHA1 (patch-lib_dns_ncache.c) = 95b50b3a89f7f7988ff15a16746e73500e85b321
+SHA1 (patch-lib_dns_openssldh_link.c) = 4f357bff84a822326833de7c132395c1cc252a94
+SHA1 (patch-lib_dns_openssldsa_link.c) = a21c32975643c939f4090db60c9066adac6a3800
+SHA1 (patch-lib_dns_opensslecdsa_link.c) = 6e33e77c40b64c887057a18e0f6d8406db55920a
+SHA1 (patch-lib_dns_opensslrsa_link.c) = e1f3a1f1d96ba56b877fd6123221ba8a54cef427
+SHA1 (patch-lib_dns_pkcs11dh_link.c) = 8a2fc71462a21bd17dab8e9221c00ce05694f4e2
+SHA1 (patch-lib_dns_pkcs11dsa_link.c) = 2ade7fe1e629e4d3ab4c486286105989f39f2b91
+SHA1 (patch-lib_dns_pkcs11rsa_link.c) = c59c26fec43a2193eee016be0c4169492395c351
 SHA1 (patch-lib_dns_rbt.c) = 510dfc72bc7764e548a46e9c48b58b2543490d7a
+SHA1 (patch-lib_dns_rdata_generic_openpgpkey_61.c) = 8b323bae83dc9bf508b4c6765462eac4271b8761
+SHA1 (patch-lib_dns_resolver.c) = b922349bb5e4f4c70aad67976fec41c642735d04
 SHA1 (patch-lib_lwres_getaddrinfo.c) = 69e9c8049fedcb93bd219c6053163f21ce3b2535
 SHA1 (patch-lib_lwres_getnameinfo.c) = 418ad349cf52925c9e8051b5c71d9d51ea8d2fb1
diff --git a/net/bind910/patches/patch-lib_dns_hmac_link.c b/net/bind910/patches/patch-lib_dns_hmac_link.c
new file mode 100644
index 00000000000..0827fbf25a7
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_hmac_link.c
@@ -0,0 +1,120 @@
+$NetBSD: patch-lib_dns_hmac_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/hmac_link.c.orig	2015-09-02 00:43:20.000000000 +0000
++++ lib/dns/hmac_link.c
+@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_co
+ 	hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
+ 	if (hmacmd5ctx == NULL)
+ 		return (ISC_R_NOMEMORY);
+-	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
++	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
+ 	dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
+ 	return (ISC_R_SUCCESS);
+ }
+@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, c
+ 	else if (hkey1 == NULL || hkey2 == NULL)
+ 		return (ISC_FALSE);
+ 
+-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
++	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
+ 		return (ISC_TRUE);
+ 	else
+ 		return (ISC_FALSE);
+@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pse
+ 	isc_buffer_t b;
+ 	isc_result_t ret;
+ 	unsigned int bytes;
+-	unsigned char data[ISC_SHA1_BLOCK_LENGTH];
++	unsigned char data[ISC_MD5_BLOCK_LENGTH];
+ 
+ 	UNUSED(callback);
+ 
+ 	bytes = (key->key_size + 7) / 8;
+-	if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+-		bytes = ISC_SHA1_BLOCK_LENGTH;
+-		key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
++	if (bytes > ISC_MD5_BLOCK_LENGTH) {
++		bytes = ISC_MD5_BLOCK_LENGTH;
++		key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
+ 	}
+ 
+-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
++	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ 	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+ 
+ 	if (ret != ISC_R_SUCCESS)
+@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pse
+ 	isc_buffer_init(&b, data, bytes);
+ 	isc_buffer_add(&b, bytes);
+ 	ret = hmacmd5_fromdns(key, &b);
+-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
++	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ 
+ 	return (ret);
+ }
+@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
+ 
+ 	memset(hkey->key, 0, sizeof(hkey->key));
+ 
+-	if (r.length > ISC_SHA1_BLOCK_LENGTH) {
++	if (r.length > ISC_MD5_BLOCK_LENGTH) {
+ 		isc_md5_init(&md5ctx);
+ 		isc_md5_update(&md5ctx, r.base, r.length);
+ 		isc_md5_final(&md5ctx, hkey->key);
+@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacmd5 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -519,6 +521,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buf
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha1 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -804,6 +808,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha224 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1089,6 +1095,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha256 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1374,6 +1382,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha384 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1659,6 +1669,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha512 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
diff --git a/net/bind910/patches/patch-lib_dns_include_dst_dst.h b/net/bind910/patches/patch-lib_dns_include_dst_dst.h
new file mode 100644
index 00000000000..d17686bd54e
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_include_dst_dst.h
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_dns_include_dst_dst.h,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/include/dst/dst.h.orig	2015-09-02 00:43:20.000000000 +0000
++++ lib/dns/include/dst/dst.h
+@@ -71,6 +71,7 @@ typedef struct dst_context 	dst_context_
+ #define DST_ALG_HMACSHA256	163	/* XXXMPA */
+ #define DST_ALG_HMACSHA384	164	/* XXXMPA */
+ #define DST_ALG_HMACSHA512	165	/* XXXMPA */
++#define DST_ALG_INDIRECT	252
+ #define DST_ALG_PRIVATE		254
+ #define DST_ALG_EXPAND		255
+ #define DST_MAX_ALGS		255
diff --git a/net/bind910/patches/patch-lib_dns_ncache.c b/net/bind910/patches/patch-lib_dns_ncache.c
new file mode 100644
index 00000000000..cfcbddbadb1
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_ncache.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-lib_dns_ncache.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/ncache.c.orig	2015-09-02 00:43:20.000000000 +0000
++++ lib/dns/ncache.c
+@@ -615,13 +615,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t
+ 		dns_name_fromregion(&tname, &remaining);
+ 		INSIST(remaining.length >= tname.length);
+ 		isc_buffer_forward(&source, tname.length);
+-		remaining.length -= tname.length;
+-		remaining.base += tname.length;
++		isc_region_consume(&remaining, tname.length);
+ 
+ 		INSIST(remaining.length >= 2);
+ 		type = isc_buffer_getuint16(&source);
+-		remaining.length -= 2;
+-		remaining.base += 2;
++		isc_region_consume(&remaining, 2);
+ 
+ 		if (type != dns_rdatatype_rrsig ||
+ 		    !dns_name_equal(&tname, name)) {
+@@ -633,8 +631,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t
+ 		INSIST(remaining.length >= 1);
+ 		trust = isc_buffer_getuint8(&source);
+ 		INSIST(trust <= dns_trust_ultimate);
+-		remaining.length -= 1;
+-		remaining.base += 1;
++		isc_region_consume(&remaining, 1);
+ 
+ 		raw = remaining.base;
+ 		count = raw[0] * 256 + raw[1];
diff --git a/net/bind910/patches/patch-lib_dns_openssldh_link.c b/net/bind910/patches/patch-lib_dns_openssldh_link.c
new file mode 100644
index 00000000000..51094da3b13
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_openssldh_link.c
@@ -0,0 +1,106 @@
+$NetBSD: patch-lib_dns_openssldh_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/openssldh_link.c.orig	2015-09-02 00:43:20.000000000 +0000
++++ lib/dns/openssldh_link.c
+@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
+ 
+ static void
+ uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+-	*region->base++ = (val & 0xff00) >> 8;
+-	*region->base++ = (val & 0x00ff);
++	*region->base = (val & 0xff00) >> 8;
++	isc_region_consume(region, 1);
++	*region->base = (val & 0x00ff);
++	isc_region_consume(region, 1);
+ }
+ 
+ static isc_uint16_t
+@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) 
+ 	val = ((unsigned int)(cp[0])) << 8;
+ 	val |= ((unsigned int)(cp[1]));
+ 
+-	region->base += 2;
++	isc_region_consume(region, 2);
++
+ 	return (val);
+ }
+ 
+@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, is
+ 	}
+ 	else
+ 		BN_bn2bin(dh->p, r.base);
+-	r.base += plen;
++	isc_region_consume(&r, plen);
+ 
+ 	uint16_toregion(glen, &r);
+ 	if (glen > 0)
+ 		BN_bn2bin(dh->g, r.base);
+-	r.base += glen;
++	isc_region_consume(&r, glen);
+ 
+ 	uint16_toregion(publen, &r);
+ 	BN_bn2bin(dh->pub_key, r.base);
+-	r.base += publen;
++	isc_region_consume(&r, publen);
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
+@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	if (plen == 1 || plen == 2) {
+-		if (plen == 1)
+-			special = *r.base++;
+-		else
++		if (plen == 1) {
++			special = *r.base;
++			isc_region_consume(&r, 1);
++		} else {
+ 			special = uint16_fromregion(&r);
++		}
+ 		switch (special) {
+ 			case 1:
+ 				dh->p = &bn768;
+@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 				DH_free(dh);
+ 				return (DST_R_INVALIDPUBLICKEY);
+ 		}
+-	}
+-	else {
++	} else {
+ 		dh->p = BN_bin2bn(r.base, plen, NULL);
+-		r.base += plen;
++		isc_region_consume(&r, plen);
+ 	}
+ 
+ 	/*
+@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 				return (DST_R_INVALIDPUBLICKEY);
+ 			}
+ 		}
+-	}
+-	else {
++	} else {
+ 		if (glen == 0) {
+ 			DH_free(dh);
+ 			return (DST_R_INVALIDPUBLICKEY);
+ 		}
+ 		dh->g = BN_bin2bn(r.base, glen, NULL);
+ 	}
+-	r.base += glen;
++	isc_region_consume(&r, glen);
+ 
+ 	if (r.length < 2) {
+ 		DH_free(dh);
+@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	dh->pub_key = BN_bin2bn(r.base, publen, NULL);
+-	r.base += publen;
++	isc_region_consume(&r, publen);
+ 
+ 	key->key_size = BN_num_bits(dh->p);
+ 
diff --git a/net/bind910/patches/patch-lib_dns_openssldsa_link.c b/net/bind910/patches/patch-lib_dns_openssldsa_link.c
new file mode 100644
index 00000000000..50b1d39df8b
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_openssldsa_link.c
@@ -0,0 +1,103 @@
+$NetBSD: patch-lib_dns_openssldsa_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/openssldsa_link.c.orig	2015-09-02 00:43:20.000000000 +0000
++++ lib/dns/openssldsa_link.c
+@@ -137,6 +137,7 @@ openssldsa_sign(dst_context_t *dctx, isc
+ 	DSA *dsa = key->keydata.dsa;
+ 	isc_region_t r;
+ 	DSA_SIG *dsasig;
++	unsigned int klen;
+ #if USE_EVP
+ 	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ 	EVP_PKEY *pkey;
+@@ -188,6 +189,7 @@ openssldsa_sign(dst_context_t *dctx, isc
+ 					       ISC_R_FAILURE));
+ 	}
+ 	free(sigbuf);
++
+ #elif 0
+ 	/* Only use EVP for the Digest */
+ 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
+@@ -209,11 +211,17 @@ openssldsa_sign(dst_context_t *dctx, isc
+ 					       "DSA_do_sign",
+ 					       DST_R_SIGNFAILURE));
+ #endif
+-	*r.base++ = (key->key_size - 512)/64;
++
++	klen = (key->key_size - 512)/64;
++	if (klen > 255)
++		return (ISC_R_FAILURE);
++	*r.base = klen;
++	isc_region_consume(&r, 1);
++
+ 	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	DSA_SIG_free(dsasig);
+ 	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+ 
+@@ -446,15 +454,16 @@ openssldsa_todns(const dst_key_t *key, i
+ 	if (r.length < (unsigned int) dnslen)
+ 		return (ISC_R_NOSPACE);
+ 
+-	*r.base++ = t;
++	*r.base = t;
++	isc_region_consume(&r, 1);
+ 	BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 	BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 	BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
+@@ -479,29 +488,30 @@ openssldsa_fromdns(dst_key_t *key, isc_b
+ 		return (ISC_R_NOMEMORY);
+ 	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+ 
+-	t = (unsigned int) *r.base++;
++	t = (unsigned int) *r.base;
++	isc_region_consume(&r, 1);
+ 	if (t > 8) {
+ 		DSA_free(dsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	p_bytes = 64 + 8 * t;
+ 
+-	if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
++	if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ 		DSA_free(dsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 
+ 	dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 
+ 	dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	key->key_size = p_bytes * 8;
+ 
diff --git a/net/bind910/patches/patch-lib_dns_opensslecdsa_link.c b/net/bind910/patches/patch-lib_dns_opensslecdsa_link.c
new file mode 100644
index 00000000000..4b00806e31f
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_opensslecdsa_link.c
@@ -0,0 +1,19 @@
+$NetBSD: patch-lib_dns_opensslecdsa_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/opensslecdsa_link.c.orig	2015-09-02 00:43:20.000000000 +0000
++++ lib/dns/opensslecdsa_link.c
+@@ -159,9 +159,9 @@ opensslecdsa_sign(dst_context_t *dctx, i
+ 					       "ECDSA_do_sign",
+ 					       DST_R_SIGNFAILURE));
+ 	BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
+-	r.base += siglen / 2;
++	isc_region_consume(&r, siglen / 2);
+ 	BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
+-	r.base += siglen / 2;
++	isc_region_consume(&r, siglen / 2);
+ 	ECDSA_SIG_free(ecdsasig);
+ 	isc_buffer_add(sig, siglen);
+ 	ret = ISC_R_SUCCESS;
diff --git a/net/bind910/patches/patch-lib_dns_opensslrsa_link.c b/net/bind910/patches/patch-lib_dns_opensslrsa_link.c
new file mode 100644
index 00000000000..a087bd8979e
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_opensslrsa_link.c
@@ -0,0 +1,64 @@
+$NetBSD: patch-lib_dns_opensslrsa_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/opensslrsa_link.c.orig	2015-09-02 00:43:20.000000000 +0000
++++ lib/dns/opensslrsa_link.c
+@@ -964,6 +964,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 	RSA *rsa;
+ 	isc_region_t r;
+ 	unsigned int e_bytes;
++	unsigned int length;
+ #if USE_EVP
+ 	EVP_PKEY *pkey;
+ #endif
+@@ -971,6 +972,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 	isc_buffer_remainingregion(data, &r);
+ 	if (r.length == 0)
+ 		return (ISC_R_SUCCESS);
++	length = r.length;
+ 
+ 	rsa = RSA_new();
+ 	if (rsa == NULL)
+@@ -981,17 +983,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 		RSA_free(rsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+-	e_bytes = *r.base++;
+-	r.length--;
++	e_bytes = *r.base;
++	isc_region_consume(&r, 1);
+ 
+ 	if (e_bytes == 0) {
+ 		if (r.length < 2) {
+ 			RSA_free(rsa);
+ 			return (DST_R_INVALIDPUBLICKEY);
+ 		}
+-		e_bytes = ((*r.base++) << 8);
+-		e_bytes += *r.base++;
+-		r.length -= 2;
++		e_bytes = (*r.base) << 8;
++		isc_region_consume(&r, 1);
++		e_bytes += *r.base;
++		isc_region_consume(&r, 1);
+ 	}
+ 
+ 	if (r.length < e_bytes) {
+@@ -999,14 +1002,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
+-	r.base += e_bytes;
+-	r.length -= e_bytes;
++	isc_region_consume(&r, e_bytes);
+ 
+ 	rsa->n = BN_bin2bn(r.base, r.length, NULL);
+ 
+ 	key->key_size = BN_num_bits(rsa->n);
+ 
+-	isc_buffer_forward(data, r.length);
++	isc_buffer_forward(data, length);
+ 
+ #if USE_EVP
+ 	pkey = EVP_PKEY_new();
diff --git a/net/bind910/patches/patch-lib_dns_pkcs11dh_link.c b/net/bind910/patches/patch-lib_dns_pkcs11dh_link.c
new file mode 100644
index 00000000000..9f93dd9d408
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_pkcs11dh_link.c
@@ -0,0 +1,93 @@
+$NetBSD: patch-lib_dns_pkcs11dh_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/pkcs11dh_link.c.orig	2015-09-02 00:44:20.000000000 +0000
++++ lib/dns/pkcs11dh_link.c
+@@ -632,8 +632,10 @@ pkcs11dh_destroy(dst_key_t *key) {
+ 
+ static void
+ uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+-	*region->base++ = (val & 0xff00) >> 8;
+-	*region->base++ = (val & 0x00ff);
++	*region->base = (val & 0xff00) >> 8;
++	isc_region_consume(region, 1);
++	*region->base = (val & 0x00ff);
++	isc_region_consume(region, 1);
+ }
+ 
+ static isc_uint16_t
+@@ -644,7 +646,8 @@ uint16_fromregion(isc_region_t *region) 
+ 	val = ((unsigned int)(cp[0])) << 8;
+ 	val |= ((unsigned int)(cp[1]));
+ 
+-	region->base += 2;
++	isc_region_consume(region, 2);
++
+ 	return (val);
+ }
+ 
+@@ -708,16 +711,16 @@ pkcs11dh_todns(const dst_key_t *key, isc
+ 	}
+ 	else
+ 		memmove(r.base, prime, plen);
+-	r.base += plen;
++	isc_region_consume(&r, plen);
+ 
+ 	uint16_toregion(glen, &r);
+ 	if (glen > 0)
+ 		memmove(r.base, base, glen);
+-	r.base += glen;
++	isc_region_consume(&r, glen);
+ 
+ 	uint16_toregion(publen, &r);
+ 	memmove(r.base, pub, publen);
+-	r.base += publen;
++	isc_region_consume(&r, publen);
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
+@@ -764,10 +767,12 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buf
+ 	}
+ 	plen_ = plen;
+ 	if (plen == 1 || plen == 2) {
+-		if (plen == 1)
+-			special = *r.base++;
+-		else
++		if (plen == 1) {
++			special = *r.base;
++			isc_region_consume(&r, 1);
++		} else {
+ 			special = uint16_fromregion(&r);
++		}
+ 		switch (special) {
+ 			case 1:
+ 				prime = pk11_dh_bn768;
+@@ -789,7 +794,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buf
+ 	}
+ 	else {
+ 		prime = r.base;
+-		r.base += plen;
++		isc_region_consume(&r, plen);
+ 	}
+ 
+ 	/*
+@@ -835,7 +840,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buf
+ 		}
+ 		base = r.base;
+ 	}
+-	r.base += glen;
++	isc_region_consume(&r, glen);
+ 
+ 	if (r.length < 2) {
+ 		memset(dh, 0, sizeof(*dh));
+@@ -849,7 +854,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buf
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	pub = r.base;
+-	r.base += publen;
++	isc_region_consume(&r, publen);
+ 
+ 	key->key_size = pk11_numbits(prime, plen_);
+ 
diff --git a/net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c b/net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c
new file mode 100644
index 00000000000..de1cc1e3c07
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c
@@ -0,0 +1,97 @@
+$NetBSD: patch-lib_dns_pkcs11dsa_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/pkcs11dsa_link.c.orig	2015-09-02 00:44:29.000000000 +0000
++++ lib/dns/pkcs11dsa_link.c
+@@ -388,6 +388,7 @@ pkcs11dsa_sign(dst_context_t *dctx, isc_
+ 	isc_region_t r;
+ 	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ 	isc_result_t ret = ISC_R_SUCCESS;
++	unsigned int klen;
+ 
+ 	isc_buffer_availableregion(sig, &r);
+ 	if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
+@@ -399,7 +400,10 @@ pkcs11dsa_sign(dst_context_t *dctx, isc_
+ 	if (siglen != ISC_SHA1_DIGESTLENGTH * 2)
+ 		return (DST_R_SIGNFAILURE);
+ 
+-	*r.base = (dctx->key->key_size - 512)/64;
++	klen = (dctx->key->key_size - 512)/64;
++	if (klen > 255)
++		return (ISC_R_FAILURE);
++	*r.base = klen;
+ 	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+ 
+     err:
+@@ -744,23 +748,25 @@ pkcs11dsa_todns(const dst_key_t *key, is
+ 		return (ISC_R_NOSPACE);
+ 
+ 	memset(r.base, 0, dnslen);
+-	*r.base++ = t;
++	*r.base = t;
++	isc_region_consume(&r, 1);
++
+ 	cp = (CK_BYTE *) subprime->pValue;
+ 	memmove(r.base + ISC_SHA1_DIGESTLENGTH - subprime->ulValueLen,
+ 		cp, subprime->ulValueLen);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	cp = (CK_BYTE *) prime->pValue;
+ 	memmove(r.base + key->key_size/8 - prime->ulValueLen,
+ 		cp, prime->ulValueLen);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 	cp = (CK_BYTE *) base->pValue;
+ 	memmove(r.base + key->key_size/8 - base->ulValueLen,
+ 		cp, base->ulValueLen);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 	cp = (CK_BYTE *) pub_key->pValue;
+ 	memmove(r.base + key->key_size/8 - pub_key->ulValueLen,
+ 		cp, pub_key->ulValueLen);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
+@@ -784,7 +790,8 @@ pkcs11dsa_fromdns(dst_key_t *key, isc_bu
+ 		return (ISC_R_NOMEMORY);
+ 	memset(dsa, 0, sizeof(*dsa));
+ 
+-	t = (unsigned int) *r.base++;
++	t = (unsigned int) *r.base;
++	isc_region_consume(&r, 1);
+ 	if (t > 8) {
+ 		memset(dsa, 0, sizeof(*dsa));
+ 		isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+@@ -792,23 +799,23 @@ pkcs11dsa_fromdns(dst_key_t *key, isc_bu
+ 	}
+ 	p_bytes = 64 + 8 * t;
+ 
+-	if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
++	if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ 		memset(dsa, 0, sizeof(*dsa));
+ 		isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 
+ 	subprime = r.base;
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 
+ 	prime = r.base;
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	base = r.base;
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	pub_key = r.base;
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	key->key_size = p_bytes * 8;
+ 
diff --git a/net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c b/net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c
new file mode 100644
index 00000000000..18745b8c7fe
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c
@@ -0,0 +1,67 @@
+$NetBSD: patch-lib_dns_pkcs11rsa_link.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/pkcs11rsa_link.c.orig	2015-09-02 00:44:38.000000000 +0000
++++ lib/dns/pkcs11rsa_link.c
+@@ -791,23 +791,21 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_bu
+ 	unsigned int e_bytes, mod_bytes;
+ 	CK_BYTE *exponent = NULL, *modulus = NULL;
+ 	CK_ATTRIBUTE *attr;
++	unsigned int length;
+ 
+ 	isc_buffer_remainingregion(data, &r);
+ 	if (r.length == 0)
+ 		return (ISC_R_SUCCESS);
++	length = r.length;
+ 
+ 	rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+ 	if (rsa == NULL)
+ 		return (ISC_R_NOMEMORY);
++
+ 	memset(rsa, 0, sizeof(*rsa));
+ 
+-	if (r.length < 1) {
+-		memset(rsa, 0, sizeof(*rsa));
+-		isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+-		return (DST_R_INVALIDPUBLICKEY);
+-	}
+-	e_bytes = *r.base++;
+-	r.length--;
++	e_bytes = *r.base;
++	isc_region_consume(&r, 1);
+ 
+ 	if (e_bytes == 0) {
+ 		if (r.length < 2) {
+@@ -815,9 +813,10 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_bu
+ 			isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+ 			return (DST_R_INVALIDPUBLICKEY);
+ 		}
+-		e_bytes = ((*r.base++) << 8);
+-		e_bytes += *r.base++;
+-		r.length -= 2;
++		e_bytes = (*r.base) << 8;
++		isc_region_consume(&r, 1);
++		e_bytes += *r.base;
++		isc_region_consume(&r, 1);
+ 	}
+ 
+ 	if (r.length < e_bytes) {
+@@ -826,14 +825,13 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_bu
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	exponent = r.base;
+-	r.base += e_bytes;
+-	r.length -= e_bytes;
++	isc_region_consume(&r, e_bytes);
+ 	modulus = r.base;
+ 	mod_bytes = r.length;
+ 
+ 	key->key_size = pk11_numbits(modulus, mod_bytes);
+ 
+-	isc_buffer_forward(data, r.length);
++	isc_buffer_forward(data, length);
+ 
+ 	rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+ 	if (rsa->repr == NULL)
diff --git a/net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c b/net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c
new file mode 100644
index 00000000000..9f9e0655fc4
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-lib_dns_rdata_generic_openpgpkey_61.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
+failure in openpgpkey_61.c
+
+--- lib/dns/rdata/generic/openpgpkey_61.c.orig	2015-09-02 00:43:20.000000000 +0000
++++ lib/dns/rdata/generic/openpgpkey_61.c
+@@ -81,6 +81,8 @@ fromwire_openpgpkey(ARGS_FROMWIRE) {
+ 	 * Keyring.
+ 	 */
+ 	isc_buffer_activeregion(source, &sr);
++	if (sr.length < 1)
++		return (ISC_R_UNEXPECTEDEND);
+ 	isc_buffer_forward(source, sr.length);
+ 	return (mem_tobuffer(target, sr.base, sr.length));
+ }
diff --git a/net/bind910/patches/patch-lib_dns_resolver.c b/net/bind910/patches/patch-lib_dns_resolver.c
new file mode 100644
index 00000000000..0d981217a75
--- /dev/null
+++ b/net/bind910/patches/patch-lib_dns_resolver.c
@@ -0,0 +1,28 @@
+$NetBSD: patch-lib_dns_resolver.c,v 1.1 2015/09/02 19:46:44 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/resolver.c.orig	2015-09-02 00:43:20.000000000 +0000
++++ lib/dns/resolver.c
+@@ -9488,6 +9488,12 @@ dns_resolver_algorithm_supported(dns_res
+ 
+ 	REQUIRE(VALID_RESOLVER(resolver));
+ 
++	/*
++	 * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
++	 */
++	if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
++		return (ISC_FALSE);
++
+ #if USE_ALGLOCK
+ 	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+ #endif
+@@ -9507,6 +9513,7 @@ dns_resolver_algorithm_supported(dns_res
+ #endif
+ 	if (found)
+ 		return (ISC_FALSE);
++
+ 	return (dst_algorithm_supported(alg));
+ }
+ 
diff --git a/net/bind99/Makefile b/net/bind99/Makefile
index 9bbf50cf433..e64ef31884c 100644
--- a/net/bind99/Makefile
+++ b/net/bind99/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.46 2015/07/28 22:35:36 taca Exp $
+# $NetBSD: Makefile,v 1.47 2015/09/02 19:44:28 sevan Exp $
 
 DISTNAME=	bind-${BIND_VERSION}
 PKGNAME=	${DISTNAME:S/-P/pl/}
+PKGREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ \
 		http://ftp.belnet.be/pub/mirror/ftp.isc.org/isc/bind9/${BIND_VERSION}/
diff --git a/net/bind99/distinfo b/net/bind99/distinfo
index ac3dfcdb12b..a455ffa7e4b 100644
--- a/net/bind99/distinfo
+++ b/net/bind99/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30 2015/07/28 22:35:36 taca Exp $
+$NetBSD: distinfo,v 1.31 2015/09/02 19:44:28 sevan Exp $
 
 SHA1 (bind-9.9.7-P2.tar.gz) = 2c3620765911c154340f4d19ec5c8978edb84942
 RMD160 (bind-9.9.7-P2.tar.gz) = a6d2c6738281895a6ed87e5a168c7e35e7fc5fac
@@ -8,6 +8,15 @@ SHA1 (patch-bin_tests_system_Makefile.in) = 483fca89658263f5c1f974ce115172183535
 SHA1 (patch-config.threads.in) = 227b83efe9cb3e301aaac9b97cf42f1fb8ad06b2
 SHA1 (patch-configure) = d3d9b8e531fbaad3ab42a86735cc01d5d4fbcdf0
 SHA1 (patch-contrib_dlz_config.dlz.in) = f18bec63fbfce7cb2cd72929058ce3770fce458f
+SHA1 (patch-lib_dns_hmac_link.c) = 60488a4c327ac6c2a42b80cb3a29af14a2e99f53
+SHA1 (patch-lib_dns_include_dst_dst.h) = 5ba823a239bb5583dc19a1954a79a7f4b5a0d15d
+SHA1 (patch-lib_dns_ncache.c) = 6ff95cf50d22c9d17e5c3b3a53dff39d5f3cf1bf
+SHA1 (patch-lib_dns_openssldh_link.c) = ede0820712cb10322bcf33b11055f9bbd18d9c00
+SHA1 (patch-lib_dns_openssldsa_link.c) = bb793e701b8eea8d1ad7f4e5f0059a0a51f44ad3
+SHA1 (patch-lib_dns_opensslecdsa_link.c) = dab239a7de0646f6f36c06d850b188627b5d1bcb
+SHA1 (patch-lib_dns_opensslsslrsa_link.c) = 02651bca011ecf81869b539c302690d05d7bbad4
 SHA1 (patch-lib_dns_rbt.c) = df4b029369d9fa3b250d8505b5f7590e2cd86654
+SHA1 (patch-lib_dns_rdata_generic_openpgpkey_61.c) = b834fba360f83784b792b08f8c0c401d21ee415c
+SHA1 (patch-lib_dns_resolver.c) = 6e1fa4c841113696891b0221e4e29ef6cd4ea4c1
 SHA1 (patch-lib_lwres_getaddrinfo.c) = cda91b6d1afa02de2c59d51490090ef4ab7f1a41
 SHA1 (patch-lib_lwres_getnameinfo.c) = 7ded70795a9001cce5c8094ef3f70ac787a6d43d
diff --git a/net/bind99/patches/patch-lib_dns_hmac_link.c b/net/bind99/patches/patch-lib_dns_hmac_link.c
new file mode 100644
index 00000000000..f3cdfed52a3
--- /dev/null
+++ b/net/bind99/patches/patch-lib_dns_hmac_link.c
@@ -0,0 +1,120 @@
+$NetBSD: patch-lib_dns_hmac_link.c,v 1.1 2015/09/02 19:44:28 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/hmac_link.c.orig	2015-09-02 00:08:13.000000000 +0000
++++ lib/dns/hmac_link.c
+@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_co
+ 	hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
+ 	if (hmacmd5ctx == NULL)
+ 		return (ISC_R_NOMEMORY);
+-	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
++	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
+ 	dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
+ 	return (ISC_R_SUCCESS);
+ }
+@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, c
+ 	else if (hkey1 == NULL || hkey2 == NULL)
+ 		return (ISC_FALSE);
+ 
+-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
++	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
+ 		return (ISC_TRUE);
+ 	else
+ 		return (ISC_FALSE);
+@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pse
+ 	isc_buffer_t b;
+ 	isc_result_t ret;
+ 	unsigned int bytes;
+-	unsigned char data[ISC_SHA1_BLOCK_LENGTH];
++	unsigned char data[ISC_MD5_BLOCK_LENGTH];
+ 
+ 	UNUSED(callback);
+ 
+ 	bytes = (key->key_size + 7) / 8;
+-	if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+-		bytes = ISC_SHA1_BLOCK_LENGTH;
+-		key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
++	if (bytes > ISC_MD5_BLOCK_LENGTH) {
++		bytes = ISC_MD5_BLOCK_LENGTH;
++		key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
+ 	}
+ 
+-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
++	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ 	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+ 
+ 	if (ret != ISC_R_SUCCESS)
+@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pse
+ 	isc_buffer_init(&b, data, bytes);
+ 	isc_buffer_add(&b, bytes);
+ 	ret = hmacmd5_fromdns(key, &b);
+-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
++	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ 
+ 	return (ret);
+ }
+@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
+ 
+ 	memset(hkey->key, 0, sizeof(hkey->key));
+ 
+-	if (r.length > ISC_SHA1_BLOCK_LENGTH) {
++	if (r.length > ISC_MD5_BLOCK_LENGTH) {
+ 		isc_md5_init(&md5ctx);
+ 		isc_md5_update(&md5ctx, r.base, r.length);
+ 		isc_md5_final(&md5ctx, hkey->key);
+@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buff
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacmd5 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buf
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha1 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha224 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha256 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha384 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+@@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_b
+ 	key->key_size = keylen * 8;
+ 	key->keydata.hmacsha512 = hkey;
+ 
++	isc_buffer_forward(data, r.length);
++
+ 	return (ISC_R_SUCCESS);
+ }
+ 
diff --git a/net/bind99/patches/patch-lib_dns_include_dst_dst.h b/net/bind99/patches/patch-lib_dns_include_dst_dst.h
new file mode 100644
index 00000000000..a08550282c7
--- /dev/null
+++ b/net/bind99/patches/patch-lib_dns_include_dst_dst.h
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_dns_include_dst_dst.h,v 1.1 2015/09/02 19:44:28 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/include/dst/dst.h.orig	2015-09-02 00:08:13.000000000 +0000
++++ lib/dns/include/dst/dst.h
+@@ -69,6 +69,7 @@ typedef struct dst_context 	dst_context_
+ #define DST_ALG_HMACSHA256	163	/* XXXMPA */
+ #define DST_ALG_HMACSHA384	164	/* XXXMPA */
+ #define DST_ALG_HMACSHA512	165	/* XXXMPA */
++#define DST_ALG_INDIRECT	252
+ #define DST_ALG_PRIVATE		254
+ #define DST_ALG_EXPAND		255
+ #define DST_MAX_ALGS		255
diff --git a/net/bind99/patches/patch-lib_dns_ncache.c b/net/bind99/patches/patch-lib_dns_ncache.c
new file mode 100644
index 00000000000..c0b7f892c36
--- /dev/null
+++ b/net/bind99/patches/patch-lib_dns_ncache.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-lib_dns_ncache.c,v 1.1 2015/09/02 19:44:28 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/ncache.c.orig	2015-09-02 00:08:13.000000000 +0000
++++ lib/dns/ncache.c
+@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t
+ 		dns_name_fromregion(&tname, &remaining);
+ 		INSIST(remaining.length >= tname.length);
+ 		isc_buffer_forward(&source, tname.length);
+-		remaining.length -= tname.length;
+-		remaining.base += tname.length;
++		isc_region_consume(&remaining, tname.length);
+ 
+ 		INSIST(remaining.length >= 2);
+ 		type = isc_buffer_getuint16(&source);
+-		remaining.length -= 2;
+-		remaining.base += 2;
++		isc_region_consume(&remaining, 2);
+ 
+ 		if (type != dns_rdatatype_rrsig ||
+ 		    !dns_name_equal(&tname, name)) {
+@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t
+ 		INSIST(remaining.length >= 1);
+ 		trust = isc_buffer_getuint8(&source);
+ 		INSIST(trust <= dns_trust_ultimate);
+-		remaining.length -= 1;
+-		remaining.base += 1;
++		isc_region_consume(&remaining, 1);
+ 
+ 		raw = remaining.base;
+ 		count = raw[0] * 256 + raw[1];
diff --git a/net/bind99/patches/patch-lib_dns_openssldh_link.c b/net/bind99/patches/patch-lib_dns_openssldh_link.c
new file mode 100644
index 00000000000..b9e76d2adbd
--- /dev/null
+++ b/net/bind99/patches/patch-lib_dns_openssldh_link.c
@@ -0,0 +1,106 @@
+$NetBSD: patch-lib_dns_openssldh_link.c,v 1.1 2015/09/02 19:44:28 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/openssldh_link.c.orig	2015-09-02 00:08:13.000000000 +0000
++++ lib/dns/openssldh_link.c
+@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
+ 
+ static void
+ uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+-	*region->base++ = (val & 0xff00) >> 8;
+-	*region->base++ = (val & 0x00ff);
++	*region->base = (val & 0xff00) >> 8;
++	isc_region_consume(region, 1);
++	*region->base = (val & 0x00ff);
++	isc_region_consume(region, 1);
+ }
+ 
+ static isc_uint16_t
+@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) 
+ 	val = ((unsigned int)(cp[0])) << 8;
+ 	val |= ((unsigned int)(cp[1]));
+ 
+-	region->base += 2;
++	isc_region_consume(region, 2);
++
+ 	return (val);
+ }
+ 
+@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, is
+ 	}
+ 	else
+ 		BN_bn2bin(dh->p, r.base);
+-	r.base += plen;
++	isc_region_consume(&r, plen);
+ 
+ 	uint16_toregion(glen, &r);
+ 	if (glen > 0)
+ 		BN_bn2bin(dh->g, r.base);
+-	r.base += glen;
++	isc_region_consume(&r, glen);
+ 
+ 	uint16_toregion(publen, &r);
+ 	BN_bn2bin(dh->pub_key, r.base);
+-	r.base += publen;
++	isc_region_consume(&r, publen);
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
+@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	if (plen == 1 || plen == 2) {
+-		if (plen == 1)
+-			special = *r.base++;
+-		else
++		if (plen == 1) {
++			special = *r.base;
++			isc_region_consume(&r, 1);
++		} else {
+ 			special = uint16_fromregion(&r);
++		}
+ 		switch (special) {
+ 			case 1:
+ 				dh->p = &bn768;
+@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 				DH_free(dh);
+ 				return (DST_R_INVALIDPUBLICKEY);
+ 		}
+-	}
+-	else {
++	} else {
+ 		dh->p = BN_bin2bn(r.base, plen, NULL);
+-		r.base += plen;
++		isc_region_consume(&r, plen);
+ 	}
+ 
+ 	/*
+@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 				return (DST_R_INVALIDPUBLICKEY);
+ 			}
+ 		}
+-	}
+-	else {
++	} else {
+ 		if (glen == 0) {
+ 			DH_free(dh);
+ 			return (DST_R_INVALIDPUBLICKEY);
+ 		}
+ 		dh->g = BN_bin2bn(r.base, glen, NULL);
+ 	}
+-	r.base += glen;
++	isc_region_consume(&r, glen);
+ 
+ 	if (r.length < 2) {
+ 		DH_free(dh);
+@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_bu
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	dh->pub_key = BN_bin2bn(r.base, publen, NULL);
+-	r.base += publen;
++	isc_region_consume(&r, publen);
+ 
+ 	key->key_size = BN_num_bits(dh->p);
+ 
diff --git a/net/bind99/patches/patch-lib_dns_openssldsa_link.c b/net/bind99/patches/patch-lib_dns_openssldsa_link.c
new file mode 100644
index 00000000000..8db98ffdc60
--- /dev/null
+++ b/net/bind99/patches/patch-lib_dns_openssldsa_link.c
@@ -0,0 +1,103 @@
+$NetBSD: patch-lib_dns_openssldsa_link.c,v 1.1 2015/09/02 19:44:28 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/openssldsa_link.c.orig	2015-09-02 00:08:13.000000000 +0000
++++ lib/dns/openssldsa_link.c
+@@ -137,6 +137,7 @@ openssldsa_sign(dst_context_t *dctx, isc
+ 	DSA *dsa = key->keydata.dsa;
+ 	isc_region_t r;
+ 	DSA_SIG *dsasig;
++	unsigned int klen;
+ #if USE_EVP
+ 	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ 	EVP_PKEY *pkey;
+@@ -188,6 +189,7 @@ openssldsa_sign(dst_context_t *dctx, isc
+ 					       ISC_R_FAILURE));
+ 	}
+ 	free(sigbuf);
++
+ #elif 0
+ 	/* Only use EVP for the Digest */
+ 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
+@@ -209,11 +211,17 @@ openssldsa_sign(dst_context_t *dctx, isc
+ 					       "DSA_do_sign",
+ 					       DST_R_SIGNFAILURE));
+ #endif
+-	*r.base++ = (key->key_size - 512)/64;
++
++	klen = (key->key_size - 512)/64;
++	if (klen > 255)
++		return (ISC_R_FAILURE);
++	*r.base = klen;
++	isc_region_consume(&r, 1);
++
+ 	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	DSA_SIG_free(dsasig);
+ 	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+ 
+@@ -446,15 +454,16 @@ openssldsa_todns(const dst_key_t *key, i
+ 	if (r.length < (unsigned int) dnslen)
+ 		return (ISC_R_NOSPACE);
+ 
+-	*r.base++ = t;
++	*r.base = t;
++	isc_region_consume(&r, 1);
+ 	BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 	BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 	BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 	BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	isc_buffer_add(data, dnslen);
+ 
+@@ -479,29 +488,30 @@ openssldsa_fromdns(dst_key_t *key, isc_b
+ 		return (ISC_R_NOMEMORY);
+ 	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+ 
+-	t = (unsigned int) *r.base++;
++	t = (unsigned int) *r.base;
++	isc_region_consume(&r, 1);
+ 	if (t > 8) {
+ 		DSA_free(dsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	p_bytes = 64 + 8 * t;
+ 
+-	if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
++	if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ 		DSA_free(dsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 
+ 	dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
+-	r.base += ISC_SHA1_DIGESTLENGTH;
++	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ 
+ 	dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
+-	r.base += p_bytes;
++	isc_region_consume(&r, p_bytes);
+ 
+ 	key->key_size = p_bytes * 8;
+ 
diff --git a/net/bind99/patches/patch-lib_dns_opensslecdsa_link.c b/net/bind99/patches/patch-lib_dns_opensslecdsa_link.c
new file mode 100644
index 00000000000..c731c2164be
--- /dev/null
+++ b/net/bind99/patches/patch-lib_dns_opensslecdsa_link.c
@@ -0,0 +1,19 @@
+$NetBSD: patch-lib_dns_opensslecdsa_link.c,v 1.1 2015/09/02 19:44:28 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/opensslecdsa_link.c.orig	2015-09-02 00:08:13.000000000 +0000
++++ lib/dns/opensslecdsa_link.c
+@@ -159,9 +159,9 @@ opensslecdsa_sign(dst_context_t *dctx, i
+ 					       "ECDSA_do_sign",
+ 					       DST_R_SIGNFAILURE));
+ 	BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
+-	r.base += siglen / 2;
++	isc_region_consume(&r, siglen / 2);
+ 	BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
+-	r.base += siglen / 2;
++	isc_region_consume(&r, siglen / 2);
+ 	ECDSA_SIG_free(ecdsasig);
+ 	isc_buffer_add(sig, siglen);
+ 	ret = ISC_R_SUCCESS;
diff --git a/net/bind99/patches/patch-lib_dns_opensslsslrsa_link.c b/net/bind99/patches/patch-lib_dns_opensslsslrsa_link.c
new file mode 100644
index 00000000000..bdb47dc14ae
--- /dev/null
+++ b/net/bind99/patches/patch-lib_dns_opensslsslrsa_link.c
@@ -0,0 +1,64 @@
+$NetBSD: patch-lib_dns_opensslsslrsa_link.c,v 1.1 2015/09/02 19:44:28 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/opensslrsa_link.c.orig	2015-09-02 00:08:13.000000000 +0000
++++ lib/dns/opensslrsa_link.c
+@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 	RSA *rsa;
+ 	isc_region_t r;
+ 	unsigned int e_bytes;
++	unsigned int length;
+ #if USE_EVP
+ 	EVP_PKEY *pkey;
+ #endif
+@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 	isc_buffer_remainingregion(data, &r);
+ 	if (r.length == 0)
+ 		return (ISC_R_SUCCESS);
++	length = r.length;
+ 
+ 	rsa = RSA_new();
+ 	if (rsa == NULL)
+@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 		RSA_free(rsa);
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+-	e_bytes = *r.base++;
+-	r.length--;
++	e_bytes = *r.base;
++	isc_region_consume(&r, 1);
+ 
+ 	if (e_bytes == 0) {
+ 		if (r.length < 2) {
+ 			RSA_free(rsa);
+ 			return (DST_R_INVALIDPUBLICKEY);
+ 		}
+-		e_bytes = ((*r.base++) << 8);
+-		e_bytes += *r.base++;
+-		r.length -= 2;
++		e_bytes = (*r.base) << 8;
++		isc_region_consume(&r, 1);
++		e_bytes += *r.base;
++		isc_region_consume(&r, 1);
+ 	}
+ 
+ 	if (r.length < e_bytes) {
+@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
+ 		return (DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
+-	r.base += e_bytes;
+-	r.length -= e_bytes;
++	isc_region_consume(&r, e_bytes);
+ 
+ 	rsa->n = BN_bin2bn(r.base, r.length, NULL);
+ 
+ 	key->key_size = BN_num_bits(rsa->n);
+ 
+-	isc_buffer_forward(data, r.length);
++	isc_buffer_forward(data, length);
+ 
+ #if USE_EVP
+ 	pkey = EVP_PKEY_new();
diff --git a/net/bind99/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c b/net/bind99/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c
new file mode 100644
index 00000000000..c1ae2c0bb95
--- /dev/null
+++ b/net/bind99/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-lib_dns_rdata_generic_openpgpkey_61.c,v 1.1 2015/09/02 19:44:28 sevan Exp $
+
+CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
+failure in openpgpkey_61.c
+
+--- lib/dns/rdata/generic/openpgpkey_61.c.orig	2015-09-01 23:56:36.000000000 +0000
++++ lib/dns/rdata/generic/openpgpkey_61.c
+@@ -76,6 +76,8 @@ fromwire_openpgpkey(ARGS_FROMWIRE) {
+ 	 * Keyring.
+ 	 */
+ 	isc_buffer_activeregion(source, &sr);
++	if (sr.length < 1)
++		return (ISC_R_UNEXPECTEDEND);
+ 	isc_buffer_forward(source, sr.length);
+ 	return (mem_tobuffer(target, sr.base, sr.length));
+ }
diff --git a/net/bind99/patches/patch-lib_dns_resolver.c b/net/bind99/patches/patch-lib_dns_resolver.c
new file mode 100644
index 00000000000..1415488204e
--- /dev/null
+++ b/net/bind99/patches/patch-lib_dns_resolver.c
@@ -0,0 +1,28 @@
+$NetBSD: patch-lib_dns_resolver.c,v 1.3 2015/09/02 19:44:28 sevan Exp $
+
+CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
+assertion in buffer.c
+
+--- lib/dns/resolver.c.orig	2015-09-02 00:08:14.000000000 +0000
++++ lib/dns/resolver.c
+@@ -9058,6 +9058,12 @@ dns_resolver_algorithm_supported(dns_res
+ 
+ 	REQUIRE(VALID_RESOLVER(resolver));
+ 
++	/*
++	 * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
++	 */
++	if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
++		return (ISC_FALSE);
++
+ #if USE_ALGLOCK
+ 	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+ #endif
+@@ -9077,6 +9083,7 @@ dns_resolver_algorithm_supported(dns_res
+ #endif
+ 	if (found)
+ 		return (ISC_FALSE);
++
+ 	return (dst_algorithm_supported(alg));
+ }
+