net-dns/pdns-recursor: Revision bump, security bug #638568
authorSven Wegener <swegener@gentoo.org>
Mon, 27 Nov 2017 17:32:38 +0000 (17:32 +0000)
committerSven Wegener <swegener@gentoo.org>
Mon, 27 Nov 2017 17:36:52 +0000 (17:36 +0000)
Package-Manager: Portage-2.3.14, Repoman-2.3.6
Signed-off-by: Sven Wegener <swegener@gentoo.org>
net-dns/pdns-recursor/Manifest
net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch [new file with mode: 0644]
net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch [new file with mode: 0644]
net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch [new file with mode: 0644]
net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch [new file with mode: 0644]
net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild [new file with mode: 0644]

index 6d455d532405984be4955f37537a7022e106f7e0..add5cf30b79f76ad068a8789e6262ec24f20c102 100644 (file)
@@ -1,2 +1,2 @@
-DIST pdns-recursor-4.0.6.tar.bz2 1105423 SHA256 f2182ac644268bb08b865a71351f11d75c5015ac0608a1469eb4c1cd5494d60d SHA512 2203fd96469deded1da677344485da221eec036b1ad9fb418a89cd4477d73f2a6fcf984a39b574561df6946f440ddf1982de20cd39d7204da9c27e74216d1159 WHIRLPOOL a2eece8a6cdfcd6c791cb6fa42053d524b4e54f1431d78345640d7f2d9f3079939c7905767abe65abb977bce45647fb7232d1148dac13737625ee4bfae221da8
-DIST pdns-recursor-4.1.0-rc3.tar.bz2 1191353 SHA256 0b8bc3fec4cd39c62e53993ab7a87fc1f2b3d200df071a401775f33e47392169 SHA512 141e3fcbf5e7c81ae0228fb7a15c599ef5ae41e2c2d169e2f7b4f57c6c832ac40d3e20302d219ba565c4a514b1297906684247a1a56cd740e3ea0bff4a7da51d WHIRLPOOL b6e1c3cb233aff0ac10e1d0d4b5e3de508cf657e1f3fa27c3692e38c90f7af82cc6afe499915d1dbd78cdd5d5eb2ec814b2f3ae86ae6a3f353321abfbe191691
+DIST pdns-recursor-4.0.6.tar.bz2 1105423 BLAKE2B 50cc52f118630d4d8ce9876c2e11494a3c972ec90003c40fea36801eb08bd8b6173f876e6f53eb672ad8ff3da04e669946740a50f653a21459f25c1137d91297 SHA512 2203fd96469deded1da677344485da221eec036b1ad9fb418a89cd4477d73f2a6fcf984a39b574561df6946f440ddf1982de20cd39d7204da9c27e74216d1159
+DIST pdns-recursor-4.1.0-rc3.tar.bz2 1191353 BLAKE2B fcbc6f08f962c9c2f459448770406734eff2caab43b615690e9d910b65327e45182aa2c9bcadadeaa6eb3984a8cb463849d5e001ffb98bb618966da5b8557a8a SHA512 141e3fcbf5e7c81ae0228fb7a15c599ef5ae41e2c2d169e2f7b4f57c6c832ac40d3e20302d219ba565c4a514b1297906684247a1a56cd740e3ea0bff4a7da51d
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch
new file mode 100644 (file)
index 0000000..fa0bfd0
--- /dev/null
@@ -0,0 +1,15 @@
+diff -ru pdns-recursor-4.0.6.orig/validate-recursor.cc pdns-recursor-4.0.6/validate-recursor.cc
+--- pdns-recursor-4.0.6.orig/validate-recursor.cc      2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/validate-recursor.cc   2017-11-02 18:29:16.612520450 +0100
+@@ -87,6 +87,11 @@
+     bool first = true;
+     for(const auto& csp : cspmap) {
+       for(const auto& sig : csp.second.signatures) {
++
++        if (!csp.first.first.isPartOf(sig->d_signer)) {
++          return increaseDNSSECStateCounter(Bogus);
++        }
++
+         vState newState = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
+         if (newState == Bogus) // No hope
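Review bot: The patch file carries no provenance header — nothing before the `diff -ru` line records which upstream commit or advisory it backports, so a later maintainer can only match it to upstream by re-diffing; a leading line such as `Backport of the upstream fix for CVE-2017-15090 to 4.0.6; origin: <upstream commit id or advisory URL>` would fix that, and the same applies to the CVE-2017-15092, CVE-2017-15093 and CVE-2017-15094 patch files below. The added check would also benefit from a why-comment, since the only nearby comment is the pre-existing `// XXX check validity here`: assuming `csp.first.first` is the RRset owner name, something like `// a signer that is neither the owner name nor one of its ancestors can never validate this RRset (RFC 4035 §5.3.1); reject it before spending a key lookup on it` states the intent. The enclosing function starts and ends outside the hunk.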
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch
new file mode 100644 (file)
index 0000000..1425c33
--- /dev/null
@@ -0,0 +1,85 @@
+diff -ru pdns-recursor-4.0.6.orig/html/local.js pdns-recursor-4.0.6/html/local.js
+--- pdns-recursor-4.0.6.orig/html/local.js     2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/html/local.js  2017-11-02 18:26:04.624586674 +0100
+@@ -63,7 +63,7 @@
+       $.getJSON(qstring,
+                 function(data) {
+-                    var bouw="<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr>";
++                    var table = $('<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr></table>');
+                     var num=0;
+                     var total=0, rest=0;
+                     $.each(data["entries"], function(a,b) {
+@@ -75,12 +75,26 @@
+                         if(b[1].length > 25)
+                             b[1]=b[1].substring(0,25);
+-                        bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>");
+-                    });
+-                    bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>";
+-                    bouw=bouw+"</table>";
+-                    $("#queryring").html(bouw);
+-
++                        var line = $('<tr />');
++                        var number = $('<td />');
++                        number.text(b[0]);
++                        var domain = $('<td />');
++                        domain.text(b[1]);
++                        var type = $('<td />');
++                        type.text(b[2]);
++                        line.append(number);
++                        line.append(domain);
++                        line.append(type);
++                        table.append(line);
++                      });
++                    var line = $('<tr />');
++                    var number = $('<td />');
++                    number.text(rest);
++                    var label = $('<td>Rest</td>');
++                    line.append(number);
++                    line.append(label);
++                    table.append(line);
++                    $("#queryring").html(table);
+                 });
+       filtered=$("#filter2").is(':checked')
+@@ -91,7 +105,7 @@
+       $.getJSON(qstring, 
+                 function(data) {
+-                    var bouw="<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr>";
++                    var table = $('<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr></table>');
+                     var num=0, total=0, rest=0;
+                     $.each(data["entries"], function(a,b) {
+                         total+=b[0];
+@@ -101,11 +115,26 @@
+                         }
+                         if(b[1].length > 25)
+                             b[1]=b[1].substring(0,25);
+-                        bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>");
++                        var line = $('<tr />');
++                        var number = $('<td />');
++                        number.text(b[0]);
++                        var domain = $('<td />');
++                        domain.text(b[1]);
++                        var type = $('<td />');
++                        type.text(b[2]);
++                        line.append(number);
++                        line.append(domain);
++                        line.append(type);
++                        table.append(line);
+                     });
+-                    bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>";
+-                    bouw=bouw+"</table>";
+-                    $("#servfailqueryring").html(bouw);
++                    var line = $('<tr />');
++                    var number = $('<td />');
++                    number.text(rest);
++                    var label = $('<td>Rest</td>');
++                    line.append(number);
++                    line.append(label);
++                    table.append(line);
++                    $("#servfailqueryring").html(table);
+                 });
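Review bot: The `$.each` callback closer in the second hunk is re-indented to 22 columns (`++                      });`) while the identical closer in the fourth hunk keeps the file's 20-column indent; a whitespace-only change in a security backport makes it harder to compare against upstream and should be `+                    });` like its sibling. The rest of the rewrite is consistent: every value taken from `data["entries"]` and the `rest` counter now reaches the DOM through `.text()`, and only the fixed header row and the `Rest` label are still built from literal markup. The enclosing callbacks start outside the hunks.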
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch
new file mode 100644 (file)
index 0000000..2695830
--- /dev/null
@@ -0,0 +1,47 @@
+diff -ru pdns-recursor-4.0.6.orig/ws-recursor.cc pdns-recursor-4.0.6/ws-recursor.cc
+--- pdns-recursor-4.0.6.orig/ws-recursor.cc    2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/ws-recursor.cc 2017-11-02 18:13:55.762458134 +0100
+@@ -76,10 +76,11 @@
+       throw ApiException("'value' must be an array");
+     }
++    NetmaskGroup nmg;
+     for (auto value : jlist.array_items()) {
+       try {
+-        Netmask(value.string_value());
+-      } catch (NetmaskException &e) {
++        nmg.addMask(value.string_value());
++      } catch (const NetmaskException &e) {
+         throw ApiException(e.reason);
+       }
+     }
+@@ -91,9 +92,7 @@
+     // Clear allow-from, and provide a "parent" value
+     ss << "allow-from=" << endl;
+-    for (auto value : jlist.array_items()) {
+-      ss << "allow-from+=" << value.string_value() << endl;
+-    }
++    ss << "allow-from+=" << nmg.toString() << endl;
+     apiWriteConfigFile("allow-from", ss.str());
+@@ -201,10 +200,15 @@
+       if (server == "") {
+         throw ApiException("Forwarded-to server must not be an empty string");
+       }
+-      if (!serverlist.empty()) {
+-        serverlist += ";";
++      try {
++        ComboAddress ca = parseIPAndPort(server, 53);
++        if (!serverlist.empty()) {
++          serverlist += ";";
++        }
++        serverlist += ca.toStringWithPort();
++      } catch (const PDNSException &e) {
++        throw ApiException(e.reason);
+       }
+-      serverlist += server;
+     }
+     if (serverlist == "")
+       throw ApiException("Need at least one upstream server when forwarding");
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch
new file mode 100644 (file)
index 0000000..ee7cf68
--- /dev/null
@@ -0,0 +1,28 @@
+diff -ru pdns-recursor-4.0.6.orig/opensslsigners.cc pdns-recursor-4.0.6/opensslsigners.cc
+--- pdns-recursor-4.0.6.orig/opensslsigners.cc 2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/opensslsigners.cc      2017-11-02 18:18:37.489408103 +0100
+@@ -474,7 +474,7 @@
+   if (iqmp == NULL) {
+     RSA_free(key);
+     BN_clear_free(dmq1);
+-    BN_clear_free(iqmp);
++    BN_clear_free(dmp1);
+     throw runtime_error(getName()+" allocation of BIGNUM iqmp failed");
+   }
+   RSA_set0_crt_params(key, dmp1, dmq1, iqmp);
+@@ -562,6 +562,7 @@
+   BIGNUM *n = BN_bin2bn((unsigned char*)modulus.c_str(), modulus.length(), NULL);
+   if (!n) {
+     RSA_free(key);
++    BN_clear_free(e);
+     throw runtime_error(getName()+" error loading n value of public key");
+   }
+@@ -866,6 +867,7 @@
+   int ret = EC_POINT_oct2point(d_ecgroup, pub_key, (unsigned char*) ecdsaPoint.c_str(), ecdsaPoint.length(), d_ctx);
+   if (ret != 1) {
++    EC_POINT_free(pub_key);
+     throw runtime_error(getName()+" reading ECP point from binary failed");
+   }
diff --git a/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild b/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild
new file mode 100644 (file)
index 0000000..f9b2483
--- /dev/null
@@ -0,0 +1,79 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit toolchain-funcs flag-o-matic eutils versionator
+
+DESCRIPTION="The PowerDNS Recursor"
+HOMEPAGE="https://www.powerdns.com/"
+SRC_URI="https://downloads.powerdns.com/releases/${P/_/-}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="lua luajit protobuf systemd"
+REQUIRED_USE="?? ( lua luajit )"
+
+DEPEND="lua? ( >=dev-lang/lua-5.1:= )
+       luajit? ( dev-lang/luajit:= )
+       protobuf? (
+               dev-libs/protobuf
+               >=dev-libs/boost-1.42:=
+       )
+       systemd? ( sys-apps/systemd:0= )
+       >=dev-libs/boost-1.35:="
+RDEPEND="${DEPEND}
+       !<net-dns/pdns-2.9.20-r1"
+DEPEND="${DEPEND}
+       virtual/pkgconfig"
+
+S="${WORKDIR}"/${P/_/-}
+
+PATCHES=(
+       "${FILESDIR}"/CVE-2017-{15090,15092,15093,15094}-4.0.6.patch
+)
+
+pkg_setup() {
+       filter-flags -ftree-vectorize
+}
+
+src_configure() {
+       econf \
+               --sysconfdir=/etc/powerdns \
+               $(use_enable systemd) \
+               $(use_with lua) \
+               $(use_with luajit) \
+               $(use_with protobuf)
+}
+
+src_install() {
+       default
+
+       mv "${D}"/etc/powerdns/recursor.conf{-dist,}
+
+       # set defaults: setuid=nobody, setgid=nobody
+       sed -i \
+               -e 's/^# set\([ug]\)id=$/set\1id=nobody/' \
+               -e 's/^# quiet=$/quiet=on/' \
+               -e 's/^# chroot=$/chroot=\/var\/lib\/powerdns/' \
+               "${D}"/etc/powerdns/recursor.conf
+
+       newinitd "${FILESDIR}"/pdns-recursor-r1 pdns-recursor
+
+       keepdir /var/lib/powerdns
+}
+
+pkg_postinst() {
+       local old
+
+       for old in ${REPLACING_VERSIONS}; do
+               version_compare ${old} 4.0.0-r1
+               [[ $? -eq 1 ]] || continue
+
+               ewarn "Starting with 4.0.0-r1 the init script has been renamed from precursor"
+               ewarn "to pdns-recursor, please update your runlevels accordingly."
+
+               break
+       done
+}
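Review bot: `mv "${D}"/etc/powerdns/recursor.conf{-dist,}` and the `sed -i` that follows it in src_install are not followed by `|| die`, so if upstream renames the shipped config the mv fails, the sed fails on the missing file, and the install still succeeds — the package then ships with upstream defaults instead of the `setuid=nobody`, `setgid=nobody`, `quiet=on` and `chroot=/var/lib/powerdns` settings the sed is meant to apply. Append `|| die` to both: `mv "${D}"/etc/powerdns/recursor.conf{-dist,} || die` and `"${D}"/etc/powerdns/recursor.conf || die` on the sed's last line; `|| die` does not catch a commented default line that no longer matches the patterns, so a follow-up `grep -q '^chroot=/var/lib/powerdns$' "${D}"/etc/powerdns/recursor.conf || die` would close that gap too. The chroot path written by the sed is the directory created by `keepdir /var/lib/powerdns`, which deserves a one-line comment so the two stay in sync. `eutils` in the inherit line appears unused, since under EAPI 6 the PATCHES array is applied by the default src_prepare, though that is cosmetic.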