| 1 |
commit: fe96aad50c79942fdd5fa760b018b44e2eb68df1 |
| 2 |
Author: Sven Wegener <swegener <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon Nov 27 17:32:38 2017 +0000 |
| 4 |
Commit: Sven Wegener <swegener <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Nov 27 17:36:52 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe96aad5 |
| 7 |
|
| 8 |
net-dns/pdns-recursor: Revision bump, security bug #638568 |
| 9 |
|
| 10 |
Package-Manager: Portage-2.3.14, Repoman-2.3.6 |
| 11 |
Signed-off-by: Sven Wegener <swegener <AT> gentoo.org> |
| 12 |
|
| 13 |
net-dns/pdns-recursor/Manifest | 4 +- |
| 14 |
.../pdns-recursor/files/CVE-2017-15090-4.0.6.patch | 15 ++++ |
| 15 |
.../pdns-recursor/files/CVE-2017-15092-4.0.6.patch | 85 ++++++++++++++++++++++ |
| 16 |
.../pdns-recursor/files/CVE-2017-15093-4.0.6.patch | 47 ++++++++++++ |
| 17 |
.../pdns-recursor/files/CVE-2017-15094-4.0.6.patch | 28 +++++++ |
| 18 |
.../pdns-recursor/pdns-recursor-4.0.6-r1.ebuild | 79 ++++++++++++++++++++ |
| 19 |
6 files changed, 256 insertions(+), 2 deletions(-) |
| 20 |
|
| 21 |
diff --git a/net-dns/pdns-recursor/Manifest b/net-dns/pdns-recursor/Manifest |
| 22 |
index 6d455d53240..add5cf30b79 100644 |
| 23 |
--- a/net-dns/pdns-recursor/Manifest |
| 24 |
+++ b/net-dns/pdns-recursor/Manifest |
| 25 |
@@ -1,2 +1,2 @@ |
| 26 |
-DIST pdns-recursor-4.0.6.tar.bz2 1105423 SHA256 f2182ac644268bb08b865a71351f11d75c5015ac0608a1469eb4c1cd5494d60d SHA512 2203fd96469deded1da677344485da221eec036b1ad9fb418a89cd4477d73f2a6fcf984a39b574561df6946f440ddf1982de20cd39d7204da9c27e74216d1159 WHIRLPOOL a2eece8a6cdfcd6c791cb6fa42053d524b4e54f1431d78345640d7f2d9f3079939c7905767abe65abb977bce45647fb7232d1148dac13737625ee4bfae221da8 |
| 27 |
-DIST pdns-recursor-4.1.0-rc3.tar.bz2 1191353 SHA256 0b8bc3fec4cd39c62e53993ab7a87fc1f2b3d200df071a401775f33e47392169 SHA512 141e3fcbf5e7c81ae0228fb7a15c599ef5ae41e2c2d169e2f7b4f57c6c832ac40d3e20302d219ba565c4a514b1297906684247a1a56cd740e3ea0bff4a7da51d WHIRLPOOL b6e1c3cb233aff0ac10e1d0d4b5e3de508cf657e1f3fa27c3692e38c90f7af82cc6afe499915d1dbd78cdd5d5eb2ec814b2f3ae86ae6a3f353321abfbe191691 |
| 28 |
+DIST pdns-recursor-4.0.6.tar.bz2 1105423 BLAKE2B 50cc52f118630d4d8ce9876c2e11494a3c972ec90003c40fea36801eb08bd8b6173f876e6f53eb672ad8ff3da04e669946740a50f653a21459f25c1137d91297 SHA512 2203fd96469deded1da677344485da221eec036b1ad9fb418a89cd4477d73f2a6fcf984a39b574561df6946f440ddf1982de20cd39d7204da9c27e74216d1159 |
| 29 |
+DIST pdns-recursor-4.1.0-rc3.tar.bz2 1191353 BLAKE2B fcbc6f08f962c9c2f459448770406734eff2caab43b615690e9d910b65327e45182aa2c9bcadadeaa6eb3984a8cb463849d5e001ffb98bb618966da5b8557a8a SHA512 141e3fcbf5e7c81ae0228fb7a15c599ef5ae41e2c2d169e2f7b4f57c6c832ac40d3e20302d219ba565c4a514b1297906684247a1a56cd740e3ea0bff4a7da51d |
| 30 |
|
| 31 |
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch |
| 32 |
new file mode 100644 |
| 33 |
index 00000000000..fa0bfd099ab |
| 34 |
--- /dev/null |
| 35 |
+++ b/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch |
| 36 |
@@ -0,0 +1,15 @@ |
| 37 |
+diff -ru pdns-recursor-4.0.6.orig/validate-recursor.cc pdns-recursor-4.0.6/validate-recursor.cc |
| 38 |
+--- pdns-recursor-4.0.6.orig/validate-recursor.cc 2017-07-04 17:43:07.000000000 +0200 |
| 39 |
++++ pdns-recursor-4.0.6/validate-recursor.cc 2017-11-02 18:29:16.612520450 +0100 |
| 40 |
+@@ -87,6 +87,11 @@ |
| 41 |
+ bool first = true; |
| 42 |
+ for(const auto& csp : cspmap) { |
| 43 |
+ for(const auto& sig : csp.second.signatures) { |
| 44 |
++ |
| 45 |
++ if (!csp.first.first.isPartOf(sig->d_signer)) { |
| 46 |
++ return increaseDNSSECStateCounter(Bogus); |
| 47 |
++ } |
| 48 |
++ |
| 49 |
+ vState newState = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here |
| 50 |
+ |
| 51 |
+ if (newState == Bogus) // No hope |
| 52 |
|
| 53 |
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch |
| 54 |
new file mode 100644 |
| 55 |
index 00000000000..1425c33586c |
| 56 |
--- /dev/null |
| 57 |
+++ b/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch |
| 58 |
@@ -0,0 +1,85 @@ |
| 59 |
+diff -ru pdns-recursor-4.0.6.orig/html/local.js pdns-recursor-4.0.6/html/local.js |
| 60 |
+--- pdns-recursor-4.0.6.orig/html/local.js 2017-07-04 17:43:07.000000000 +0200 |
| 61 |
++++ pdns-recursor-4.0.6/html/local.js 2017-11-02 18:26:04.624586674 +0100 |
| 62 |
+@@ -63,7 +63,7 @@ |
| 63 |
+ |
| 64 |
+ $.getJSON(qstring, |
| 65 |
+ function(data) { |
| 66 |
+- var bouw="<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr>"; |
| 67 |
++ var table = $('<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr></table>'); |
| 68 |
+ var num=0; |
| 69 |
+ var total=0, rest=0; |
| 70 |
+ $.each(data["entries"], function(a,b) { |
| 71 |
+@@ -75,12 +75,26 @@ |
| 72 |
+ if(b[1].length > 25) |
| 73 |
+ b[1]=b[1].substring(0,25); |
| 74 |
+ |
| 75 |
+- bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>"); |
| 76 |
+- }); |
| 77 |
+- bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>"; |
| 78 |
+- bouw=bouw+"</table>"; |
| 79 |
+- $("#queryring").html(bouw); |
| 80 |
+- |
| 81 |
++ var line = $('<tr />'); |
| 82 |
++ var number = $('<td />'); |
| 83 |
++ number.text(b[0]); |
| 84 |
++ var domain = $('<td />'); |
| 85 |
++ domain.text(b[1]); |
| 86 |
++ var type = $('<td />'); |
| 87 |
++ type.text(b[2]); |
| 88 |
++ line.append(number); |
| 89 |
++ line.append(domain); |
| 90 |
++ line.append(type); |
| 91 |
++ table.append(line); |
| 92 |
++ }); |
| 93 |
++ var line = $('<tr />'); |
| 94 |
++ var number = $('<td />'); |
| 95 |
++ number.text(rest); |
| 96 |
++ var label = $('<td>Rest</td>'); |
| 97 |
++ line.append(number); |
| 98 |
++ line.append(label); |
| 99 |
++ table.append(line); |
| 100 |
++ $("#queryring").html(table); |
| 101 |
+ }); |
| 102 |
+ |
| 103 |
+ filtered=$("#filter2").is(':checked') |
| 104 |
+@@ -91,7 +105,7 @@ |
| 105 |
+ |
| 106 |
+ $.getJSON(qstring, |
| 107 |
+ function(data) { |
| 108 |
+- var bouw="<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr>"; |
| 109 |
++ var table = $('<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr></table>'); |
| 110 |
+ var num=0, total=0, rest=0; |
| 111 |
+ $.each(data["entries"], function(a,b) { |
| 112 |
+ total+=b[0]; |
| 113 |
+@@ -101,11 +115,26 @@ |
| 114 |
+ } |
| 115 |
+ if(b[1].length > 25) |
| 116 |
+ b[1]=b[1].substring(0,25); |
| 117 |
+- bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>"); |
| 118 |
++ var line = $('<tr />'); |
| 119 |
++ var number = $('<td />'); |
| 120 |
++ number.text(b[0]); |
| 121 |
++ var domain = $('<td />'); |
| 122 |
++ domain.text(b[1]); |
| 123 |
++ var type = $('<td />'); |
| 124 |
++ type.text(b[2]); |
| 125 |
++ line.append(number); |
| 126 |
++ line.append(domain); |
| 127 |
++ line.append(type); |
| 128 |
++ table.append(line); |
| 129 |
+ }); |
| 130 |
+- bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>"; |
| 131 |
+- bouw=bouw+"</table>"; |
| 132 |
+- $("#servfailqueryring").html(bouw); |
| 133 |
++ var line = $('<tr />'); |
| 134 |
++ var number = $('<td />'); |
| 135 |
++ number.text(rest); |
| 136 |
++ var label = $('<td>Rest</td>'); |
| 137 |
++ line.append(number); |
| 138 |
++ line.append(label); |
| 139 |
++ table.append(line); |
| 140 |
++ $("#servfailqueryring").html(table); |
| 141 |
+ |
| 142 |
+ }); |
| 143 |
+ |
| 144 |
|
| 145 |
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch |
| 146 |
new file mode 100644 |
| 147 |
index 00000000000..2695830b442 |
| 148 |
--- /dev/null |
| 149 |
+++ b/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch |
| 150 |
@@ -0,0 +1,47 @@ |
| 151 |
+diff -ru pdns-recursor-4.0.6.orig/ws-recursor.cc pdns-recursor-4.0.6/ws-recursor.cc |
| 152 |
+--- pdns-recursor-4.0.6.orig/ws-recursor.cc 2017-07-04 17:43:07.000000000 +0200 |
| 153 |
++++ pdns-recursor-4.0.6/ws-recursor.cc 2017-11-02 18:13:55.762458134 +0100 |
| 154 |
+@@ -76,10 +76,11 @@ |
| 155 |
+ throw ApiException("'value' must be an array"); |
| 156 |
+ } |
| 157 |
+ |
| 158 |
++ NetmaskGroup nmg; |
| 159 |
+ for (auto value : jlist.array_items()) { |
| 160 |
+ try { |
| 161 |
+- Netmask(value.string_value()); |
| 162 |
+- } catch (NetmaskException &e) { |
| 163 |
++ nmg.addMask(value.string_value()); |
| 164 |
++ } catch (const NetmaskException &e) { |
| 165 |
+ throw ApiException(e.reason); |
| 166 |
+ } |
| 167 |
+ } |
| 168 |
+@@ -91,9 +92,7 @@ |
| 169 |
+ |
| 170 |
+ // Clear allow-from, and provide a "parent" value |
| 171 |
+ ss << "allow-from=" << endl; |
| 172 |
+- for (auto value : jlist.array_items()) { |
| 173 |
+- ss << "allow-from+=" << value.string_value() << endl; |
| 174 |
+- } |
| 175 |
++ ss << "allow-from+=" << nmg.toString() << endl; |
| 176 |
+ |
| 177 |
+ apiWriteConfigFile("allow-from", ss.str()); |
| 178 |
+ |
| 179 |
+@@ -201,10 +200,15 @@ |
| 180 |
+ if (server == "") { |
| 181 |
+ throw ApiException("Forwarded-to server must not be an empty string"); |
| 182 |
+ } |
| 183 |
+- if (!serverlist.empty()) { |
| 184 |
+- serverlist += ";"; |
| 185 |
++ try { |
| 186 |
++ ComboAddress ca = parseIPAndPort(server, 53); |
| 187 |
++ if (!serverlist.empty()) { |
| 188 |
++ serverlist += ";"; |
| 189 |
++ } |
| 190 |
++ serverlist += ca.toStringWithPort(); |
| 191 |
++ } catch (const PDNSException &e) { |
| 192 |
++ throw ApiException(e.reason); |
| 193 |
+ } |
| 194 |
+- serverlist += server; |
| 195 |
+ } |
| 196 |
+ if (serverlist == "") |
| 197 |
+ throw ApiException("Need at least one upstream server when forwarding"); |
| 198 |
|
| 199 |
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch |
| 200 |
new file mode 100644 |
| 201 |
index 00000000000..ee7cf6878d9 |
| 202 |
--- /dev/null |
| 203 |
+++ b/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch |
| 204 |
@@ -0,0 +1,28 @@ |
| 205 |
+diff -ru pdns-recursor-4.0.6.orig/opensslsigners.cc pdns-recursor-4.0.6/opensslsigners.cc |
| 206 |
+--- pdns-recursor-4.0.6.orig/opensslsigners.cc 2017-07-04 17:43:07.000000000 +0200 |
| 207 |
++++ pdns-recursor-4.0.6/opensslsigners.cc 2017-11-02 18:18:37.489408103 +0100 |
| 208 |
+@@ -474,7 +474,7 @@ |
| 209 |
+ if (iqmp == NULL) { |
| 210 |
+ RSA_free(key); |
| 211 |
+ BN_clear_free(dmq1); |
| 212 |
+- BN_clear_free(iqmp); |
| 213 |
++ BN_clear_free(dmp1); |
| 214 |
+ throw runtime_error(getName()+" allocation of BIGNUM iqmp failed"); |
| 215 |
+ } |
| 216 |
+ RSA_set0_crt_params(key, dmp1, dmq1, iqmp); |
| 217 |
+@@ -562,6 +562,7 @@ |
| 218 |
+ BIGNUM *n = BN_bin2bn((unsigned char*)modulus.c_str(), modulus.length(), NULL); |
| 219 |
+ if (!n) { |
| 220 |
+ RSA_free(key); |
| 221 |
++ BN_clear_free(e); |
| 222 |
+ throw runtime_error(getName()+" error loading n value of public key"); |
| 223 |
+ } |
| 224 |
+ |
| 225 |
+@@ -866,6 +867,7 @@ |
| 226 |
+ |
| 227 |
+ int ret = EC_POINT_oct2point(d_ecgroup, pub_key, (unsigned char*) ecdsaPoint.c_str(), ecdsaPoint.length(), d_ctx); |
| 228 |
+ if (ret != 1) { |
| 229 |
++ EC_POINT_free(pub_key); |
| 230 |
+ throw runtime_error(getName()+" reading ECP point from binary failed"); |
| 231 |
+ } |
| 232 |
+ |
| 233 |
|
| 234 |
diff --git a/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild b/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild |
| 235 |
new file mode 100644 |
| 236 |
index 00000000000..f9b248316b3 |
| 237 |
--- /dev/null |
| 238 |
+++ b/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild |
| 239 |
@@ -0,0 +1,79 @@ |
| 240 |
+# Copyright 1999-2017 Gentoo Foundation |
| 241 |
+# Distributed under the terms of the GNU General Public License v2 |
| 242 |
+ |
| 243 |
+EAPI="6" |
| 244 |
+ |
| 245 |
+inherit toolchain-funcs flag-o-matic eutils versionator |
| 246 |
+ |
| 247 |
+DESCRIPTION="The PowerDNS Recursor" |
| 248 |
+HOMEPAGE="https://www.powerdns.com/" |
| 249 |
+SRC_URI="https://downloads.powerdns.com/releases/${P/_/-}.tar.bz2" |
| 250 |
+ |
| 251 |
+LICENSE="GPL-2" |
| 252 |
+SLOT="0" |
| 253 |
+KEYWORDS="~amd64 ~arm ~x86" |
| 254 |
+IUSE="lua luajit protobuf systemd" |
| 255 |
+REQUIRED_USE="?? ( lua luajit )" |
| 256 |
+ |
| 257 |
+DEPEND="lua? ( >=dev-lang/lua-5.1:= ) |
| 258 |
+ luajit? ( dev-lang/luajit:= ) |
| 259 |
+ protobuf? ( |
| 260 |
+ dev-libs/protobuf |
| 261 |
+ >=dev-libs/boost-1.42:= |
| 262 |
+ ) |
| 263 |
+ systemd? ( sys-apps/systemd:0= ) |
| 264 |
+ >=dev-libs/boost-1.35:=" |
| 265 |
+RDEPEND="${DEPEND} |
| 266 |
+ !<net-dns/pdns-2.9.20-r1" |
| 267 |
+DEPEND="${DEPEND} |
| 268 |
+ virtual/pkgconfig" |
| 269 |
+ |
| 270 |
+S="${WORKDIR}"/${P/_/-} |
| 271 |
+ |
| 272 |
+PATCHES=( |
| 273 |
+ "${FILESDIR}"/CVE-2017-{15090,15092,15093,15094}-4.0.6.patch |
| 274 |
+) |
| 275 |
+ |
| 276 |
+pkg_setup() { |
| 277 |
+ filter-flags -ftree-vectorize |
| 278 |
+} |
| 279 |
+ |
| 280 |
+src_configure() { |
| 281 |
+ econf \ |
| 282 |
+ --sysconfdir=/etc/powerdns \ |
| 283 |
+ $(use_enable systemd) \ |
| 284 |
+ $(use_with lua) \ |
| 285 |
+ $(use_with luajit) \ |
| 286 |
+ $(use_with protobuf) |
| 287 |
+} |
| 288 |
+ |
| 289 |
+src_install() { |
| 290 |
+ default |
| 291 |
+ |
| 292 |
+ mv "${D}"/etc/powerdns/recursor.conf{-dist,} |
| 293 |
+ |
| 294 |
+ # set defaults: setuid=nobody, setgid=nobody |
| 295 |
+ sed -i \ |
| 296 |
+ -e 's/^# set\([ug]\)id=$/set\1id=nobody/' \ |
| 297 |
+ -e 's/^# quiet=$/quiet=on/' \ |
| 298 |
+ -e 's/^# chroot=$/chroot=\/var\/lib\/powerdns/' \ |
| 299 |
+ "${D}"/etc/powerdns/recursor.conf |
| 300 |
+ |
| 301 |
+ newinitd "${FILESDIR}"/pdns-recursor-r1 pdns-recursor |
| 302 |
+ |
| 303 |
+ keepdir /var/lib/powerdns |
| 304 |
+} |
| 305 |
+ |
| 306 |
+pkg_postinst() { |
| 307 |
+ local old |
| 308 |
+ |
| 309 |
+ for old in ${REPLACING_VERSIONS}; do |
| 310 |
+ version_compare ${old} 4.0.0-r1 |
| 311 |
+ [[ $? -eq 1 ]] || continue |
| 312 |
+ |
| 313 |
+ ewarn "Starting with 4.0.0-r1 the init script has been renamed from precursor" |
| 314 |
+ ewarn "to pdns-recursor, please update your runlevels accordingly." |
| 315 |
+ |
| 316 |
+ break |
| 317 |
+ done |
| 318 |
+} |
Archives