pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/opendnssec Add a couple of patches I have bee...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/c96d64cfcf94
branches:  trunk
changeset: 349847:c96d64cfcf94
user:      he <he%pkgsrc.org@localhost>
date:      Sat Jul 16 19:49:07 2016 +0000

description:
Add a couple of patches I have been using with opendnssec in our
installation:
 * Log the zone before triggering the "part->soamin" assert.
   We've seen this fire with older versions, but it's a while
   since I saw it happen.  This is to provide more debugging info
   should it fire.
 * If an .ixfr journal file is detected as "corrupted", rename it
   to <zone>.ixfr-bad instead of unlinking it, which would leave
   no trace of OpenDNSSEC's own wrongdoing.
 * If the signer is exposed, avoid a potential DoS vector with a
   crafted message.
Bump PKGREVISION.

diffstat:

 security/opendnssec/Makefile                               |   3 +-
 security/opendnssec/distinfo                               |   5 +-
 security/opendnssec/patches/patch-signer_src_signer_ixfr.c |  17 +++++++
 security/opendnssec/patches/patch-signer_src_signer_zone.c |  30 ++++++++++++++
 security/opendnssec/patches/patch-signer_src_wire_query.c  |  18 ++++++++
 5 files changed, 71 insertions(+), 2 deletions(-)

diffs (106 lines):

diff -r e8f63f006b7e -r c96d64cfcf94 security/opendnssec/Makefile
--- a/security/opendnssec/Makefile      Sat Jul 16 14:28:49 2016 +0000
+++ b/security/opendnssec/Makefile      Sat Jul 16 19:49:07 2016 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.57 2016/06/08 08:35:10 he Exp $
+# $NetBSD: Makefile,v 1.58 2016/07/16 19:49:07 he Exp $
 #
 
 DISTNAME=      opendnssec-1.4.10
+PKGREVISION=   1
 CATEGORIES=    security net
 MASTER_SITES=  http://www.opendnssec.org/files/source/
 
diff -r e8f63f006b7e -r c96d64cfcf94 security/opendnssec/distinfo
--- a/security/opendnssec/distinfo      Sat Jul 16 14:28:49 2016 +0000
+++ b/security/opendnssec/distinfo      Sat Jul 16 19:49:07 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.33 2016/06/08 08:35:10 he Exp $
+$NetBSD: distinfo,v 1.34 2016/07/16 19:49:07 he Exp $
 
 SHA1 (opendnssec-1.4.10.tar.gz) = c83c452b9951df8dd784d7c39aae90363f1a1213
 RMD160 (opendnssec-1.4.10.tar.gz) = 0ee7e1b282da6839be919b18faf9fbe567bfc130
@@ -7,3 +7,6 @@
 SHA1 (patch-aa) = 104e077af6c368cbb5fc3034d58b2f2249fcf991
 SHA1 (patch-enforcer_utils_Makefile.am) = 80915dee723535e5854e62bc18f00ba2d5d7496c
 SHA1 (patch-enforcer_utils_Makefile.in) = 6c1b4ad25956bfcc8b410a8ca22f2581e64198d1
+SHA1 (patch-signer_src_signer_ixfr.c) = 74c2c320080e585a6126e146c453998f44c164f7
+SHA1 (patch-signer_src_signer_zone.c) = 0330236f11ccab7ed83b73bc83d851f932124318
+SHA1 (patch-signer_src_wire_query.c) = ab60e229687be910be9acd0a43d47987498de070
diff -r e8f63f006b7e -r c96d64cfcf94 security/opendnssec/patches/patch-signer_src_signer_ixfr.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/opendnssec/patches/patch-signer_src_signer_ixfr.c        Sat Jul 16 19:49:07 2016 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-signer_src_signer_ixfr.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+The part->soamin assertion seems to trigger.
+Be helpful and log the zone name before the assert.
+
+--- signer/src/signer/ixfr.c.orig      2016-01-21 14:31:54.000000000 +0000
++++ signer/src/signer/ixfr.c
+@@ -227,6 +227,9 @@ part_print(FILE* fd, ixfr_type* ixfr, si
+     }
+     ods_log_assert(part->min);
+     ods_log_assert(part->plus);
++    if (!part->soamin) {
++      ods_log_error("[%s] zone %s no part->soamin", ixfr_str, zone->name);
++    }
+     ods_log_assert(part->soamin);
+     ods_log_assert(part->soaplus);
+     if (util_rr_print(fd, part->soamin) != ODS_STATUS_OK) {
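Review bot: the new `ods_log_error()` call dereferences `zone->name`, but nothing in the visible context of `part_print(FILE* fd, ixfr_type* ixfr, si...)` shows where `zone` comes from; confirm it is a valid local in this function and cannot be NULL there, otherwise the diagnostic itself can fault before the `ods_log_assert(part->soamin)` it is meant to explain. Note also that this only adds a log line: the assert still fires and takes the signer down on the same input, so this is instrumentation for the crash, not a fix for it. Minor: the added lines are indented with two spaces where the surrounding code uses four.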
diff -r e8f63f006b7e -r c96d64cfcf94 security/opendnssec/patches/patch-signer_src_signer_zone.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/opendnssec/patches/patch-signer_src_signer_zone.c        Sat Jul 16 19:49:07 2016 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-signer_src_signer_zone.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+For debugging, save any corrupted ixfr journal files as <zone>.ixfr-bad.
+
+--- signer/src/signer/zone.c.orig      2016-05-02 10:40:02.000000000 +0000
++++ signer/src/signer/zone.c
+@@ -1028,12 +1028,22 @@ zone_recover2(zone_type* zone)
+             fd = ods_fopen(filename, NULL, "r");
+         }
+         if (fd) {
++          char *badfn = NULL;
++
+             status = backup_read_ixfr(fd, zone);
+             if (status != ODS_STATUS_OK) {
+                 ods_log_warning("[%s] corrupted journal file zone %s, "
+                     "skipping (%s)", zone_str, zone->name,
+                     ods_status2str(status));
+-                (void)unlink(filename);
++              badfn = ods_build_path(zone->name, ".ixfr-bad", 0, 1);
++              if (badfn) {
++                  (void)rename(filename, badfn);
++                  ods_log_warning("[%s] corrupted journal for zone %s "
++                      "saved as %s", zone_str, zone->name, badfn);
++                  free(badfn);
++              } else {
++                    (void)unlink(filename);
++              }
+                 ixfr_cleanup(zone->ixfr);
+                 zone->ixfr = ixfr_create((void*)zone);
+             }
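Review bot: the return value of `rename(filename, badfn)` is discarded, yet the `ods_log_warning()` that follows unconditionally reports the journal as "saved as %s"; if the rename fails (permissions, or `badfn` landing on a different filesystem), the corrupted file stays where it was, the log claims it was preserved, and the same corrupted journal is read again on the next `zone_recover2()`. Check the result and keep the old behaviour as the fallback, e.g. `if (rename(filename, badfn) != 0) { /* log strerror(errno) */ (void)unlink(filename); }`. Also, `rename()` overwrites any existing `<zone>.ixfr-bad`, so only the most recent corrupted journal per zone survives; acceptable for debugging, but worth stating in the patch header. Minor: the added block mixes two- and four-space indentation.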
diff -r e8f63f006b7e -r c96d64cfcf94 security/opendnssec/patches/patch-signer_src_wire_query.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/opendnssec/patches/patch-signer_src_wire_query.c Sat Jul 16 19:49:07 2016 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-signer_src_wire_query.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+Add a check for whether we have an RRset in the query,
+to side-step DoS via crafted packet.
+
+--- signer/src/wire/query.c.orig       2016-05-02 10:40:02.000000000 +0000
++++ signer/src/wire/query.c
+@@ -869,6 +869,10 @@ query_process(query_type* q, void* engin
+         return query_formerr(q);
+     }
+     rr = ldns_rr_list_rr(ldns_pkt_question(pkt), 0);
++    if (rr == NULL) {
++      ods_log_debug("[%s] no RRset in query, ignoring", query_str);
++      return QUERY_DISCARDED; /* no RRset in query */
++    }
+     lock_basic_lock(&e->zonelist->zl_lock);
+     /* we can just lookup the zone, because we will only handle SOA queries,
+        zone transfers, updates and notifies */
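Review bot: an empty question section is silently dropped here (`QUERY_DISCARDED`, logged only at debug level), whereas the malformed-query cases immediately above return `query_formerr(q)`; pick one behaviour deliberately and say why in the patch header. Dropping is defensible for a suspected DoS source, but a debug-only message means operators running at the default log level will never see crafted packets of this kind, so consider a higher severity or a counter. Also confirm that `ldns_pkt_question(pkt)` itself cannot be NULL at this point, since it is passed straight into `ldns_rr_list_rr()` before the new check runs. Minor: two-space indentation in the added lines versus four in the surrounding code.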


