pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/security/opendnssec Add a couple of patches I have bee...
details: https://anonhg.NetBSD.org/pkgsrc/rev/c96d64cfcf94
branches: trunk
changeset: 349847:c96d64cfcf94
user: he <he%pkgsrc.org@localhost>
date: Sat Jul 16 19:49:07 2016 +0000
description:
Add a couple of patches I have been using with opendnssec in our
installation:
* Log the zone before triggering the "part->soamin" assert.
We've seen this fire with older versions, but it's a while
since I saw it happen. This is to provide more debugging info
should it fire.
* If an .ixfr journal file is detected as "corrupted", rename it
to <zone>.ixfr-bad instead of unlinking it, which would leave
no trace of OpenDNSSEC's own wrongdoing.
* If the signer is exposed, avoid a potential DoS vector with a
crafted message.
Bump PKGREVISION.
diffstat:
security/opendnssec/Makefile | 3 +-
security/opendnssec/distinfo | 5 +-
security/opendnssec/patches/patch-signer_src_signer_ixfr.c | 17 +++++++
security/opendnssec/patches/patch-signer_src_signer_zone.c | 30 ++++++++++++++
security/opendnssec/patches/patch-signer_src_wire_query.c | 18 ++++++++
5 files changed, 71 insertions(+), 2 deletions(-)
diffs (106 lines):
diff -r e8f63f006b7e -r c96d64cfcf94 security/opendnssec/Makefile
--- a/security/opendnssec/Makefile Sat Jul 16 14:28:49 2016 +0000
+++ b/security/opendnssec/Makefile Sat Jul 16 19:49:07 2016 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.57 2016/06/08 08:35:10 he Exp $
+# $NetBSD: Makefile,v 1.58 2016/07/16 19:49:07 he Exp $
#
DISTNAME= opendnssec-1.4.10
+PKGREVISION= 1
CATEGORIES= security net
MASTER_SITES= http://www.opendnssec.org/files/source/
diff -r e8f63f006b7e -r c96d64cfcf94 security/opendnssec/distinfo
--- a/security/opendnssec/distinfo Sat Jul 16 14:28:49 2016 +0000
+++ b/security/opendnssec/distinfo Sat Jul 16 19:49:07 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.33 2016/06/08 08:35:10 he Exp $
+$NetBSD: distinfo,v 1.34 2016/07/16 19:49:07 he Exp $
SHA1 (opendnssec-1.4.10.tar.gz) = c83c452b9951df8dd784d7c39aae90363f1a1213
RMD160 (opendnssec-1.4.10.tar.gz) = 0ee7e1b282da6839be919b18faf9fbe567bfc130
@@ -7,3 +7,6 @@
SHA1 (patch-aa) = 104e077af6c368cbb5fc3034d58b2f2249fcf991
SHA1 (patch-enforcer_utils_Makefile.am) = 80915dee723535e5854e62bc18f00ba2d5d7496c
SHA1 (patch-enforcer_utils_Makefile.in) = 6c1b4ad25956bfcc8b410a8ca22f2581e64198d1
+SHA1 (patch-signer_src_signer_ixfr.c) = 74c2c320080e585a6126e146c453998f44c164f7
+SHA1 (patch-signer_src_signer_zone.c) = 0330236f11ccab7ed83b73bc83d851f932124318
+SHA1 (patch-signer_src_wire_query.c) = ab60e229687be910be9acd0a43d47987498de070
diff -r e8f63f006b7e -r c96d64cfcf94 security/opendnssec/patches/patch-signer_src_signer_ixfr.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/opendnssec/patches/patch-signer_src_signer_ixfr.c Sat Jul 16 19:49:07 2016 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-signer_src_signer_ixfr.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+The part->soamin assertion seems to trigger.
+Be helpful and log the zone name before the assert.
+
+--- signer/src/signer/ixfr.c.orig 2016-01-21 14:31:54.000000000 +0000
++++ signer/src/signer/ixfr.c
+@@ -227,6 +227,9 @@ part_print(FILE* fd, ixfr_type* ixfr, si
+ }
+ ods_log_assert(part->min);
+ ods_log_assert(part->plus);
++ if (!part->soamin) {
++ ods_log_error("[%s] zone %s no part->soamin", ixfr_str, zone->name);
++ }
+ ods_log_assert(part->soamin);
+ ods_log_assert(part->soaplus);
+ if (util_rr_print(fd, part->soamin) != ODS_STATUS_OK) {
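Review bot: the added `ods_log_error` call references `zone->name`, but nothing in this hunk shows a `zone` variable in scope of `part_print(FILE* fd, ixfr_type* ixfr, ...)`; confirm it exists there (or obtain the zone name through `ixfr`) so that the build does not fail on the very line meant to add diagnostics. Also note the behaviour after the log line is unchanged: `ods_log_assert(part->soamin);` still fires and aborts the signer, so this patch improves the post-mortem, not availability, which the commit message should make explicit.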
diff -r e8f63f006b7e -r c96d64cfcf94 security/opendnssec/patches/patch-signer_src_signer_zone.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/opendnssec/patches/patch-signer_src_signer_zone.c Sat Jul 16 19:49:07 2016 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-signer_src_signer_zone.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+For debugging, save any corrupted ixfr journal files as <zone>.ixfr-bad.
+
+--- signer/src/signer/zone.c.orig 2016-05-02 10:40:02.000000000 +0000
++++ signer/src/signer/zone.c
+@@ -1028,12 +1028,22 @@ zone_recover2(zone_type* zone)
+ fd = ods_fopen(filename, NULL, "r");
+ }
+ if (fd) {
++ char *badfn = NULL;
++
+ status = backup_read_ixfr(fd, zone);
+ if (status != ODS_STATUS_OK) {
+ ods_log_warning("[%s] corrupted journal file zone %s, "
+ "skipping (%s)", zone_str, zone->name,
+ ods_status2str(status));
+- (void)unlink(filename);
++ badfn = ods_build_path(zone->name, ".ixfr-bad", 0, 1);
++ if (badfn) {
++ (void)rename(filename, badfn);
++ ods_log_warning("[%s] corrupted journal for zone %s "
++ "saved as %s", zone_str, zone->name, badfn);
++ free(badfn);
++ } else {
++ (void)unlink(filename);
++ }
+ ixfr_cleanup(zone->ixfr);
+ zone->ixfr = ixfr_create((void*)zone);
+ }
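Review bot: the return value of `(void)rename(filename, badfn);` is discarded, yet the following `ods_log_warning` unconditionally reports the journal as "saved as %s". If `rename()` fails (permissions, or `ods_build_path` yielding a path on another filesystem), the corrupted `.ixfr` file is left in place and the log claims otherwise; check the return value and fall back to the existing `(void)unlink(filename);` branch, with a warning, on failure. A second corruption of the same zone also overwrites the earlier `<zone>.ixfr-bad` silently, so the first piece of evidence is lost; if the purpose is forensics, consider refusing to clobber an existing file or adding a timestamp to the name.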
diff -r e8f63f006b7e -r c96d64cfcf94 security/opendnssec/patches/patch-signer_src_wire_query.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/opendnssec/patches/patch-signer_src_wire_query.c Sat Jul 16 19:49:07 2016 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-signer_src_wire_query.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+Add a check for whether we have an RRset in the query,
+to side-step DoS via crafted packet.
+
+--- signer/src/wire/query.c.orig 2016-05-02 10:40:02.000000000 +0000
++++ signer/src/wire/query.c
+@@ -869,6 +869,10 @@ query_process(query_type* q, void* engin
+ return query_formerr(q);
+ }
+ rr = ldns_rr_list_rr(ldns_pkt_question(pkt), 0);
++ if (rr == NULL) {
++ ods_log_debug("[%s] no RRset in query, ignoring", query_str);
++ return QUERY_DISCARDED; /* no RRset in query */
++ }
+ lock_basic_lock(&e->zonelist->zl_lock);
+ /* we can just lookup the zone, because we will only handle SOA queries,
+ zone transfers, updates and notifies */
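Review bot: the new `rr == NULL` check sits before `lock_basic_lock(&e->zonelist->zl_lock)`, so the early return leaks no lock, which is correct. Two points: the preceding malformed-query case returns `query_formerr(q)` while this one returns `QUERY_DISCARDED`; an empty question section is equally a format error, so either align the two responses or document why this case should be dropped without reply. And since this condition is exactly the crafted-packet case the commit message guards against, logging it only via `ods_log_debug` makes it invisible at default verbosity; a rate-limited warning or a counter would let operators detect the attempt rather than merely survive it.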