pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/net/powerdns-recursor Add upstream patch to fix CVE-20...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/ce779b553777
branches:  trunk
changeset: 643124:ce779b553777
user:      roy <roy%pkgsrc.org@localhost>
date:      Thu Dec 11 20:18:17 2014 +0000

description:
Add upstream patch to fix CVE-2014-8601.
Remove myself as maintainer.

diffstat:

 net/powerdns-recursor/Makefile                    |   6 +-
 net/powerdns-recursor/distinfo                    |   3 +-
 net/powerdns-recursor/patches/patch-CVE-2014-8601 |  60 +++++++++++++++++++++++
 3 files changed, 65 insertions(+), 4 deletions(-)

diffs (98 lines):

diff -r fcf499d70c4a -r ce779b553777 net/powerdns-recursor/Makefile
--- a/net/powerdns-recursor/Makefile    Thu Dec 11 20:18:09 2014 +0000
+++ b/net/powerdns-recursor/Makefile    Thu Dec 11 20:18:17 2014 +0000
@@ -1,13 +1,13 @@
-# $NetBSD: Makefile,v 1.15 2014/10/19 22:27:47 alnsn Exp $
+# $NetBSD: Makefile,v 1.16 2014/12/11 20:18:17 roy Exp $
 #
 
 DISTNAME=              pdns-recursor-3.3
-PKGREVISION=           4
+PKGREVISION=           5
 CATEGORIES=            net
 MASTER_SITES=          http://downloads.powerdns.com/releases/
 EXTRACT_SUFX=          .tar.bz2
 
-MAINTAINER=            roy%NetBSD.org@localhost
+MAINTAINER=            pkgsrc-users%NetBSD.org@localhost
 HOMEPAGE=              http://www.powerdns.com/
 COMMENT=               PowerDNS resolver/recursing nameserver
 LICENSE=               gnu-gpl-v2
diff -r fcf499d70c4a -r ce779b553777 net/powerdns-recursor/distinfo
--- a/net/powerdns-recursor/distinfo    Thu Dec 11 20:18:09 2014 +0000
+++ b/net/powerdns-recursor/distinfo    Thu Dec 11 20:18:17 2014 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.11 2013/06/27 10:56:22 wiz Exp $
+$NetBSD: distinfo,v 1.12 2014/12/11 20:18:17 roy Exp $
 
 SHA1 (pdns-recursor-3.3.tar.bz2) = 2f42955b8b8de355709e9072da2d5dbfadd7ffac
 RMD160 (pdns-recursor-3.3.tar.bz2) = 17bd7ac68892c3fca218c3dc3e70074dd9e748d6
 Size (pdns-recursor-3.3.tar.bz2) = 145785 bytes
+SHA1 (patch-CVE-2014-8601) = dae3dec54e53022183a8889eb1c741b00d08cd0b
 SHA1 (patch-Makefile) = 840d0be6dd7decf4b037efc4f9da05a97815ce8e
 SHA1 (patch-brg_endian.h) = 2fb9d3231e969b2be57d160b0952e11091ae6e26
 SHA1 (patch-cachecleaner.hh) = e9a9ade3fe63160eb897df959f6921b791122499
diff -r fcf499d70c4a -r ce779b553777 net/powerdns-recursor/patches/patch-CVE-2014-8601
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/powerdns-recursor/patches/patch-CVE-2014-8601 Thu Dec 11 20:18:17 2014 +0000
@@ -0,0 +1,60 @@
+$NetBSD: patch-CVE-2014-8601,v 1.1 2014/12/11 20:18:17 roy Exp $
+
+Upstream backported fix for CVE-2014-8601
+
+commit 62d189c81359c70821523d7ba9831d0f6e57b012
+Author: Your Name <you%example.com@localhost>
+Date:   Tue Dec 2 08:50:41 2014 +0000
+
+    backport query limiter to 3.3
+
+diff --git pdns_recursor.cc pdns_recursor.cc
+index 0f9b08f..3bb71e0 100644
+--- pdns_recursor.cc
++++ pdns_recursor.cc
+@@ -522,7 +522,14 @@ void startDoResolve(void *p)
+     bool variableAnswer = false;
+     // if there is a PowerDNSLua active, and it 'took' the query in preResolve, we don't launch beginResolve
+     if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) {
+-       res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
++      try {
++        res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
++      }
++      catch(ImmediateServFailException &e) {
++        L<<Logger::Error<<"Sending SERVFAIL during resolve of '"<<dc->d_mdp.d_qname<<"' because: "<<e.reason<<endl;
++
++        res = RCode::ServFail;
++      }
+ 
+       if(t_pdl->get()) {
+         if(res == RCode::NXDomain)
+diff --git a/syncres.cc b/syncres.cc
+index 4b05acf..08b2930 100644
+--- syncres.cc
++++ syncres.cc
+@@ -874,6 +874,7 @@ int SyncRes::doResolveAt(set<string, CIStringCompare> nameservers, string auth,
+           }
+           else {
+             s_outqueries++; d_outqueries++;
++            if(d_outqueries > 50) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname);
+           TryTCP:
+             if(doTCP) {
+               LOG<<prefix<<qname<<": using TCP with "<< remoteIP->toStringWithPort() <<endl;
+diff --git a/syncres.hh b/syncres.hh
+index e3249d2..6c151e0 100644
+--- syncres.hh
++++ syncres.hh
+@@ -502,6 +502,13 @@ private:
+   static AtomicCounter s_currentConnections; //!< total number of current TCP connections
+ };
+ 
++class ImmediateServFailException
++{
++public:
++  ImmediateServFailException(string r){reason=r;};
++
++  string reason; //! Print this to tell the user what went wrong
++};
+ 
+ struct RemoteKeeper
+ {
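Review bot: The throw added in `SyncRes::doResolveAt` is matched only by the single `catch` wrapped around `sr.beginResolve` in `startDoResolve`, and `ImmediateServFailException` in syncres.hh is a standalone class that does not derive from `std::exception`. No other caller is visible in these hunks, but any other path that reaches `doResolveAt` would let the exception bypass `std::exception` handlers, so it is worth confirming that every entry point is covered or deriving the class from `std::exception`. The cap is the literal 50 written twice on the syncres.cc line (once in the condition, once in the message); a named constant, e.g. `static const unsigned int maxOutQueries = 50;` (name constructed here), would keep the two in step and give packagers one place to tune it. The handler logs at `Logger::Error` with the client-supplied qname for every capped query, so a remote sender can produce one error line per request; a lower log level or rate limiting would bound that. The enclosing functions start and end outside the hunks.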


