diffstat for pdns-recursor-3.5.3 pdns-recursor-3.5.3 changelog | 33 ++++++++++++ control | 3 - patches/CVE-2014-8601.patch | 58 ++++++++++++++++++++++ patches/CVE-2015-1868-2.patch | 19 +++++++ patches/CVE-2015-1868.patch | 32 ++++++++++++ patches/CVE-2016-7068.patch | 107 ++++++++++++++++++++++++++++++++++++++++++ patches/qtypes.patch | 49 +++++++++++++++++++ patches/series | 5 + 8 files changed, 305 insertions(+), 1 deletion(-)
diff -Nru pdns-recursor-3.5.3/debian/changelog pdns-recursor-3.5.3/debian/changelog
--- pdns-recursor-3.5.3/debian/changelog 2013-09-22 12:46:16.000000000 +0000
+++ pdns-recursor-3.5.3/debian/changelog 2017-01-17 21:11:18.000000000 +0000
@@ -1,3 +1,36 @@ +pdns-recursor (3.5.3-1ubuntu0.1) trusty-security; urgency=high + + * SECURITY UPDATE: + * References + * CVE-2014-8601: PowerDNS Recursor before 3.6.2 does not limit delegation + chaining, which allows remote attackers to cause a denial of service + ("performance degradations") via a large or infinite number of referrals, + as demonstrated by resolving domains hosted by ezdns.it. + - Added debian/patches/CVE-2014-8601.patch + * CVE-2015-1868: The label decompression functionality in PowerDNS Recursor + 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) + Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote + attackers to cause a denial of service (CPU consumption or crash) via a + request with a name that refers to itself. + - Added debian/patches/CVE-2015-1868.patch + * CVE-2015-5470: The label decompression functionality in PowerDNS Recursor + before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth) Server before + 3.3.3 and 3.4.x before 3.4.5 allows remote attackers to cause a denial of + service (CPU consumption or crash) via a request with a long name that + refers to itself. NOTE: this vulnerability exists because of an incomplete + fix for CVE-2015-1868. + - Added debian/patches/CVE-2015-1868-2.patch + * CVE-2016-7068: Florian Heinz and Martin Kluge reported that pdns-recursor + parses all records present in a query regardless of whether they are + needed or even legitimate, allowing a remote, unauthenticated attacker to + cause an abnormal CPU usage load on the pdns server, resulting in a + partial denial of service if the system becomes overloaded. 
+ - Added debian/patches/CVE-2016-7068.patch + * Add debian/patches/qtypes.patch so qtypes required for CVE-2016-7068.patch + are available + + -- Scott Kitterman Fri, 13 Jan 2017 15:20:50 -0500 + pdns-recursor (3.5.3-1) unstable; urgency=low * New upstream version diff -Nru pdns-recursor-3.5.3/debian/control pdns-recursor-3.5.3/debian/control --- pdns-recursor-3.5.3/debian/control 2013-08-24 14:15:01.000000000 +0000 +++ pdns-recursor-3.5.3/debian/control 2017-01-17 21:11:37.000000000 +0000 @@ -2,7 +2,8 @@ Section: net Priority: extra Standards-Version: 3.9.4 -Maintainer: Debian PowerDNS Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian PowerDNS Maintainers Uploaders: Matthijs Möhlmann , Marc Haber Build-Depends: debhelper (>= 9~), quilt, dpkg-dev (>= 1.10.17), libboost-dev, libboost-serialization-dev, liblua5.1-0-dev Vcs-Git: git://git.debian.org/pkg-pdns/pdns-recursor.git diff -Nru pdns-recursor-3.5.3/debian/patches/CVE-2014-8601.patch pdns-recursor-3.5.3/debian/patches/CVE-2014-8601.patch --- pdns-recursor-3.5.3/debian/patches/CVE-2014-8601.patch 1970-01-01 00:00:00.000000000 +0000 +++ pdns-recursor-3.5.3/debian/patches/CVE-2014-8601.patch 2017-01-17 20:48:32.000000000 +0000 
@@ -0,0 +1,58 @@ +Description: CVE-2014-8601: backport query limiter to 3.5.3 +Origin: backport, https://downloads.powerdns.com/patches/2014-02/3.5.3.patch +Bug: https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/1656931 +Forwarded: not-needed +Reviewed-by: Scott Kitterman +Last-Update: 2016-01-17 +--- + +diff --git a/pdns_recursor.cc b/pdns_recursor.cc +index dcadf1b..3708137 100644 +--- a/pdns_recursor.cc ++++ b/pdns_recursor.cc +@@ -533,7 +533,14 @@ void startDoResolve(void *p) + bool variableAnswer = false; + // if there is a RecursorLua active, and it 'took' the query in preResolve, we don't launch beginResolve + if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) { +- res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret); ++ try { ++ res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret); ++ } ++ catch(ImmediateServFailException &e) { ++ L<d_mdp.d_qname<<"' because: "<get()) { + if(res == RCode::NoError) { +diff --git a/syncres.cc b/syncres.cc +index afadfbc..f98f116 100644 +--- a/syncres.cc ++++ b/syncres.cc +@@ -915,6 +915,7 @@ int SyncRes::doResolveAt(set nameservers, string auth, + } + else { + s_outqueries++; d_outqueries++; ++ if(d_outqueries > 50) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname); + TryTCP: + if(doTCP) { + LOG(prefix<toStringWithPort() < +Last-Update: 2017-01-17 +--- + +--- pdns-recursor-3.5.3.orig/dnsparser.cc 2017-01-13 13:02:29.561478097 -0500 ++++ pdns-recursor-3.5.3/dnsparser.cc 2017-01-13 13:02:29.557478096 -0500 +@@ -470,6 +470,8 @@ + } + ret.append(1,'.'); + } ++ if (ret.length() > 1024) ++ throw MOADNSException("Total name too long"); + } + } + diff -Nru pdns-recursor-3.5.3/debian/patches/CVE-2015-1868.patch pdns-recursor-3.5.3/debian/patches/CVE-2015-1868.patch --- 
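Review bot: The catch handler wrapped around `sr.beginResolve` in pdns_recursor.cc is garbled in this copy (`L<d_mdp.d_qname<<"' because: "<get())`), so it cannot be seen whether `res` is set to `RCode::ServFail` before control reaches the `if(res == RCode::NoError)` test that follows; confirm against the upstream 3.5.3.patch that the handler ends with `res = RCode::ServFail;`, otherwise the reply carries whatever `res` held before the call. The limit in syncres.cc is a bare literal `50` with no comment; upstream later exposed the same limit as the `max-qperq` setting, so at least `// CVE-2014-8601: cap outgoing queries per client query (upstream setting: max-qperq)` should sit on that line. `ImmediateServFailException` is thrown and caught here but its declaration is not in the visible hunks — confirm the patch adds it (presumably in syncres.hh) or the build fails. `Last-Update: 2016-01-17` in the DEP-3 header looks like a typo for 2017 given the neighbouring patches. startDoResolve and doResolveAt both continue outside their hunks.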
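Review bot: The `ret.length() > 1024` check runs after the label and its `'.'` have already been appended, so `ret` can exceed the cap by one label before the exception fires — harmless for the DoS fix, but the constant deserves a comment, since 1024 is far above the 255-octet wire limit for a DNS name and nothing says why that value was chosen. Something like `// bound growth through pointer chains; well above the 255-octet name limit so legitimate names are never rejected` on the new line would do, with the reason for 1024 confirmed against the upstream patch. The DEP-3 header of this patch is fused with the preceding hunk in this copy, so its Origin and Description lines could not be checked. getLabelFromContent starts outside the hunk.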
pdns-recursor-3.5.3/debian/patches/CVE-2015-1868.patch 1970-01-01 00:00:00.000000000 +0000 +++ pdns-recursor-3.5.3/debian/patches/CVE-2015-1868.patch 2017-01-17 20:57:54.000000000 +0000 @@ -0,0 +1,32 @@ +Description: CVE-2015-1868: limit loop iterations during decompression to prevent DoS +Origin: https://downloads.powerdns.com/patches/2015-01/others.patch +Bug: https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/1656931 +Forwarded: not-needed +Author: Aki Tuomi +Reviewed-by: Scott Kitterman +Last-Update: 2017-01-17 +--- + +--- pdns-recursor-3.5.3.orig/dnsparser.cc 2017-01-13 12:59:06.053472869 -0500 ++++ pdns-recursor-3.5.3/dnsparser.cc 2017-01-13 12:59:06.049472869 -0500 +@@ -434,9 +434,10 @@ + + void PacketReader::getLabelFromContent(const vector& content, uint16_t& frompos, string& ret, int recurs) + { +- if(recurs > 1000) // the forward reference-check below should make this test 100% obsolete ++ if(recurs > 100) // the forward reference-check below should make this test 100% obsolete + throw MOADNSException("Loop"); + ++ int pos = frompos; + for(;;) { + unsigned char labellen=content.at(frompos++); + +@@ -449,7 +450,7 @@ + uint16_t offset=256*(labellen & ~0xc0) + (unsigned int)content.at(frompos++) - sizeof(dnsheader); + // cout<<"This is an offset, need to go to: "<= frompos-2) ++ if(offset >= pos) + throw MOADNSException("forward reference during label decompression"); + return getLabelFromContent(content, offset, ret, ++recurs); + } diff -Nru pdns-recursor-3.5.3/debian/patches/CVE-2016-7068.patch pdns-recursor-3.5.3/debian/patches/CVE-2016-7068.patch --- pdns-recursor-3.5.3/debian/patches/CVE-2016-7068.patch 1970-01-01 00:00:00.000000000 +0000 +++ pdns-recursor-3.5.3/debian/patches/CVE-2016-7068.patch 2017-01-17 21:14:01.000000000 +0000 
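Review bot: Nothing explains the new `int pos = frompos;` or why `if(offset >= pos)` replaced the old `frompos-2` comparison, and the comment kept on the recursion cap (`the forward reference-check below should make this test 100% obsolete`) now reads as stale, since the cap was tightened from 1000 to 100 in the same fix precisely because the old check was not sufficient. A comment on the new line such as `// start of the name being decoded (or of the pointer target on a recursive call): a pointer must land strictly before it, so chains only move backwards and terminate` would state the invariant the check relies on. The comparison mixes `int pos` with `uint16_t offset`; declaring `uint16_t pos` would match the type of `frompos` it is copied from. The enclosing function continues outside the second hunk.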
@@ -0,0 +1,107 @@ +Description: CVE-2016-7068, fix DoS caused by specially crafted DNS queries +Origin: backport, https://downloads.powerdns.com/patches/2016-02/rec-3.6.4-spuriosurrs-167732.patch +Forwarded: not-needed +Bug: https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/1656931 +Author: Florian Heinz and Martin Kluge +Reviewed-by: Scott Kitterman +Last-Update: 2017-01-17 +--- + +--- pdns-recursor-3.5.3.orig/dnsparser.cc 2017-01-13 13:11:08.457491426 -0500 ++++ pdns-recursor-3.5.3/dnsparser.cc 2017-01-13 13:16:16.253499333 -0500 +@@ -138,7 +138,7 @@ + memcpy(&packet[pos], &drh, sizeof(drh)); pos+=sizeof(drh); + memcpy(&packet[pos], serialized.c_str(), serialized.size()); pos+=(uint16_t)serialized.size(); + +- MOADNSParser mdp((char*)&*packet.begin(), (unsigned int)packet.size()); ++ MOADNSParser mdp(false, (char*)&*packet.begin(), (unsigned int)packet.size()); + shared_ptr ret= mdp.d_answers.begin()->first.d_content; + ret->header.d_type=ret->d_qtype; + ret->label=mdp.d_answers.begin()->first.d_label; +@@ -195,7 +195,7 @@ + return zmakermap; + } + +-void MOADNSParser::init(const char *packet, unsigned int len) ++void MOADNSParser::init(bool query, const char *packet, unsigned int len) + { + if(len < sizeof(dnsheader)) + throw MOADNSException("Packet shorter than minimal header"); +@@ -209,6 +209,9 @@ + d_header.ancount=ntohs(d_header.ancount); + d_header.nscount=ntohs(d_header.nscount); + d_header.arcount=ntohs(d_header.arcount); ++ ++ if (query && (d_header.qdcount > 1)) ++ throw MOADNSException("Query with QD > 1 ("+lexical_cast(d_header.qdcount)+")"); + + uint16_t contentlen=len-sizeof(dnsheader); + +@@ -253,7 +256,13 @@ + dr.d_label=label; + dr.d_clen=ah.d_clen; + +- dr.d_content=boost::shared_ptr(DNSRecordContent::mastermake(dr, pr)); ++ if (query && (dr.d_place == DNSRecord::Answer || dr.d_place == DNSRecord::Nameserver || (dr.d_type != QType::OPT && dr.d_type != QType::TSIG && dr.d_type != QType::SIG) || ((dr.d_type == QType::TSIG || dr.d_type 
== QType::SIG) && dr.d_class != 0xff))) { ++ dr.d_content=boost::shared_ptr(new UnknownRecordContent(dr, pr)); ++ } ++ else { ++ dr.d_content=boost::shared_ptr(DNSRecordContent::mastermake(dr, pr)); ++ } ++ + d_answers.push_back(make_pair(dr, pr.d_pos)); + + if(dr.d_type == QType::TSIG && dr.d_class == 0xff) +--- pdns-recursor-3.5.3.orig/dnsparser.hh 2017-01-13 13:11:08.457491426 -0500 ++++ pdns-recursor-3.5.3/dnsparser.hh 2017-01-13 13:11:08.453491426 -0500 +@@ -295,15 +295,15 @@ + { + public: + //! Parse from a string +- MOADNSParser(const string& buffer) : d_tsigPos(0) ++ MOADNSParser(bool query, const string& buffer) : d_tsigPos(0) + { +- init(buffer.c_str(), (unsigned int)buffer.size()); ++ init(query, buffer.c_str(), (unsigned int)buffer.size()); + } + + //! Parse from a pointer and length +- MOADNSParser(const char *packet, unsigned int len) : d_tsigPos(0) ++ MOADNSParser(bool query, const char *packet, unsigned int len) : d_tsigPos(0) + { +- init(packet, len); ++ init(query, packet, len); + } + + dnsheader d_header; +@@ -329,7 +329,7 @@ + } + private: + void getDnsrecordheader(struct dnsrecordheader &ah); +- void init(const char *packet, unsigned int len); ++ void init(bool query, const char *packet, unsigned int len); + vector d_content; + uint16_t d_tsigPos; + }; +--- pdns-recursor-3.5.3.orig/lwres.cc 2017-01-13 13:11:08.457491426 -0500 ++++ pdns-recursor-3.5.3/lwres.cc 2017-01-13 13:11:08.453491426 -0500 +@@ -165,7 +165,7 @@ + lwr->d_result.clear(); + try { + lwr->d_tcbit=0; +- MOADNSParser mdp((const char*)buf.get(), len); ++ MOADNSParser mdp(false, (const char*)buf.get(), len); + lwr->d_aabit=mdp.d_header.aa; + lwr->d_tcbit=mdp.d_header.tc; + lwr->d_rcode=mdp.d_header.rcode; +--- pdns-recursor-3.5.3.orig/pdns_recursor.cc 2017-01-13 13:11:08.457491426 -0500 ++++ pdns-recursor-3.5.3/pdns_recursor.cc 2017-01-13 13:22:47.661509387 -0500 +@@ -125,7 +125,7 @@ + + //! 
used to send information to a newborn mthread + struct DNSComboWriter { +- DNSComboWriter(const char* data, uint16_t len, const struct timeval& now) : d_mdp(data, len), d_now(now), ++ DNSComboWriter(const char* data, uint16_t len, const struct timeval& now) : d_mdp(true, data, len), d_now(now), + d_tcp(false), d_socket(-1) + {} + MOADNSParser d_mdp; diff -Nru pdns-recursor-3.5.3/debian/patches/qtypes.patch pdns-recursor-3.5.3/debian/patches/qtypes.patch --- pdns-recursor-3.5.3/debian/patches/qtypes.patch 1970-01-01 00:00:00.000000000 +0000 +++ pdns-recursor-3.5.3/debian/patches/qtypes.patch 2017-01-17 21:13:17.000000000 +0000 
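Review bot: The new `bool query` parameter is undocumented: the `//! Parse from a string` and `//! Parse from a pointer and length` comments in dnsparser.hh are unchanged, and a bare `true`/`false` first argument at the call sites in dnsparser.cc, lwres.cc and pdns_recursor.cc tells a reader nothing about what it changes. Those comments should say what the flag does, e.g. `//! query: treat the packet as an inbound query — reject qdcount > 1, and parse only OPT and class-0xff TSIG/SIG records outside the answer and authority sections; everything else becomes UnknownRecordContent`. The record filter in init() is one long condition spanning the place, type and class tests; hoisting it into a named local such as `const bool parseContent = ...` would make the exception list reviewable. `lexical_cast(d_header.qdcount)` appears without a template argument in this copy — presumably `<string>` was stripped in rendering rather than absent from the patch, but that is worth confirming before applying, since it would not compile as shown. Because the constructor has no default for `query`, any MOADNSParser construction in the 3.5.3 tree outside these three files would now fail to compile; a grep before the upload would rule that out.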
@@ -0,0 +1,49 @@ +Description: Add missing qtypes + * Add debian/patches/qtypes.patch so qtypes required for CVE-2016-7068.patch + are available +Author: Scott Kitterman +Origin: upstream +Last-Update: 2017-01-13 + +Index: pdns-recursor-3.5.3/qtype.hh +=================================================================== +--- pdns-recursor-3.5.3.orig/qtype.hh ++++ pdns-recursor-3.5.3/qtype.hh +@@ -77,8 +77,8 @@ public: + static int chartocode(const char *p); //!< convert a character string to a code + // more solaris fun + #undef DS +- enum typeenum {A=1,NS=2,CNAME=5,SOA=6, MR=9, PTR=12,HINFO=13,MX=15,TXT=16,RP=17,AFSDB=18,KEY=25,AAAA=28,LOC=29,SRV=33,NAPTR=35, KX=36, +- CERT=37,OPT=41, DS=43, SSHFP=44, IPSECKEY=45, RRSIG=46, NSEC=47, DNSKEY=48, DHCID=49, NSEC3=50, NSEC3PARAM=51, ++ enum typeenum {A=1,NS=2,CNAME=5,SOA=6, MR=9, PTR=12,HINFO=13,MX=15,TXT=16,RP=17,AFSDB=18, SIG=24, KEY=25,AAAA=28,LOC=29,SRV=33,NAPTR=35, KX=36, ++ CERT=37, A6=38, OPT=41, DS=43, SSHFP=44, IPSECKEY=45, RRSIG=46, NSEC=47, DNSKEY=48, DHCID=49, NSEC3=50, NSEC3PARAM=51, + TLSA=52, SPF=99, TSIG=250, AXFR=252, IXFR=251, ANY=255, URL=256, MBOXFW=257, CURL=258, ADDR=259, DLV=32769} types; + typedef pair namenum; + static vector names; +@@ -109,18 +109,25 @@ private: + qtype_insert("AAAA",28); + qtype_insert("LOC",29); + qtype_insert("SRV",33); ++ qtype_insert("NAPTR",35); ++ qtype_insert("KX",36); + qtype_insert("CERT", 37); + qtype_insert("A6",38); +- qtype_insert("NAPTR",35); ++ qtype_insert("OPT",41); + qtype_insert("DS", 43); + qtype_insert("SSHFP", 44); ++ qtype_insert("IPSECKEY", 45); + qtype_insert("RRSIG", 46); + qtype_insert("NSEC", 47); + qtype_insert("DNSKEY", 48); ++ qtype_insert("DHCID", 49); + qtype_insert("NSEC3", 50); + qtype_insert("NSEC3PARAM", 51); + qtype_insert("TLSA",52); + qtype_insert("SPF",99); ++ qtype_insert("EUI48",108); ++ qtype_insert("EUI64",109); ++ qtype_insert("TSIG", 250); + qtype_insert("IXFR",251); + qtype_insert("AXFR",252); + qtype_insert("ANY",255); diff 
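Review bot: The enum and the name table drift apart: `typeenum` gains `SIG=24` and `A6=38`, but no `qtype_insert("SIG",24)` is added, while the table gains `EUI48`/`EUI64` with no matching enum values, so `QType::SIG` compiles for the CVE-2016-7068 filter but a type-24 record presumably gets no symbolic name and `chartocode("SIG")` cannot resolve it. Adding `qtype_insert("SIG", 24);` above the `AAAA` entry and `EUI48=108, EUI64=109` to the enum would keep the two in step. The DEP-3 header says `Origin: upstream` without naming the upstream commit or version the values were taken from, and its Description repeats the changelog bullet rather than describing the change; a one-line `Description: add SIG, A6, EUI48, EUI64 and missing name-table entries to QType` would be clearer.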
-Nru pdns-recursor-3.5.3/debian/patches/series pdns-recursor-3.5.3/debian/patches/series
--- pdns-recursor-3.5.3/debian/patches/series 2013-08-07 15:56:08.000000000 +0000
+++ pdns-recursor-3.5.3/debian/patches/series 2017-01-17 20:36:29.000000000 +0000
@@ -3,3 +3,8 @@
 pdns-recursor-less-chatty
 hurd-ftbfs-patch
 remove-pdns_hw-patch
+CVE-2014-8601.patch
+CVE-2015-1868.patch
+CVE-2015-1868-2.patch
+CVE-2016-7068.patch
+qtypes.patch