Fix for CVE-2008-3337 taken from PowerDNS 2.9.21.1: return SERVFAIL to mailformed queries instead of just dropping them (as this facilitates DNS spoofing attacks). Bump PKGREVISION.diff -r1.3 -r1.4 pkgsrc/net/powerdns/Makefile
(ghen)
| @@ -1,21 +1,21 @@ | @@ -1,21 +1,21 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.3 2008/01/30 22:36:14 heinz Exp $ | 1 | # $NetBSD: Makefile,v 1.4 2008/08/11 13:59:48 ghen Exp $ | |
| 2 | 2 | |||
| 3 | PKG_DESTDIR_SUPPORT= user-destdir | 3 | PKG_DESTDIR_SUPPORT= user-destdir | |
| 4 | 4 | |||
| 5 | .include "Makefile.common" | 5 | .include "Makefile.common" | |
| 6 | 6 | |||
| 7 | PKGNAME= ${DISTNAME:S/pdns/powerdns/} | 7 | PKGNAME= ${DISTNAME:S/pdns/powerdns/} | |
| 8 | PKGREVISION= 1 | 8 | PKGREVISION= 2 | |
| 9 | COMMENT= Modern, advanced and high performance nameserver | 9 | COMMENT= Modern, advanced and high performance nameserver | |
| 10 | 10 | |||
| 11 | CONFIGURE_ARGS+= --with-modules="geo" | 11 | CONFIGURE_ARGS+= --with-modules="geo" | |
| 12 | CONFIGURE_ARGS+= --with-dynmodules="pipe" | 12 | CONFIGURE_ARGS+= --with-dynmodules="pipe" | |
| 13 | 13 | |||
| 14 | RCD_SCRIPTS= pdns | 14 | RCD_SCRIPTS= pdns | |
| 15 | 15 | |||
| 16 | EGDIR= ${PREFIX}/share/examples/pdns | 16 | EGDIR= ${PREFIX}/share/examples/pdns | |
| 17 | MAKE_ENV+= EGDIR=${EGDIR} | 17 | MAKE_ENV+= EGDIR=${EGDIR} | |
| 18 | 18 | |||
| 19 | CONF_FILES+= ${EGDIR}/pdns.conf-dist ${PKG_SYSCONFDIR}/pdns.conf | 19 | CONF_FILES+= ${EGDIR}/pdns.conf-dist ${PKG_SYSCONFDIR}/pdns.conf | |
| 20 | 20 | |||
| 21 | SUBST_CLASSES+= conf | 21 | SUBST_CLASSES+= conf |
| @@ -1,7 +1,8 @@ | @@ -1,7 +1,8 @@ | |||
| 1 | $NetBSD: distinfo,v 1.2 2007/05/09 08:05:24 ghen Exp $ | 1 | $NetBSD: distinfo,v 1.3 2008/08/11 13:59:48 ghen Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (pdns-2.9.21.tar.gz) = 2b86e4b44ef43db308c62e32b10ed0d5221a45c9 | 3 | SHA1 (pdns-2.9.21.tar.gz) = 2b86e4b44ef43db308c62e32b10ed0d5221a45c9 | |
| 4 | RMD160 (pdns-2.9.21.tar.gz) = ed53de20a4e660ab2537b3c888b0a85225764a51 | 4 | RMD160 (pdns-2.9.21.tar.gz) = ed53de20a4e660ab2537b3c888b0a85225764a51 | |
| 5 | Size (pdns-2.9.21.tar.gz) = 991071 bytes | 5 | Size (pdns-2.9.21.tar.gz) = 991071 bytes | |
| 6 | SHA1 (patch-aa) = 034845af3a9b66f57e482e3b43e43b61c17f51ab | 6 | SHA1 (patch-aa) = 034845af3a9b66f57e482e3b43e43b61c17f51ab | |
| 7 | SHA1 (patch-ab) = d47887faff80330122ccf1cfd047c11e114c1153 | 7 | SHA1 (patch-ab) = d47887faff80330122ccf1cfd047c11e114c1153 | |
| 8 | SHA1 (patch-ac) = aa7387cd9c283810d41d6097ecfbe6e688621432 |
$NetBSD: patch-ac,v 1.1 2008/08/11 13:59:48 ghen Exp $
Fix for CVE-2008-3337 taken from PowerDNS 2.9.21.1: return SERVFAIL to
mailformed queries instead of just dropping them (as this facilitates
DNS spoofing attacks).
--- pdns/packethandler.cc.orig 2007-04-21 15:56:36.000000000 +0200
+++ pdns/packethandler.cc
@@ -576,9 +576,11 @@ DNSPacket *PacketHandler::questionOrRecu
if(!validDNSName(p->qdomain)) {
if(arg().mustDo("log-dns-details"))
- L<<Logger::Error<<"Received a malformed qdomain from "<<p->getRemote()<<", '"<<p->qdomain<<"': dropping"<<endl;
+ L<<Logger::Error<<"Received a malformed qdomain from "<<p->getRemote()<<", '"<<p->qdomain<<"': sending servfail"<<endl;
S.inc("corrupt-packets");
- return 0;
+ r=p->replyPacket();
+ r->setRcode(RCode::ServFail);
+ return r;
}
if(p->d.opcode) { // non-zero opcode (again thanks RA!)
if(p->d.opcode==Opcode::Update) {