Tue Dec 16 23:23:22 2014 UTC ()

Pullup ticket #4573 - requested by roy
net/powerdns-recursor: security patch

Revisions pulled up:
- net/powerdns-recursor/Makefile                                1.16
- net/powerdns-recursor/distinfo                                1.12
- net/powerdns-recursor/patches/patch-CVE-2014-8601             1.1

---
   Module Name:    pkgsrc
   Committed By:   roy
   Date:           Thu Dec 11 20:18:17 UTC 2014

   Modified Files:
           pkgsrc/net/powerdns-recursor: Makefile distinfo
   Added Files:
           pkgsrc/net/powerdns-recursor/patches: patch-CVE-2014-8601

   Log Message:
   Add upstream patch to fix CVE-2014-8601.
   Remove myself as maintainer.


(tron)

diff -r1.14 -r1.14.4.1 pkgsrc/net/powerdns-recursor/Makefile
diff -r1.11 -r1.11.12.1 pkgsrc/net/powerdns-recursor/distinfo
diff -r0 -r1.1.2.2 pkgsrc/net/powerdns-recursor/patches/patch-CVE-2014-8601

--- pkgsrc/net/powerdns-recursor/Makefile 2014/05/03 13:01:24 1.14
+++ pkgsrc/net/powerdns-recursor/Makefile 2014/12/16 23:23:22 1.14.4.1

 @@ -1,23 +1,23 @@
-# $NetBSD: Makefile,v 1.14 2014/05/03 13:01:24 alnsn Exp $
+# $NetBSD: Makefile,v 1.14.4.1 2014/12/16 23:23:22 tron Exp $
+#
 DISTNAME=		pdns-recursor-3.3
-PKGREVISION=		3
+PKGREVISION=		5
 CATEGORIES=		net
 MASTER_SITES=		http://downloads.powerdns.com/releases/
 EXTRACT_SUFX=		.tar.bz2
-MAINTAINER=		roy@NetBSD.org
+MAINTAINER=		pkgsrc-users@NetBSD.org
 HOMEPAGE=		http://www.powerdns.com/
 COMMENT=		PowerDNS resolver/recursing nameserver
 LICENSE=		gnu-gpl-v2
 MAKE_JOBS_SAFE=		no
 USE_TOOLS=		gmake
 USE_LANGUAGES=		c c++
 RCD_SCRIPTS+=		pdns_recursor
 EGDIR=			${PREFIX}/share/examples/pdns-recursor

--- pkgsrc/net/powerdns-recursor/distinfo 2013/06/27 10:56:22 1.11
+++ pkgsrc/net/powerdns-recursor/distinfo 2014/12/16 23:23:22 1.11.12.1

 @@ -1,18 +1,19 @@
-$NetBSD: distinfo,v 1.11 2013/06/27 10:56:22 wiz Exp $
+$NetBSD: distinfo,v 1.11.12.1 2014/12/16 23:23:22 tron Exp $
 SHA1 (pdns-recursor-3.3.tar.bz2) = 2f42955b8b8de355709e9072da2d5dbfadd7ffac
 RMD160 (pdns-recursor-3.3.tar.bz2) = 17bd7ac68892c3fca218c3dc3e70074dd9e748d6
 Size (pdns-recursor-3.3.tar.bz2) = 145785 bytes
 SHA1 (patch-CVE-2014-8601) = dae3dec54e53022183a8889eb1c741b00d08cd0b
 SHA1 (patch-Makefile) = 840d0be6dd7decf4b037efc4f9da05a97815ce8e
 SHA1 (patch-brg_endian.h) = 2fb9d3231e969b2be57d160b0952e11091ae6e26
 SHA1 (patch-cachecleaner.hh) = e9a9ade3fe63160eb897df959f6921b791122499
 SHA1 (patch-dns.hh) = 4d24a3c2bad973e05ed4b1c20bacce3b70992e5a
 SHA1 (patch-dnsparser.cc) = 257072b44d3d68ccd3b773cd4db7d0495f67d874
 SHA1 (patch-dnsparser.hh) = 85dad11c65d242630244a600ab5d857af591db9f
 SHA1 (patch-kqueuemplexer.cc) = e67ca0cc9703e5ba5f89f85eefd457c72495ca52
 SHA1 (patch-namespaces.hh) = 3c9b7c68a8576fd63747b6773549b98f30cba1a0
 SHA1 (patch-pdns__recursor.1) = 33170dd8ec13b0607ebf2ef8366656c565ca4664
 SHA1 (patch-pdns__recursor.cc) = 02baa1f54035aae06d241f1732bd165af60dd584
 SHA1 (patch-rec__channel.cc) = 3bd902cf9152cb90c3cb934263dd0482cac16d16
 SHA1 (patch-rec__channel__rec.cc) = a183984d31aad6d1665d11c40e872511c18bd740
 SHA1 (patch-rec__control.1) = e6ea8e7b93e23cd37bddb272e7cd64858cdf7f83

$NetBSD: patch-CVE-2014-8601,v 1.1.2.2 2014/12/16 23:23:22 tron Exp $

Upstream backported fix for CVE-2014-8601

commit 62d189c81359c70821523d7ba9831d0f6e57b012
Author: Your Name <you@example.com>
Date:   Tue Dec 2 08:50:41 2014 +0000

    backport query limiter to 3.3

diff --git pdns_recursor.cc pdns_recursor.cc
index 0f9b08f..3bb71e0 100644
--- pdns_recursor.cc
+++ pdns_recursor.cc
@@ -522,7 +522,14 @@ void startDoResolve(void *p)
     bool variableAnswer = false;
     // if there is a PowerDNSLua active, and it 'took' the query in preResolve, we don't launch beginResolve
     if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) {
-       res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+      try {
+        res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+      }
+      catch(ImmediateServFailException &e) {
+        L<<Logger::Error<<"Sending SERVFAIL during resolve of '"<<dc->d_mdp.d_qname<<"' because: "<<e.reason<<endl;
+
+        res = RCode::ServFail;
+      }
 
       if(t_pdl->get()) {
         if(res == RCode::NXDomain)
diff --git a/syncres.cc b/syncres.cc
index 4b05acf..08b2930 100644
--- syncres.cc
+++ syncres.cc
@@ -874,6 +874,7 @@ int SyncRes::doResolveAt(set<string, CIStringCompare> nameservers, string auth,
           }
           else {
             s_outqueries++; d_outqueries++;
+            if(d_outqueries > 50) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname);
           TryTCP:
             if(doTCP) {
               LOG<<prefix<<qname<<": using TCP with "<< remoteIP->toStringWithPort() <<endl;
diff --git a/syncres.hh b/syncres.hh
index e3249d2..6c151e0 100644
--- syncres.hh
+++ syncres.hh
@@ -502,6 +502,13 @@ private:
   static AtomicCounter s_currentConnections; //!< total number of current TCP connections
 };
 
+class ImmediateServFailException
+{
+public:
+  ImmediateServFailException(string r){reason=r;};
+
+  string reason; //! Print this to tell the user what went wrong
+};
 
 struct RemoteKeeper
 {