Pullup ticket #4573 - requested by roy
net/powerdns-recursor: security patch

Revisions pulled up:
- net/powerdns-recursor/Makefile 1.16
- net/powerdns-recursor/distinfo 1.12
- net/powerdns-recursor/patches/patch-CVE-2014-8601 1.1
---
Module Name: pkgsrc
Committed By: roy
Date: Thu Dec 11 20:18:17 UTC 2014

Modified Files:
pkgsrc/net/powerdns-recursor: Makefile distinfo
Added Files:
pkgsrc/net/powerdns-recursor/patches: patch-CVE-2014-8601

Log Message:
Add upstream patch to fix CVE-2014-8601.
Remove myself as maintainer.

diff -r1.14 -r1.14.4.1 pkgsrc/net/powerdns-recursor/Makefile
(tron)
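--- a/pkgsrc/net/powerdns-recursor/Makefile
+++ b/pkgsrc/net/powerdns-recursor/Makefile
@@ -1,23 +1,23 @@
-# $NetBSD: Makefile,v 1.14 2014/05/03 13:01:24 alnsn Exp $
+# $NetBSD: Makefile,v 1.14.4.1 2014/12/16 23:23:22 tron Exp $
 #
 
 DISTNAME= pdns-recursor-3.3
-PKGREVISION= 3
+PKGREVISION= 5
 CATEGORIES= net
 MASTER_SITES= http://downloads.powerdns.com/releases/
 EXTRACT_SUFX= .tar.bz2
 
-MAINTAINER= roy@NetBSD.org
+MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.powerdns.com/
 COMMENT= PowerDNS resolver/recursing nameserver
 LICENSE= gnu-gpl-v2
 
 MAKE_JOBS_SAFE= no
 
 USE_TOOLS= gmake
 USE_LANGUAGES= c c++
 
 RCD_SCRIPTS+= pdns_recursor
 
 EGDIR= ${PREFIX}/share/examples/pdns-recursor
 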
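--- a/pkgsrc/net/powerdns-recursor/distinfo
+++ b/pkgsrc/net/powerdns-recursor/distinfo
@@ -1,18 +1,19 @@
-$NetBSD: distinfo,v 1.11 2013/06/27 10:56:22 wiz Exp $
+$NetBSD: distinfo,v 1.11.12.1 2014/12/16 23:23:22 tron Exp $
 
 SHA1 (pdns-recursor-3.3.tar.bz2) = 2f42955b8b8de355709e9072da2d5dbfadd7ffac
 RMD160 (pdns-recursor-3.3.tar.bz2) = 17bd7ac68892c3fca218c3dc3e70074dd9e748d6
 Size (pdns-recursor-3.3.tar.bz2) = 145785 bytes
+SHA1 (patch-CVE-2014-8601) = dae3dec54e53022183a8889eb1c741b00d08cd0b
 SHA1 (patch-Makefile) = 840d0be6dd7decf4b037efc4f9da05a97815ce8e
 SHA1 (patch-brg_endian.h) = 2fb9d3231e969b2be57d160b0952e11091ae6e26
 SHA1 (patch-cachecleaner.hh) = e9a9ade3fe63160eb897df959f6921b791122499
 SHA1 (patch-dns.hh) = 4d24a3c2bad973e05ed4b1c20bacce3b70992e5a
 SHA1 (patch-dnsparser.cc) = 257072b44d3d68ccd3b773cd4db7d0495f67d874
 SHA1 (patch-dnsparser.hh) = 85dad11c65d242630244a600ab5d857af591db9f
 SHA1 (patch-kqueuemplexer.cc) = e67ca0cc9703e5ba5f89f85eefd457c72495ca52
 SHA1 (patch-namespaces.hh) = 3c9b7c68a8576fd63747b6773549b98f30cba1a0
 SHA1 (patch-pdns__recursor.1) = 33170dd8ec13b0607ebf2ef8366656c565ca4664
 SHA1 (patch-pdns__recursor.cc) = 02baa1f54035aae06d241f1732bd165af60dd584
 SHA1 (patch-rec__channel.cc) = 3bd902cf9152cb90c3cb934263dd0482cac16d16
 SHA1 (patch-rec__channel__rec.cc) = a183984d31aad6d1665d11c40e872511c18bd740
 SHA1 (patch-rec__control.1) = e6ea8e7b93e23cd37bddb272e7cd64858cdf7f83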
$NetBSD: patch-CVE-2014-8601,v 1.1.2.2 2014/12/16 23:23:22 tron Exp $
Upstream backported fix for CVE-2014-8601
commit 62d189c81359c70821523d7ba9831d0f6e57b012
Author: Your Name <you@example.com>
Date: Tue Dec 2 08:50:41 2014 +0000
backport query limiter to 3.3
diff --git pdns_recursor.cc pdns_recursor.cc
index 0f9b08f..3bb71e0 100644
--- pdns_recursor.cc
+++ pdns_recursor.cc
@@ -522,7 +522,14 @@ void startDoResolve(void *p)
bool variableAnswer = false;
// if there is a PowerDNSLua active, and it 'took' the query in preResolve, we don't launch beginResolve
if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) {
- res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+ try {
+ res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+ }
+ catch(ImmediateServFailException &e) {
+ L<<Logger::Error<<"Sending SERVFAIL during resolve of '"<<dc->d_mdp.d_qname<<"' because: "<<e.reason<<endl;
+
+ res = RCode::ServFail;
+ }
if(t_pdl->get()) {
if(res == RCode::NXDomain)
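Review bot: The new catch handler in the pdns_recursor.cc hunk logs the query name and the reason but not the client that triggered the limit, which is what an operator needs to distinguish one abusive or spoofed source from a general resolution problem when these SERVFAILs start appearing. `dc->d_remote` is already in scope (it is passed to `preresolve` three lines above) and this patch uses `toStringWithPort()` on a remote address in syncres.cc, so the line could become `L<<Logger::Error<<"Sending SERVFAIL during resolve of '"<<dc->d_mdp.d_qname<<"' for "<<dc->d_remote.toStringWithPort()<<" because: "<<e.reason<<endl;` — assuming d_remote is the same address type, which the hunk does not show. Since `e` is only read, `catch(const ImmediateServFailException &e)` is the usual form. The enclosing startDoResolve body continues past the hunk, so whether a later handler in it also needs to know about this exception type cannot be checked here.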
diff --git a/syncres.cc b/syncres.cc
index 4b05acf..08b2930 100644
--- syncres.cc
+++ syncres.cc
@@ -874,6 +874,7 @@ int SyncRes::doResolveAt(set<string, CIStringCompare> nameservers, string auth,
}
else {
s_outqueries++; d_outqueries++;
+ if(d_outqueries > 50) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname);
TryTCP:
if(doTCP) {
LOG<<prefix<<qname<<": using TCP with "<< remoteIP->toStringWithPort() <<endl;
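Review bot: The added guard in the syncres.cc hunk hard-codes the limit 50 twice on one line, once in the comparison and once in the message text, with nothing saying that this is the CVE-2014-8601 mitigation bounding how many outgoing queries a single client query may cause. A named constant keeps the two from drifting apart and documents the intent: `static const unsigned int s_maxOutQueriesPerQuery = 50; // CVE-2014-8601: cap outgoing queries per client query` (constructed name) with `if(d_outqueries > s_maxOutQueriesPerQuery) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname);`, or the message built from the constant. Nothing in the hunk counts how often the limit fires, so a dedicated counter next to the `s_outqueries++` increment just above would let the mitigation's activity show up in the recursor's statistics rather than only in the error log. Where d_outqueries is reset is outside the hunk; the check presumes it is per-client-query state on this SyncRes instance.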
diff --git a/syncres.hh b/syncres.hh
index e3249d2..6c151e0 100644
--- syncres.hh
+++ syncres.hh
@@ -502,6 +502,13 @@ private:
static AtomicCounter s_currentConnections; //!< total number of current TCP connections
};
+class ImmediateServFailException
+{
+public:
+ ImmediateServFailException(string r){reason=r;};
+
+ string reason; //! Print this to tell the user what went wrong
+};
struct RemoteKeeper
{
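Review bot: `ImmediateServFailException` in the syncres.hh hunk takes `r` by value and then assigns it in the constructor body, leaves a stray `;` after that body, and does not mark its single-argument constructor `explicit`, so any `string` converts to it silently; `explicit ImmediateServFailException(string r) : reason(r) {}` addresses all three. The member comment `//! Print this to tell the user what went wrong` is a Doxygen brief for the declaration that follows it, whereas the neighbouring `s_currentConnections` uses the trailing `//!<` form; `string reason; //!< Text the catching caller writes to the log` matches the file. The class intentionally (it seems) derives from neither std::exception nor any project exception type, which is what lets the throw in doResolveAt pass generic handlers and reach the catch in startDoResolve; if that is the intent, a class comment such as `//! Thrown by SyncRes to abort a resolution so the caller answers SERVFAIL; kept unrelated to other exception types so generic handlers do not absorb it` would keep a later maintainer from "fixing" it. The `struct RemoteKeeper` that follows continues outside the hunk.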