Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, this update fixes the low-severity CVEs CVE-2016-7069 and CVE-2017-7557, based purely on version-targeted patches from upstream. Thanks, Chris
diff -Nru dnsdist-1.1.0/debian/changelog dnsdist-1.1.0/debian/changelog
--- dnsdist-1.1.0/debian/changelog 2016-12-31 15:50:47.000000000 +0000
+++ dnsdist-1.1.0/debian/changelog 2017-08-22 13:58:05.000000000 +0000
@@ -1,3 +1,10 @@
+dnsdist (1.1.0-2+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2016-7069, CVE-2017-7557 using patches from upstream
+ (Closes: #872854)
+
+ -- Christian Hofstaedtler <z...@debian.org> Tue, 22 Aug 2017 13:58:05 +0000
+
 dnsdist (1.1.0-2) unstable; urgency=medium
 
 * Bump debhelper compat to 10 for systemd support.
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch 1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch 2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,37 @@
+--- a/dnsdist-ecs.cc
++++ b/dnsdist-ecs.cc
+@@ -392,26 +392,29 @@ void handleEDNSClientSubnet(char* const packet, const size_t packetSize, const u
+ static int removeEDNSOptionFromOptions(unsigned char* optionsStart, const uint16_t optionsLen, const uint16_t optionCodeToRemove, uint16_t* newOptionsLen)
+ {
+ unsigned char* p = optionsStart;
+- const unsigned char* end = p + optionsLen;
+- while ((p + 4) <= end) {
++ size_t pos = 0;
++ while ((pos + 4) <= optionsLen) {
+ unsigned char* optionBegin = p;
+ const uint16_t optionCode = 0x100*p[0] + p[1];
+ p += sizeof(optionCode);
++ pos += sizeof(optionCode);
+ const uint16_t optionLen = 0x100*p[0] + p[1];
+ p += sizeof(optionLen);
+- if ((p + optionLen) > end) {
++ pos += sizeof(optionLen);
++ if ((pos + optionLen) > optionsLen) {
+ return EINVAL;
+ }
+ if (optionCode == optionCodeToRemove) {
+- if (p + optionLen < end) {
++ if (pos + optionLen < optionsLen) {
+ /* move remaining options over the removed one,
+ if any */
+- memmove(optionBegin, p + optionLen, end - (p + optionLen));
++ memmove(optionBegin, p + optionLen, optionsLen - (pos + optionLen));
+ }
+ *newOptionsLen = optionsLen - (sizeof(optionCode) + sizeof(optionLen) + optionLen);
+ return 0;
+ }
+ p += optionLen;
++ pos += optionLen;
+ }
+ return ENOENT;
+ }
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc 1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc 2017-08-22 13:58:05.000000000 +0000
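Review bot: In removeEDNSOptionFromOptions, `p` and `pos` now describe the same position and have to be advanced together at three places (after the option code, after the option length, and at the end of the loop body), so a later edit that misses one `pos +=` would leave the bounds check looking at a different offset than the bytes actually read through `p`. Keeping only the offset and reading through `optionsStart + pos` would remove that coupling. At minimum a comment above the loop, such as `/* every bounds check uses the offset pos against optionsLen; p + n is never compared against an end pointer */`, would record why the end-pointer comparisons were dropped. That rationale is inferred from the change itself, since the patch carries no description.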
@@ -0,0 +1,12 @@ +-----BEGIN PGP SIGNATURE----- + +iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNN0aHHJlbWkuZ2Fj +b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZjugf9FqmZzPzql6A8yvqix4lj +/dXYIuuoIqt2NKIZlKkf4QsMO9fhF+AC6WkPessodAExkyB4IdxrmneumWvVNRpO +beXT+2l6COKjvDkmYvc+5qKDUPEYHxvh6G1dBFDSGvn5AH5uZI2xXko7R3NdA2m+ +hThY37mkDSsiHrqWGNjj6/DoWIJFeU7gRg2aHkos68JiNdIhai6LMYerwecu4v1b +6Y5xG6hI85Ofn25xKbXNBjAlj1vYJS8/nMYqqWdxD+eIFKX9FkClwE9IkOdqmyRv +K0vceChANzLvnIzIcYm81AgKTKqPAoQMQP/0L+IG4hSwVTytHLeajsbQ/XRFDUUW +Gg== +=+FBw +-----END PGP SIGNATURE----- diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch --- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch 1970-01-01 00:00:00.000000000 +0000 +++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch 2017-08-22 13:58:05.000000000 +0000 
@@ -0,0 +1,123 @@
+--- a/dnsdist-web.cc
++++ b/dnsdist-web.cc
+@@ -79,13 +79,28 @@ static void apiSaveACL(const NetmaskGroup& nmg)
+ apiWriteConfigFile("acl", content);
+ }
+
+-static bool compareAuthorization(YaHTTP::Request& req, const string &expected_password, const string& expectedApiKey)
++static bool checkAPIKey(const YaHTTP::Request& req, const string& expectedApiKey)
+ {
+- // validate password
+- YaHTTP::strstr_map_t::iterator header = req.headers.find("authorization");
+- bool auth_ok = false;
+- if (header != req.headers.end() && toLower(header->second).find("basic ") == 0) {
+- string cookie = header->second.substr(6);
++ if (expectedApiKey.empty()) {
++ return false;
++ }
++
++ const auto header = req.headers.find("x-api-key");
++ if (header != req.headers.end()) {
++ return (header->second == expectedApiKey);
++ }
++
++ return false;
++}
++
++static bool checkWebPassword(const YaHTTP::Request& req, const string &expected_password)
++{
++ static const char basicStr[] = "basic ";
++
++ const auto header = req.headers.find("authorization");
++
++ if (header != req.headers.end() && toLower(header->second).find(basicStr) == 0) {
++ string cookie = header->second.substr(sizeof(basicStr) - 1);
+
+ string plain;
+ B64Decode(cookie, plain);
+@@ -93,24 +108,46 @@ static bool compareAuthorization(YaHTTP::Request& req, const string &expected_pa
+ vector<string> cparts;
+ stringtok(cparts, plain, ":");
+
+- // this gets rid of terminating zeros
+- auth_ok = (cparts.size()==2 && (0==strcmp(cparts[1].c_str(), expected_password.c_str())));
++ if (cparts.size() == 2) {
++ return cparts[1] == expected_password;
++ }
+ }
+- if (!auth_ok && !expectedApiKey.empty()) {
+- /* if this is a request for the API,
+- check if the API key is correct */
+- if (req.url.path=="/jsonstat" ||
+- req.url.path=="/api/v1/servers/localhost" ||
+- req.url.path=="/api/v1/servers/localhost/config" ||
+- req.url.path=="/api/v1/servers/localhost/config/allow-from" ||
+-
req.url.path=="/api/v1/servers/localhost/statistics") {
+- header = req.headers.find("x-api-key");
+- if (header != req.headers.end()) {
+- auth_ok = (0==strcmp(header->second.c_str(), expectedApiKey.c_str()));
+- }
++
++ return false;
++}
++
++static bool isAnAPIRequest(const YaHTTP::Request& req)
++{
++ return req.url.path.find("/api/") == 0;
++}
++
++static bool isAnAPIRequestAllowedWithWebAuth(const YaHTTP::Request& req)
++{
++ return req.url.path == "/api/v1/servers/localhost";
++}
++
++static bool isAStatsRequest(const YaHTTP::Request& req)
++{
++ return req.url.path == "/jsonstat";
++}
++
++static bool compareAuthorization(const YaHTTP::Request& req, const string &expected_password, const string& expectedApiKey)
++{
++ if (isAnAPIRequest(req)) {
++ /* Access to the API requires a valid API key */
++ if (checkAPIKey(req, expectedApiKey)) {
++ return true;
+ }
++
++ return isAnAPIRequestAllowedWithWebAuth(req) && checkWebPassword(req, expected_password);
++ }
++
++ if (isAStatsRequest(req)) {
++ /* Access to the stats is allowed for both API and Web users */
++ return checkAPIKey(req, expectedApiKey) || checkWebPassword(req, expected_password);
+ }
+- return auth_ok;
++
++ return checkWebPassword(req, expected_password);
+ }
+
+ static bool isMethodAllowed(const YaHTTP::Request& req)
+@@ -126,9 +163,9 @@ static bool isMethodAllowed(const YaHTTP::Request& req)
+ return false;
+ }
+
+-static void handleCORS(YaHTTP::Request& req, YaHTTP::Response& resp)
++static void handleCORS(const YaHTTP::Request& req, YaHTTP::Response& resp)
+ {
+- YaHTTP::strstr_map_t::iterator origin = req.headers.find("Origin");
++ const auto origin = req.headers.find("Origin");
+ if (origin != req.headers.end()) {
+ if (req.method == "OPTIONS") {
+ /* Pre-flight request */
+@@ -142,7 +179,10 @@ static void handleCORS(YaHTTP::Request& req, YaHTTP::Response& resp)
+ }
+
+ resp.headers["Access-Control-Allow-Origin"] = origin->second;
+- resp.headers["Access-Control-Allow-Credentials"] =
"true";
++
++ if (isAStatsRequest(req) || isAnAPIRequestAllowedWithWebAuth(req)) {
++ resp.headers["Access-Control-Allow-Credentials"] = "true";
++ }
+ }
+ }
+
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc 1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc 2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQFNBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNNYaHHJlbWkuZ2Fj +b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYw+Qf3eZKM2q3WXjmX1up/63Nr +BqjWHCasVxEG30NA+yGMVumuTol84AuO2t7mpZROxIu0SHlcnYNn0ehoSLI7KdJG +8ZDzJVWKMCW1hScdIPjIu4PEHyjHB+ws5ty8Z92Oz6k/vp4t/LVTwrMDXzBbpfET +TxujIcIGPJGjZFZoH64TQ5wSM+t4LzvjxdoUCmCMghfa9lPr9pqPoG6hnpU59Xn0 +7dIOYzECDLe/xNTp0dEe+pncAhEprsKPeqSVMwpZWYq7Zk0IK1I/uAiUp7t48EJU +NsWLovH98eL+dTLKd/j/Zc+sfiG/0sKlQsLygqHy54zc9e2FR2Kz5BKNaYcttbwq +=B1Fh +-----END PGP SIGNATURE-----
diff -Nru dnsdist-1.1.0/debian/patches/series dnsdist-1.1.0/debian/patches/series
--- dnsdist-1.1.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/series 2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2016-7069.patch
+CVE-2017-7557-1.1.0.patch
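Review bot: Both secret checks in the new dnsdist-web.cc code use `std::string::operator==` (`header->second == expectedApiKey` in checkAPIKey and `cparts[1] == expected_password` in checkWebPassword), which returns at the first differing byte, so the time taken to reject a request depends on how much of the key or password was right. The removed `strcmp` calls behaved the same way, so this is not a regression, but with the checks now isolated in two small functions both can go through one constant-time comparison; the helper below is a sketch with an illustrative name and still reveals the length. Separately, handleCORS keeps echoing the request's `Origin` into `Access-Control-Allow-Origin`, and for `/jsonstat` and `/api/v1/servers/localhost` it still sends `Access-Control-Allow-Credentials: true`, so a comment stating that these two paths are deliberately readable cross-origin with the web password would help whoever next touches isAnAPIRequestAllowedWithWebAuth.

```cpp
/* illustrative helper: examines every byte regardless of where the first mismatch is */
static bool constantTimeEquals(const string& a, const string& b)
{
  if (a.size() != b.size()) {
    return false;
  }
  unsigned char diff = 0;
  for (size_t i = 0; i < a.size(); ++i) {
    diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i]);
  }
  return diff == 0;
}

// … unchanged: checkAPIKey empty-key guard and x-api-key header lookup …
    return constantTimeEquals(header->second, expectedApiKey);

// … unchanged: checkWebPassword header parsing, B64Decode, stringtok …
      return constantTimeEquals(cparts[1], expected_password);
```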