Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Security update using upstream patches to fix CVE-2017-15090, CVE-2017-15092, CVE-2017-15093, CVE-2017-15094. DSA has marked those as non-DSA but suggested fixing through a stable update instead. debdiff against deb9u1 (in stable proper) attached. Thanks, Chris
diff -Nru pdns-recursor-4.0.4/debian/changelog pdns-recursor-4.0.4/debian/changelog --- pdns-recursor-4.0.4/debian/changelog 2017-06-27 12:31:08.000000000 +0000 +++ pdns-recursor-4.0.4/debian/changelog 2017-11-27 21:44:40.000000000 +0000 @@ -1,3 +1,13 @@ +pdns-recursor (4.0.4-1+deb9u2) stretch; urgency=medium + + * Add upstream patches fixing security issues: + * Insufficient validation of DNSSEC signatures. CVE-2017-15090 + * Cross-Site Scripting in the web interface. CVE-2017-15092 + * Configuration file injection in the API. CVE-2017-15093 + * Memory leak in DNSSEC parsing. CVE-2017-15094 + + -- Christian Hofstaedtler <z...@debian.org> Mon, 27 Nov 2017 21:44:40 +0000 + pdns-recursor (4.0.4-1+deb9u1) stretch; urgency=medium * Add new root trust anchor KSK-2017 to embedded root trust list. diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch --- pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch 1970-01-01 00:00:00.000000000 +0000 +++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch 2017-11-27 21:44:40.000000000 +0000 
@@ -0,0 +1,15 @@
+diff -ru pdns-recursor-4.0.6.orig/validate-recursor.cc pdns-recursor-4.0.6/validate-recursor.cc
+--- pdns-recursor-4.0.6.orig/validate-recursor.cc 2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/validate-recursor.cc 2017-11-02 18:29:16.612520450 +0100
+@@ -87,6 +87,11 @@
+ bool first = true;
+ for(const auto& csp : cspmap) {
+ for(const auto& sig : csp.second.signatures) {
++
++ if (!csp.first.first.isPartOf(sig->d_signer)) {
++ return increaseDNSSECStateCounter(Bogus);
++ }
++
+ vState newState = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
+
+ if (newState == Bogus) // No hope
diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc
--- pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc 1970-01-01 00:00:00.000000000 +0000
+++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc 2017-11-27 21:44:40.000000000 +0000
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStE4aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEbDZwf+JDDe7box5QLp+5T4gaQj
+1SyU2UaL2LVgIZbkvMoM03mGEc5LOushKLE0aoTKPwYbz2m5Oz1We3d1/Bv2OtJD
+9AXslTaaqSg0rmdeEJIPYUa393TXLXhCjKUcF/5kbo0Y6+T5dcukGMw/LkZqt4/O
+RLnj51eN0lSQrS+nCXHfREmIP2nj8+T6xAjNGIZ3NEQ9c3m1dPAzvd/skYiJkm/P
+dC3uyEYFRlN33fQp8LYL/mK3HDApX9DESfJUsqvnpJlX6qyUejxkGeJZ3ro1IStE
+NI5m1GRoI3FBbywIn9BPcllU0RkIS5X7r0wRWZ7D0e1nWHcgPqtyVkjvh6kUbRgs
+VA==
+=3aIe
+-----END PGP SIGNATURE-----
diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch
--- pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch 1970-01-01 00:00:00.000000000 +0000
+++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch 2017-11-27 21:44:40.000000000 +0000
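Review bot: The new signer check in validate-recursor.cc returns Bogus for the whole validation as soon as one RRSIG names a signer that the owner name is not part of, instead of skipping that signature with `continue` and letting the remaining signatures decide. Failing closed is the safe direction, but it also means one RRSIG with an unrelated signer name can turn an otherwise validly signed RRset Bogus, so if this is intended it should be stated in a comment, e.g. `// RFC 4035 5.3.1: the signer name must be the zone that contains the owner name; anything else is Bogus`. The enclosing loops and the rest of the function lie outside the hunk, so how the other signatures would be handled cannot be confirmed from here.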
@@ -0,0 +1,85 @@
+diff -ru pdns-recursor-4.0.6.orig/html/local.js pdns-recursor-4.0.6/html/local.js
+--- pdns-recursor-4.0.6.orig/html/local.js 2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/html/local.js 2017-11-02 18:26:04.624586674 +0100
+@@ -63,7 +63,7 @@
+
+ $.getJSON(qstring,
+ function(data) {
+- var bouw="<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr>";
++ var table = $('<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr></table>');
+ var num=0;
+ var total=0, rest=0;
+ $.each(data["entries"], function(a,b) {
+@@ -75,12 +75,26 @@
+ if(b[1].length > 25)
+ b[1]=b[1].substring(0,25);
+
+- bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>");
+- });
+- bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>";
+- bouw=bouw+"</table>";
+- $("#queryring").html(bouw);
+-
++ var line = $('<tr />');
++ var number = $('<td />');
++ number.text(b[0]);
++ var domain = $('<td />');
++ domain.text(b[1]);
++ var type = $('<td />');
++ type.text(b[2]);
++ line.append(number);
++ line.append(domain);
++ line.append(type);
++ table.append(line);
++ });
++ var line = $('<tr />');
++ var number = $('<td />');
++ number.text(rest);
++ var label = $('<td>Rest</td>');
++ line.append(number);
++ line.append(label);
++ table.append(line);
++ $("#queryring").html(table);
+ });
+
+ filtered=$("#filter2").is(':checked')
+@@ -91,7 +105,7 @@
+
+ $.getJSON(qstring,
+ function(data) {
+- var bouw="<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr>";
++ var table = $('<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr></table>');
+ var num=0, total=0, rest=0;
+ $.each(data["entries"], function(a,b) {
+ total+=b[0];
+@@ -101,11 +115,26 @@
+ }
+ if(b[1].length > 25)
+ b[1]=b[1].substring(0,25);
+- bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>");
++ var line = $('<tr />');
++ var number = $('<td />');
++ number.text(b[0]);
++ var domain = $('<td />');
++ domain.text(b[1]);
++ var type = $('<td />');
++ type.text(b[2]);
++ line.append(number);
++ line.append(domain);
++ line.append(type);
++ table.append(line);
+ });
+- bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>";
+- bouw=bouw+"</table>";
+- $("#servfailqueryring").html(bouw);
++ var line = $('<tr />');
++ var number = $('<td />');
++ number.text(rest);
++ var label = $('<td>Rest</td>');
++ line.append(number);
++ line.append(label);
++ table.append(line);
++ $("#servfailqueryring").html(table);
+
+ });
+
diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch.asc pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch.asc
--- pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch.asc 1970-01-01 00:00:00.000000000 +0000
+++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch.asc 2017-11-27 21:44:40.000000000 +0000
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStIwaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZqBAf/UIW70Ly0yoYnm0gnUERw
+qVNaWua5JYbszhuVB3hYNBZtczb6aCrWO/4DkOZhlJkQwO8JBJNa/zFkQ9jpxa7l
+r3HsP1oB7dc9EIeDzHKeOli9c8Yzwu3TUYjEzmmZ7wx/mUeEgFSvxBigpt+SXeFq
+HfNEUTxZYr/V5bxl9AnOiQVFm8nNx/yJGdI8kMzd2LrM0fZ0YOWaQP/Ho57sJ4mo
+UlhbaZqhPjvIGcajQV3ryWIhP4jg3cEKSYahRJFSJQufqheuXK2LDKnjOfyIs9NM
+gc3oa9wxYeKnD8hQv7Gu/i4/CbO0IGK2vtpAWSaYqg5MYiLRbJVzTx1XGOKRRRbt
++Q==
+=AXZo
+-----END PGP SIGNATURE-----
diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15093-4.0.6.patch pdns-recursor-4.0.4/debian/patches/CVE-2017-15093-4.0.6.patch
--- pdns-recursor-4.0.4/debian/patches/CVE-2017-15093-4.0.6.patch 1970-01-01 00:00:00.000000000 +0000
+++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15093-4.0.6.patch 2017-11-27 21:44:40.000000000 +0000
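Review bot: The row-building sequence in html/local.js is repeated verbatim in both `$.getJSON` callbacks, so the escaping guarantee depends on every future copy remembering to set cell contents through `.text()`. A small helper that takes the cell values and always applies `.text()` would keep both tables, and any added later, on one code path. Passing the jQuery object to `.html(table)` works, but `.empty().append(table)` is the documented way to insert an element. Both callbacks begin and end outside the hunks, and whether other parts of local.js still build markup from API data cannot be seen here.

```javascript
function makeRow(cells) {
    var line = $('<tr />');
    $.each(cells, function(i, value) {
        // .text() inserts the value as a text node, never as markup
        line.append($('<td />').text(value));
    });
    return line;
}

// … unchanged: $.getJSON call, table header, per-entry accounting …
        table.append(makeRow([b[0], b[1], b[2]]));
// … unchanged: end of the $.each callback …
    table.append(makeRow([rest, 'Rest']));
    $("#queryring").empty().append(table);
```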
@@ -0,0 +1,47 @@
+diff -ru pdns-recursor-4.0.6.orig/ws-recursor.cc pdns-recursor-4.0.6/ws-recursor.cc
+--- pdns-recursor-4.0.6.orig/ws-recursor.cc 2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/ws-recursor.cc 2017-11-02 18:13:55.762458134 +0100
+@@ -76,10 +76,11 @@
+ throw ApiException("'value' must be an array");
+ }
+
++ NetmaskGroup nmg;
+ for (auto value : jlist.array_items()) {
+ try {
+- Netmask(value.string_value());
+- } catch (NetmaskException &e) {
++ nmg.addMask(value.string_value());
++ } catch (const NetmaskException &e) {
+ throw ApiException(e.reason);
+ }
+ }
+@@ -91,9 +92,7 @@
+
+ // Clear allow-from, and provide a "parent" value
+ ss << "allow-from=" << endl;
+- for (auto value : jlist.array_items()) {
+- ss << "allow-from+=" << value.string_value() << endl;
+- }
++ ss << "allow-from+=" << nmg.toString() << endl;
+
+ apiWriteConfigFile("allow-from", ss.str());
+
+@@ -201,10 +200,15 @@
+ if (server == "") {
+ throw ApiException("Forwarded-to server must not be an empty string");
+ }
+- if (!serverlist.empty()) {
+- serverlist += ";";
++ try {
++ ComboAddress ca = parseIPAndPort(server, 53);
++ if (!serverlist.empty()) {
++ serverlist += ";";
++ }
++ serverlist += ca.toStringWithPort();
++ } catch (const PDNSException &e) {
++ throw ApiException(e.reason);
+ }
+- serverlist += server;
+ }
+ if (serverlist == "")
+ throw ApiException("Need at least one upstream server when forwarding");
diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15093-4.0.6.patch.asc pdns-recursor-4.0.4/debian/patches/CVE-2017-15093-4.0.6.patch.asc
--- pdns-recursor-4.0.4/debian/patches/CVE-2017-15093-4.0.6.patch.asc 1970-01-01 00:00:00.000000000 +0000
+++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15093-4.0.6.patch.asc 2017-11-27 21:44:40.000000000 +0000
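Review bot: The injection fix in ws-recursor.cc is applied at two call sites, by writing `nmg.toString()` and `ca.toStringWithPort()` instead of the raw API strings, so nothing visible here stops another value from reaching `apiWriteConfigFile` with a line break in it. The zone name and any other fields written in the forward-zone path are outside the hunk and would need the same parse-then-serialise treatment; a check in the writer that rejects `\n` and `\r` would cover them as defence in depth. An empty `value` array now also produces an `allow-from+=` line with nothing after it, where the old loop wrote no such line, so it is worth confirming the config parser treats that as empty. A comment such as `// write the canonical form only: the config file is line-oriented, never echo API input` above each write would record why the raw strings were dropped.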
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStJ8aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYO/Af/d954evxHxWfKphyV8mvQ
+qnfbQUXG0akDmqFPz2IxeL/VvGzhwIbXAZvRigShcKNCkdzjcNHzz5pXKNIxzIb1
+K+zmPweMgeKgALoxtIw9GIvoZEiWKxHL7dkA0FO+I9K+RFayvqksaJQZnFXDWMho
+jhlgMcTGy3lsXA2VDYXqtU+TQ+Ee0TWoZ16oHvpcroILIXnAHFAqd4+8evDacSC6
++pVF5FCEJTylhO0vxjmu2FS69ZCq4+3mrWVC5twzKcf1D4AMvclM3ipAUrzTuRUo
+V/8UM1wvX+/yvnLCLXFW9kDDjiUoHQeVWAPUrw5SOapouxfQ7cpGLBcZsBfy4vk9
+LA==
+=1Lxz
+-----END PGP SIGNATURE-----
diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15094-4.0.6.patch pdns-recursor-4.0.4/debian/patches/CVE-2017-15094-4.0.6.patch
--- pdns-recursor-4.0.4/debian/patches/CVE-2017-15094-4.0.6.patch 1970-01-01 00:00:00.000000000 +0000
+++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15094-4.0.6.patch 2017-11-27 21:44:40.000000000 +0000
@@ -0,0 +1,28 @@
+diff -ru pdns-recursor-4.0.6.orig/opensslsigners.cc pdns-recursor-4.0.6/opensslsigners.cc
+--- pdns-recursor-4.0.6.orig/opensslsigners.cc 2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/opensslsigners.cc 2017-11-02 18:18:37.489408103 +0100
+@@ -474,7 +474,7 @@
+ if (iqmp == NULL) {
+ RSA_free(key);
+ BN_clear_free(dmq1);
+- BN_clear_free(iqmp);
++ BN_clear_free(dmp1);
+ throw runtime_error(getName()+" allocation of BIGNUM iqmp failed");
+ }
+ RSA_set0_crt_params(key, dmp1, dmq1, iqmp);
+@@ -562,6 +562,7 @@
+ BIGNUM *n = BN_bin2bn((unsigned char*)modulus.c_str(), modulus.length(), NULL);
+ if (!n) {
+ RSA_free(key);
++ BN_clear_free(e);
+ throw runtime_error(getName()+" error loading n value of public key");
+ }
+
+@@ -866,6 +867,7 @@
+
+ int ret = EC_POINT_oct2point(d_ecgroup, pub_key, (unsigned char*) ecdsaPoint.c_str(), ecdsaPoint.length(), d_ctx);
+ if (ret != 1) {
++ EC_POINT_free(pub_key);
+ throw runtime_error(getName()+" reading ECP point from binary failed");
+ }
+
diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15094-4.0.6.patch.asc pdns-recursor-4.0.4/debian/patches/CVE-2017-15094-4.0.6.patch.asc
--- pdns-recursor-4.0.4/debian/patches/CVE-2017-15094-4.0.6.patch.asc 1970-01-01 00:00:00.000000000 +0000
+++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15094-4.0.6.patch.asc 2017-11-27 21:44:40.000000000 +0000
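Review bot: All three fixes in opensslsigners.cc add a hand-written free to a single error branch, and the first hunk shows how fragile that is: the old code freed `iqmp`, the pointer just found to be NULL, instead of `dmp1`. Holding each BIGNUM in a scoped owner, e.g. `std::unique_ptr<BIGNUM, void(*)(BIGNUM*)> dmp1(BN_bin2bn(...), BN_clear_free);`, and handing ownership over with `RSA_set0_crt_params(key, dmp1.release(), dmq1.release(), iqmp.release());` would make every throw path leak-free without per-branch bookkeeping. The earlier allocation checks in these functions lie outside the hunks, so whether they free everything allocated before them cannot be confirmed from here. Since the changelog describes this as a leak in DNSSEC parsing, a short comment next to each free saying which earlier allocation it releases would help the next reviewer check the pairing.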
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStK4aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZkcwf/R7kKvjTDNBXVHgafAnis
+3/eyDU6ieNzbbI+Ohv44EaJ3H9VOQr6PDH7yy+COl1rmPaGi5SJOj857IZYgiHeA
+GPjIuTZzHDhl6lnPz+ZkDxuyK1ywkbFFrkENTPoZhcd5Gpp4n0L63pwZ196lLiOP
+GKQNaSyhiyxReHbaYIVNLPXdgNadmUoEYWOxnLfknwxiDE/dKiBDaMW9Tg0BfZs4
+QzqiY76VFYkJ4rdEns+KtGSQboz6ZFduLQ5+3Jfd1t3PsS9VltmmJW64G9dLPGIn
+wQhwgtRqJ3Zb/T3Be+QV1dM7ran0VTkCyoupDQloDh7Sbgfb8hr7pjg1XS2MXA+l
+rQ==
+=vwxR
+-----END PGP SIGNATURE-----
diff -Nru pdns-recursor-4.0.4/debian/patches/series pdns-recursor-4.0.4/debian/patches/series
--- pdns-recursor-4.0.4/debian/patches/series 2017-06-27 12:31:08.000000000 +0000
+++ pdns-recursor-4.0.4/debian/patches/series 2017-11-27 21:44:40.000000000 +0000
@@ -1 +1,5 @@
 0001-Add-the-2017-root-key.patch
+CVE-2017-15090-4.0.6.patch
+CVE-2017-15092-4.0.6.patch
+CVE-2017-15093-4.0.6.patch
+CVE-2017-15094-4.0.6.patch