authorLeo <thinkabit.ukim@gmail.com>2019-10-24 09:15:13 -0300
committerKevin Daudt <kdaudt@alpinelinux.org>2019-10-31 16:39:29 +0000
commit73eb35a4678f12c11a7a0cae308c1acbd4a04e17 (patch)
tree069049c0c32dfa0c4a2a9ac0e82bb940c0cec718
parent8068beb7764186e23ef3384d64b0a90bb0523d60 (diff)
downloadaports-73eb35a4678f12c11a7a0cae308c1acbd4a04e17.tar.gz
aports-73eb35a4678f12c11a7a0cae308c1acbd4a04e17.tar.bz2
aports-73eb35a4678f12c11a7a0cae308c1acbd4a04e17.tar.xz
main/unbound: fix CVE-2019-16866
ref #10897 Closes !766
-rw-r--r--main/unbound/APKBUILD8
-rw-r--r--main/unbound/CVE-2019-16866.patch26
2 files changed, 33 insertions, 1 deletions
diff --git a/main/unbound/APKBUILD b/main/unbound/APKBUILD
index d914cc47e2..22392d66cd 100644
--- a/main/unbound/APKBUILD
+++ b/main/unbound/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=unbound
pkgver=1.9.1
-pkgrel=2
+pkgrel=3
pkgdesc="Unbound is a validating, recursive, and caching DNS resolver"
url="http://unbound.net/"
arch="all"
@@ -20,12 +20,17 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs $pkgname-dbg
$pkgname-openrc py-unbound:py $pkgname-migrate::noarch"
source="https://unbound.net/downloads/$pkgname-$pkgver.tar.gz
conf.patch
+ CVE-2019-16866.patch
migrate-dnscache-to-unbound
$pkgname.initd
$pkgname.confd
"
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes
+# 1.9.1-r3:
+# - CVE-2019-16866
+
build() {
cd "$builddir"
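Review bot: The added `# secfixes` header has no trailing colon, while the two lines under it are written as structured entries (`# 1.9.1-r3:` and `# - CVE-2019-16866`). Alpine's security-fix tracking is generated from this comment block, so a header that does not parse may leave CVE-2019-16866 unrecorded for 1.9.1-r3, and scanners that rely on that data would keep reporting the patched package as vulnerable. I would write the header as `# secfixes:`. The nesting of the version and CVE lines is not visible in this rendering, so confirm they are indented as `#   1.9.1-r3:` and `#     - CVE-2019-16866`.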
@@ -108,6 +113,7 @@ migrate() {
sha512sums="5dfac7ce3892f73109fdfe0f81863643b1f4c10cee2d4e2d1a28132f1b9ea4d4f89242e4e6348fdadf998f1c75d53577cbf4f719e98faa1342fc3c5de2e8903d unbound-1.9.1.tar.gz
f9b90c6e717f99f3927a20320c5ec9e666af9eb4ad732520cd6de12c9ea98375c44dbbc598bef955a7c0243fbce0b29d9015ccc85b909b62509967cd8976a3c8 conf.patch
+da578f620bc1abca4a53bb3448c023c59ccd33c0d560603ab5e6caf7eebd8e4d8a2401f2e4ebbcf1124f168699be02a489ae27d7b723f9b67678592ecea30529 CVE-2019-16866.patch
0a5c7b8f2b8c79c5384bce05962c8f8f5f31ce3aeb967b0e897361a24ea7065eb4e7c28ff3acfb0fb0d46be966d4e526e64b231f49b589ec63f576c25433bb59 migrate-dnscache-to-unbound
a2b39cb00d342c3bae70ae714dc2bd7c15d0475b35f7afff11fb0bd4c1786f83dd5425a5900a7b4d6c17915a6c546e37f82404bceb44f79c054629e999f23152 unbound.initd
40c660f275a78f93677761f52bdf7ef151941e8469dd17767a947dbe575880e0d113c320d15c7ea7e12ef636d8ec9453eeae804619678293fa35e3d4c7e75a71 unbound.confd"
diff --git a/main/unbound/CVE-2019-16866.patch b/main/unbound/CVE-2019-16866.patch
new file mode 100644
index 0000000000..63ebf61005
--- /dev/null
+++ b/main/unbound/CVE-2019-16866.patch
@@ -0,0 +1,26 @@
+diff --git a/util/data/msgparse.c b/util/data/msgparse.c
+index 13cad8a..fb31237 100644
+--- a/util/data/msgparse.c
++++ b/util/data/msgparse.c
+@@ -1061,18 +1061,18 @@ parse_edns_from_pkt(sldns_buffer* pkt, struct edns_data* edns,
+ size_t rdata_len;
+ uint8_t* rdata_ptr;
+ log_assert(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) == 1);
++ memset(edns, 0, sizeof(*edns));
+ if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) != 0 ||
+ LDNS_NSCOUNT(sldns_buffer_begin(pkt)) != 0) {
+ if(!skip_pkt_rrs(pkt, ((int)LDNS_ANCOUNT(sldns_buffer_begin(pkt)))+
+ ((int)LDNS_NSCOUNT(sldns_buffer_begin(pkt)))))
+- return 0;
++ return LDNS_RCODE_FORMERR;
+ }
+ /* check edns section is present */
+ if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) {
+ return LDNS_RCODE_FORMERR;
+ }
+ if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) == 0) {
+- memset(edns, 0, sizeof(*edns));
+ edns->udp_size = 512;
+ return 0;
+ }
+
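Review bot: The new patch file starts directly at `diff --git a/util/data/msgparse.c` with no header saying where the change comes from, so nobody can later check that it matches the upstream fix for CVE-2019-16866 or tell when it can be dropped on an upgrade. I would add a short preamble above the `diff --git` line, for example `Upstream: <UPSTREAM_COMMIT_OR_ADVISORY_URL>` and `Fixes: CVE-2019-16866`; patch(1) ignores leading text before the first file header. In the code itself, moving `memset(edns, 0, sizeof(*edns))` ahead of the first return gives every early exit shown here a defined `*edns`. parse_edns_from_pkt continues past the end of the hunk, so the later return paths should be compared with the upstream source to confirm none of them leaves the struct partly filled.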