aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2019-11-20 11:27:30 +0100
committerLeo <thinkabit.ukim@gmail.com>2019-11-20 11:30:06 +0100
commitae112bcbe065a2f232ad8c641ab8da6b84f7e74c (patch)
treee3927dc548f2cc55ee199056ffe443eb6c373a63
parent9746bba8b1ef891f7af4cc454546ad787884bc84 (diff)
downloadaports-ae112bcbe065a2f232ad8c641ab8da6b84f7e74c.tar.gz
aports-ae112bcbe065a2f232ad8c641ab8da6b84f7e74c.tar.bz2
aports-ae112bcbe065a2f232ad8c641ab8da6b84f7e74c.tar.xz
main/unbound: fix CVE-2019-18934
ref #10965
-rw-r--r--main/unbound/APKBUILD6
-rw-r--r--main/unbound/CVE-2019-18934.patch218
2 files changed, 223 insertions, 1 deletions
diff --git a/main/unbound/APKBUILD b/main/unbound/APKBUILD
index 9719cf0f58..4190a03080 100644
--- a/main/unbound/APKBUILD
+++ b/main/unbound/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=unbound
pkgver=1.7.3
-pkgrel=1
+pkgrel=2
pkgdesc="Unbound is a validating, recursive, and caching DNS resolver"
url="http://unbound.net/"
arch="all"
@@ -21,6 +21,7 @@ source="http://unbound.net/downloads/$pkgname-$pkgver.tar.gz
conf.patch
update-unbound-root-hints
CVE-2019-16866.patch
+ CVE-2019-18934.patch
migrate-dnscache-to-unbound
root.hints
$pkgname.initd
@@ -29,6 +30,8 @@ source="http://unbound.net/downloads/$pkgname-$pkgver.tar.gz
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.7.3-r2:
+# - CVE-2019-18934
# 1.7.3-r1:
# - CVE-2019-16866
@@ -107,6 +110,7 @@ sha512sums="34b2e93660e519b2eccefef26a6c7ac09fa3312384cc3bc449ff2b10743bd86bfeb3
bd51769e3e2d6035df1abbf220038a56a69795a092b5f31005e1910c6c88e334d7e71fe16d874885ef74c597f3a1d7af50f9ad9736ba7ebb10ae50178828661c conf.patch
b16b7b15392c0d560718ee543f1eebc5617085fb30d61cddc20dd948bd8b1634ee5b2de1c9cb172a6c0d1c5bbaf98b6fd39816d39c72a43ff619455449e668ac update-unbound-root-hints
da578f620bc1abca4a53bb3448c023c59ccd33c0d560603ab5e6caf7eebd8e4d8a2401f2e4ebbcf1124f168699be02a489ae27d7b723f9b67678592ecea30529 CVE-2019-16866.patch
+b2ae6363d89c4effa9e926210c4b876eb8fefa79bf459047107e6fb8eb8aca2b9844a4a8bdabe361248be2eeb36519aac7bbc4fe7b805447958088bcc18a83d2 CVE-2019-18934.patch
b26a13c1c88da9611a65705dc59f7233c5e0f6aced0d7d66c18536a969a2de627ca5d4bb55eedd81f2f040fa11bde48eaaeca2850f376e72e7a531678a259131 migrate-dnscache-to-unbound
0dca3470ed4ca9b76d6f47f5d20e92924e6648f0870d8594fe6735d8f1cdfeeee7296301066c2a8b2b94f7daed86c15efe00c301ca27e435e5dd2c85508dc9c8 root.hints
d8392a6d238b46fd207d57eb2d23d0806d070c203ae196a6c2a6a4f7de4c95beecee86640649ff7dcc1cec3d3edcd313e8d91bff4188bdc1133b12fe6eff554e unbound.initd
diff --git a/main/unbound/CVE-2019-18934.patch b/main/unbound/CVE-2019-18934.patch
new file mode 100644
index 0000000000..8d37b9b212
--- /dev/null
+++ b/main/unbound/CVE-2019-18934.patch
@@ -0,0 +1,218 @@
+diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
+index c8400c6..9e916d6 100644
+--- a/ipsecmod/ipsecmod.c
++++ b/ipsecmod/ipsecmod.c
+@@ -161,6 +161,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
+ return 1;
+ }
+
++/**
++ * Check if the string passed is a valid domain name with safe characters to
++ * pass to a shell.
++ * This will only allow:
++ * - digits
++ * - alphas
++ * - hyphen (not at the start)
++ * - dot (not at the start, or the only character)
++ * - underscore
++ * @param s: pointer to the string.
++ * @param slen: string's length.
++ * @return true if s only contains safe characters; false otherwise.
++ */
++static int
++domainname_has_safe_characters(char* s, size_t slen) {
++ size_t i;
++ for(i = 0; i < slen; i++) {
++ if(s[i] == '\0') return 1;
++ if((s[i] == '-' && i != 0)
++ || (s[i] == '.' && (i != 0 || s[1] == '\0'))
++ || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
++ || (s[i] >= 'A' && s[i] <= 'Z')
++ || (s[i] >= 'a' && s[i] <= 'z')) {
++ continue;
++ }
++ return 0;
++ }
++ return 1;
++}
++
++/**
++ * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
++ * a shell.
++ * This is only relevant for checking the gateway when the gateway type is 3
++ * (domainname).
++ * @param s: pointer to the string.
++ * @param slen: string's length.
++ * @return true if s contains only safe characters; false otherwise.
++ */
++static int
++ipseckey_has_safe_characters(char* s, size_t slen) {
++ int precedence, gateway_type, algorithm;
++ char* gateway;
++ gateway = (char*)calloc(slen, sizeof(char));
++ if(!gateway) {
++ log_err("ipsecmod: out of memory when calling the hook");
++ return 0;
++ }
++ if(sscanf(s, "%d %d %d %s ",
++ &precedence, &gateway_type, &algorithm, gateway) != 4) {
++ free(gateway);
++ return 0;
++ }
++ if(gateway_type != 3) {
++ free(gateway);
++ return 1;
++ }
++ if(domainname_has_safe_characters(gateway, slen)) {
++ free(gateway);
++ return 1;
++ }
++ free(gateway);
++ return 0;
++}
++
+ /**
+ * Prepare the data and call the hook.
+ *
+@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
+ {
+ size_t slen, tempdata_len, tempstring_len, i;
+ char str[65535], *s, *tempstring;
+- int w;
++ int w = 0, w_temp, qtype;
+ struct ub_packed_rrset_key* rrset_key;
+ struct packed_rrset_data* rrset_data;
+ uint8_t *tempdata;
+@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
+ memset(s, 0, slen);
+
+ /* Copy the hook into the buffer. */
+- sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
++ w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
++ w += sldns_str_print(&s, &slen, " ");
+ /* Copy the qname into the buffer. */
+ tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
+ qstate->qinfo.qname_len);
+@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
+ log_err("ipsecmod: out of memory when calling the hook");
+ return 0;
+ }
+- sldns_str_print(&s, &slen, "\"%s\"", tempstring);
++ if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
++ log_err("ipsecmod: qname has unsafe characters");
++ free(tempstring);
++ return 0;
++ }
++ w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
+ free(tempstring);
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
++ w += sldns_str_print(&s, &slen, " ");
+ /* Copy the IPSECKEY TTL into the buffer. */
+ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+- sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
++ w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
+- /* Copy the A/AAAA record(s) into the buffer. Start and end this section
+- * with a double quote. */
++ w += sldns_str_print(&s, &slen, " ");
+ rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
+ qstate->return_msg->rep);
++ /* Double check that the records are indeed A/AAAA.
++ * This should never happen as this function is only executed for A/AAAA
++ * queries but make sure we don't pass anything other than A/AAAA to the
++ * shell. */
++ qtype = ntohs(rrset_key->rk.type);
++ if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
++ log_err("ipsecmod: Answer is not of A or AAAA type");
++ return 0;
++ }
+ rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
+- sldns_str_print(&s, &slen, "\"");
++ /* Copy the A/AAAA record(s) into the buffer. Start and end this section
++ * with a double quote. */
++ w += sldns_str_print(&s, &slen, "\"");
+ for(i=0; i<rrset_data->count; i++) {
+ if(i > 0) {
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
++ w += sldns_str_print(&s, &slen, " ");
+ }
+ /* Ignore the first two bytes, they are the rr_data len. */
+- w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
++ w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
+ rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
+- if(w < 0) {
++ if(w_temp < 0) {
+ /* Error in printout. */
+- return -1;
+- } else if((size_t)w >= slen) {
++ log_err("ipsecmod: Error in printing IP address");
++ return 0;
++ } else if((size_t)w_temp >= slen) {
+ s = NULL; /* We do not want str to point outside of buffer. */
+ slen = 0;
+- return -1;
++ log_err("ipsecmod: shell command too long");
++ return 0;
+ } else {
+- s += w;
+- slen -= w;
++ s += w_temp;
++ slen -= w_temp;
++ w += w_temp;
+ }
+ }
+- sldns_str_print(&s, &slen, "\"");
++ w += sldns_str_print(&s, &slen, "\"");
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
++ w += sldns_str_print(&s, &slen, " ");
+ /* Copy the IPSECKEY record(s) into the buffer. Start and end this section
+ * with a double quote. */
+- sldns_str_print(&s, &slen, "\"");
++ w += sldns_str_print(&s, &slen, "\"");
+ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+ for(i=0; i<rrset_data->count; i++) {
+ if(i > 0) {
+ /* Put space into the buffer. */
+- sldns_str_print(&s, &slen, " ");
++ w += sldns_str_print(&s, &slen, " ");
+ }
+ /* Ignore the first two bytes, they are the rr_data len. */
+ tempdata = rrset_data->rr_data[i] + 2;
+ tempdata_len = rrset_data->rr_len[i] - 2;
+ /* Save the buffer pointers. */
+ tempstring = s; tempstring_len = slen;
+- w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
+- NULL, 0);
++ w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
++ &slen, NULL, 0);
+ /* There was an error when parsing the IPSECKEY; reset the buffer
+ * pointers to their previous values. */
+- if(w == -1){
++ if(w_temp == -1) {
+ s = tempstring; slen = tempstring_len;
++ } else if(w_temp > 0) {
++ if(!ipseckey_has_safe_characters(
++ tempstring, tempstring_len - slen)) {
++ log_err("ipsecmod: ipseckey has unsafe characters");
++ return 0;
++ }
++ w += w_temp;
+ }
+ }
+- sldns_str_print(&s, &slen, "\"");
+- verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
++ w += sldns_str_print(&s, &slen, "\"");
++ if(w >= (int)sizeof(str)) {
++ log_err("ipsecmod: shell command too long");
++ return 0;
++ }
++ verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
+ /* ipsecmod-hook should return 0 on success. */
+ if(system(str) != 0)
+ return 0;