-rw-r--r--main/unbound/APKBUILD9
-rw-r--r--main/unbound/CVE-2019-16866.patch26
2 files changed, 33 insertions, 2 deletions
diff --git a/main/unbound/APKBUILD b/main/unbound/APKBUILD
index 3b0f1f960d..c92f09b4a8 100644
--- a/main/unbound/APKBUILD
+++ b/main/unbound/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=unbound
pkgver=1.7.3
-pkgrel=0
+pkgrel=1
pkgdesc="Unbound is a validating, recursive, and caching DNS resolver"
url="http://unbound.net/"
arch="all"
@@ -20,6 +20,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs $pkgname-dbg py-unbound:py
source="http://unbound.net/downloads/$pkgname-$pkgver.tar.gz
conf.patch
update-unbound-root-hints
+ CVE-2019-16866.patch
migrate-dnscache-to-unbound
root.hints
$pkgname.initd
@@ -27,6 +28,10 @@ source="http://unbound.net/downloads/$pkgname-$pkgver.tar.gz
"
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes
+# 1.7.3-r1:
+# - CVE-2019-16866
+
build() {
cd "$builddir"
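Review bot: The added marker line reads `# secfixes` with no trailing colon. Alpine's security-tracking tooling reads this comment block as YAML under a `# secfixes:` key, so as written the CVE-2019-16866 entry may not be picked up for 1.7.3-r1; this is worth confirming against the tooling used for this branch. I would write it as `# secfixes:` followed by `#   1.7.3-r1:` and `#     - CVE-2019-16866`. Leading whitespace is not visible in this view, so only the missing colon is certain; the nesting indentation should be checked in the file itself.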
@@ -98,10 +103,10 @@ migrate() {
install -m755 -D "$srcdir"/migrate-dnscache-to-unbound \
"$subpkgdir"/usr/bin/migrate-dnscache-to-unbound
}
-
sha512sums="34b2e93660e519b2eccefef26a6c7ac09fa3312384cc3bc449ff2b10743bd86bfeb36ec19d35eb913f8d0a3d91ad7923260a66fc799f28b0a2cc06741d80f27a unbound-1.7.3.tar.gz
bd51769e3e2d6035df1abbf220038a56a69795a092b5f31005e1910c6c88e334d7e71fe16d874885ef74c597f3a1d7af50f9ad9736ba7ebb10ae50178828661c conf.patch
b16b7b15392c0d560718ee543f1eebc5617085fb30d61cddc20dd948bd8b1634ee5b2de1c9cb172a6c0d1c5bbaf98b6fd39816d39c72a43ff619455449e668ac update-unbound-root-hints
+da578f620bc1abca4a53bb3448c023c59ccd33c0d560603ab5e6caf7eebd8e4d8a2401f2e4ebbcf1124f168699be02a489ae27d7b723f9b67678592ecea30529 CVE-2019-16866.patch
b26a13c1c88da9611a65705dc59f7233c5e0f6aced0d7d66c18536a969a2de627ca5d4bb55eedd81f2f040fa11bde48eaaeca2850f376e72e7a531678a259131 migrate-dnscache-to-unbound
0dca3470ed4ca9b76d6f47f5d20e92924e6648f0870d8594fe6735d8f1cdfeeee7296301066c2a8b2b94f7daed86c15efe00c301ca27e435e5dd2c85508dc9c8 root.hints
d8392a6d238b46fd207d57eb2d23d0806d070c203ae196a6c2a6a4f7de4c95beecee86640649ff7dcc1cec3d3edcd313e8d91bff4188bdc1133b12fe6eff554e unbound.initd
diff --git a/main/unbound/CVE-2019-16866.patch b/main/unbound/CVE-2019-16866.patch
new file mode 100644
index 0000000000..63ebf61005
--- /dev/null
+++ b/main/unbound/CVE-2019-16866.patch
@@ -0,0 +1,26 @@
+diff --git a/util/data/msgparse.c b/util/data/msgparse.c
+index 13cad8a..fb31237 100644
+--- a/util/data/msgparse.c
++++ b/util/data/msgparse.c
+@@ -1061,18 +1061,18 @@ parse_edns_from_pkt(sldns_buffer* pkt, struct edns_data* edns,
+ size_t rdata_len;
+ uint8_t* rdata_ptr;
+ log_assert(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) == 1);
++ memset(edns, 0, sizeof(*edns));
+ if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) != 0 ||
+ LDNS_NSCOUNT(sldns_buffer_begin(pkt)) != 0) {
+ if(!skip_pkt_rrs(pkt, ((int)LDNS_ANCOUNT(sldns_buffer_begin(pkt)))+
+ ((int)LDNS_NSCOUNT(sldns_buffer_begin(pkt)))))
+- return 0;
++ return LDNS_RCODE_FORMERR;
+ }
+ /* check edns section is present */
+ if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) {
+ return LDNS_RCODE_FORMERR;
+ }
+ if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) == 0) {
+- memset(edns, 0, sizeof(*edns));
+ edns->udp_size = 512;
+ return 0;
+ }
+
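Review bot: The new CVE-2019-16866.patch starts directly at the inner `diff --git` line, with no header saying where the fix comes from. A later maintainer therefore cannot check it against upstream or tell when it can be dropped. A short preamble above the diff would cover that, for example `Fix for CVE-2019-16866 in parse_edns_from_pkt, taken from <UPSTREAM_COMMIT_OR_URL>`; the sha512sums entry in APKBUILD then has to be regenerated. The preamble could also record what the change does: `memset(edns, 0, sizeof(*edns))` now runs before every early return, so `*edns` is initialised on the FORMERR paths too, and a failed `skip_pkt_rrs` is reported as `LDNS_RCODE_FORMERR` instead of 0. The rest of parse_edns_from_pkt lies outside the hunk, so its later return paths cannot be checked from here.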