import unbound-1.7.3-10.el8
This commit is contained in:
parent
ebba006c53
commit
36200b548a
218
SOURCES/unbound-1.7.3-ipsec-hook.patch
Normal file
218
SOURCES/unbound-1.7.3-ipsec-hook.patch
Normal file
@ -0,0 +1,218 @@
|
||||
diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
|
||||
index c8400c6..9e916d6 100644
|
||||
--- a/ipsecmod/ipsecmod.c
|
||||
+++ b/ipsecmod/ipsecmod.c
|
||||
@@ -162,6 +162,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
|
||||
}
|
||||
|
||||
/**
|
||||
+ * Check if the string passed is a valid domain name with safe characters to
|
||||
+ * pass to a shell.
|
||||
+ * This will only allow:
|
||||
+ * - digits
|
||||
+ * - alphas
|
||||
+ * - hyphen (not at the start)
|
||||
+ * - dot (not at the start, or the only character)
|
||||
+ * - underscore
|
||||
+ * @param s: pointer to the string.
|
||||
+ * @param slen: string's length.
|
||||
+ * @return true if s only contains safe characters; false otherwise.
|
||||
+ */
|
||||
+static int
|
||||
+domainname_has_safe_characters(char* s, size_t slen) {
|
||||
+ size_t i;
|
||||
+ for(i = 0; i < slen; i++) {
|
||||
+ if(s[i] == '\0') return 1;
|
||||
+ if((s[i] == '-' && i != 0)
|
||||
+ || (s[i] == '.' && (i != 0 || s[1] == '\0'))
|
||||
+ || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
|
||||
+ || (s[i] >= 'A' && s[i] <= 'Z')
|
||||
+ || (s[i] >= 'a' && s[i] <= 'z')) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
|
||||
+ * a shell.
|
||||
+ * This is only relevant for checking the gateway when the gateway type is 3
|
||||
+ * (domainname).
|
||||
+ * @param s: pointer to the string.
|
||||
+ * @param slen: string's length.
|
||||
+ * @return true if s contains only safe characters; false otherwise.
|
||||
+ */
|
||||
+static int
|
||||
+ipseckey_has_safe_characters(char* s, size_t slen) {
|
||||
+ int precedence, gateway_type, algorithm;
|
||||
+ char* gateway;
|
||||
+ gateway = (char*)calloc(slen, sizeof(char));
|
||||
+ if(!gateway) {
|
||||
+ log_err("ipsecmod: out of memory when calling the hook");
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if(sscanf(s, "%d %d %d %s ",
|
||||
+ &precedence, &gateway_type, &algorithm, gateway) != 4) {
|
||||
+ free(gateway);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if(gateway_type != 3) {
|
||||
+ free(gateway);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ if(domainname_has_safe_characters(gateway, slen)) {
|
||||
+ free(gateway);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ free(gateway);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
* Prepare the data and call the hook.
|
||||
*
|
||||
* @param qstate: query state.
|
||||
@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
|
||||
{
|
||||
size_t slen, tempdata_len, tempstring_len, i;
|
||||
char str[65535], *s, *tempstring;
|
||||
- int w;
|
||||
+ int w = 0, w_temp, qtype;
|
||||
struct ub_packed_rrset_key* rrset_key;
|
||||
struct packed_rrset_data* rrset_data;
|
||||
uint8_t *tempdata;
|
||||
@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
|
||||
memset(s, 0, slen);
|
||||
|
||||
/* Copy the hook into the buffer. */
|
||||
- sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
|
||||
+ w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
|
||||
/* Put space into the buffer. */
|
||||
- sldns_str_print(&s, &slen, " ");
|
||||
+ w += sldns_str_print(&s, &slen, " ");
|
||||
/* Copy the qname into the buffer. */
|
||||
tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
|
||||
qstate->qinfo.qname_len);
|
||||
@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
|
||||
log_err("ipsecmod: out of memory when calling the hook");
|
||||
return 0;
|
||||
}
|
||||
- sldns_str_print(&s, &slen, "\"%s\"", tempstring);
|
||||
+ if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
|
||||
+ log_err("ipsecmod: qname has unsafe characters");
|
||||
+ free(tempstring);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
|
||||
free(tempstring);
|
||||
/* Put space into the buffer. */
|
||||
- sldns_str_print(&s, &slen, " ");
|
||||
+ w += sldns_str_print(&s, &slen, " ");
|
||||
/* Copy the IPSECKEY TTL into the buffer. */
|
||||
rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
|
||||
- sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
|
||||
+ w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
|
||||
/* Put space into the buffer. */
|
||||
- sldns_str_print(&s, &slen, " ");
|
||||
- /* Copy the A/AAAA record(s) into the buffer. Start and end this section
|
||||
- * with a double quote. */
|
||||
+ w += sldns_str_print(&s, &slen, " ");
|
||||
rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
|
||||
qstate->return_msg->rep);
|
||||
+ /* Double check that the records are indeed A/AAAA.
|
||||
+ * This should never happen as this function is only executed for A/AAAA
|
||||
+ * queries but make sure we don't pass anything other than A/AAAA to the
|
||||
+ * shell. */
|
||||
+ qtype = ntohs(rrset_key->rk.type);
|
||||
+ if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
|
||||
+ log_err("ipsecmod: Answer is not of A or AAAA type");
|
||||
+ return 0;
|
||||
+ }
|
||||
rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
|
||||
- sldns_str_print(&s, &slen, "\"");
|
||||
+ /* Copy the A/AAAA record(s) into the buffer. Start and end this section
|
||||
+ * with a double quote. */
|
||||
+ w += sldns_str_print(&s, &slen, "\"");
|
||||
for(i=0; i<rrset_data->count; i++) {
|
||||
if(i > 0) {
|
||||
/* Put space into the buffer. */
|
||||
- sldns_str_print(&s, &slen, " ");
|
||||
+ w += sldns_str_print(&s, &slen, " ");
|
||||
}
|
||||
/* Ignore the first two bytes, they are the rr_data len. */
|
||||
- w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
|
||||
+ w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
|
||||
rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
|
||||
- if(w < 0) {
|
||||
+ if(w_temp < 0) {
|
||||
/* Error in printout. */
|
||||
- return -1;
|
||||
- } else if((size_t)w >= slen) {
|
||||
+ log_err("ipsecmod: Error in printing IP address");
|
||||
+ return 0;
|
||||
+ } else if((size_t)w_temp >= slen) {
|
||||
s = NULL; /* We do not want str to point outside of buffer. */
|
||||
slen = 0;
|
||||
- return -1;
|
||||
+ log_err("ipsecmod: shell command too long");
|
||||
+ return 0;
|
||||
} else {
|
||||
- s += w;
|
||||
- slen -= w;
|
||||
+ s += w_temp;
|
||||
+ slen -= w_temp;
|
||||
+ w += w_temp;
|
||||
}
|
||||
}
|
||||
- sldns_str_print(&s, &slen, "\"");
|
||||
+ w += sldns_str_print(&s, &slen, "\"");
|
||||
/* Put space into the buffer. */
|
||||
- sldns_str_print(&s, &slen, " ");
|
||||
+ w += sldns_str_print(&s, &slen, " ");
|
||||
/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
|
||||
* with a double quote. */
|
||||
- sldns_str_print(&s, &slen, "\"");
|
||||
+ w += sldns_str_print(&s, &slen, "\"");
|
||||
rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
|
||||
for(i=0; i<rrset_data->count; i++) {
|
||||
if(i > 0) {
|
||||
/* Put space into the buffer. */
|
||||
- sldns_str_print(&s, &slen, " ");
|
||||
+ w += sldns_str_print(&s, &slen, " ");
|
||||
}
|
||||
/* Ignore the first two bytes, they are the rr_data len. */
|
||||
tempdata = rrset_data->rr_data[i] + 2;
|
||||
tempdata_len = rrset_data->rr_len[i] - 2;
|
||||
/* Save the buffer pointers. */
|
||||
tempstring = s; tempstring_len = slen;
|
||||
- w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
|
||||
- NULL, 0);
|
||||
+ w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
|
||||
+ &slen, NULL, 0);
|
||||
/* There was an error when parsing the IPSECKEY; reset the buffer
|
||||
* pointers to their previous values. */
|
||||
- if(w == -1){
|
||||
+ if(w_temp == -1) {
|
||||
s = tempstring; slen = tempstring_len;
|
||||
+ } else if(w_temp > 0) {
|
||||
+ if(!ipseckey_has_safe_characters(
|
||||
+ tempstring, tempstring_len - slen)) {
|
||||
+ log_err("ipsecmod: ipseckey has unsafe characters");
|
||||
+ return 0;
|
||||
+ }
|
||||
+ w += w_temp;
|
||||
}
|
||||
}
|
||||
- sldns_str_print(&s, &slen, "\"");
|
||||
- verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
|
||||
+ w += sldns_str_print(&s, &slen, "\"");
|
||||
+ if(w >= (int)sizeof(str)) {
|
||||
+ log_err("ipsecmod: shell command too long");
|
||||
+ return 0;
|
||||
+ }
|
||||
+ verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
|
||||
/* ipsecmod-hook should return 0 on success. */
|
||||
if(system(str) != 0)
|
||||
return 0;
|
109
SOURCES/unbound-1.7.3-use-basic-lock.patch
Normal file
109
SOURCES/unbound-1.7.3-use-basic-lock.patch
Normal file
@ -0,0 +1,109 @@
|
||||
diff --git a/util/log.c b/util/log.c
|
||||
index 75a58f9..43dd572 100644
|
||||
--- a/util/log.c
|
||||
+++ b/util/log.c
|
||||
@@ -70,7 +70,7 @@ static int key_created = 0;
|
||||
static ub_thread_key_type logkey;
|
||||
#ifndef THREADS_DISABLED
|
||||
/** pthread mutex to protect FILE* */
|
||||
-static lock_quick_type log_lock;
|
||||
+static lock_basic_type log_lock;
|
||||
#endif
|
||||
/** the identity of this executable/process */
|
||||
static const char* ident="unbound";
|
||||
@@ -90,18 +90,18 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
|
||||
if(!key_created) {
|
||||
key_created = 1;
|
||||
ub_thread_key_create(&logkey, NULL);
|
||||
- lock_quick_init(&log_lock);
|
||||
+ lock_basic_init(&log_lock);
|
||||
}
|
||||
- lock_quick_lock(&log_lock);
|
||||
+ lock_basic_lock(&log_lock);
|
||||
if(logfile
|
||||
#if defined(HAVE_SYSLOG_H) || defined(UB_ON_WINDOWS)
|
||||
|| logging_to_syslog
|
||||
#endif
|
||||
) {
|
||||
- lock_quick_unlock(&log_lock); /* verbose() needs the lock */
|
||||
+ lock_basic_unlock(&log_lock); /* verbose() needs the lock */
|
||||
verbose(VERB_QUERY, "switching log to %s",
|
||||
use_syslog?"syslog":(filename&&filename[0]?filename:"stderr"));
|
||||
- lock_quick_lock(&log_lock);
|
||||
+ lock_basic_lock(&log_lock);
|
||||
}
|
||||
if(logfile && logfile != stderr) {
|
||||
FILE* cl = logfile;
|
||||
@@ -119,7 +119,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
|
||||
* chroot and no longer be able to access dev/log and so on */
|
||||
openlog(ident, LOG_NDELAY, LOG_DAEMON);
|
||||
logging_to_syslog = 1;
|
||||
- lock_quick_unlock(&log_lock);
|
||||
+ lock_basic_unlock(&log_lock);
|
||||
return;
|
||||
}
|
||||
#elif defined(UB_ON_WINDOWS)
|
||||
@@ -128,13 +128,13 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
|
||||
}
|
||||
if(use_syslog) {
|
||||
logging_to_syslog = 1;
|
||||
- lock_quick_unlock(&log_lock);
|
||||
+ lock_basic_unlock(&log_lock);
|
||||
return;
|
||||
}
|
||||
#endif /* HAVE_SYSLOG_H */
|
||||
if(!filename || !filename[0]) {
|
||||
logfile = stderr;
|
||||
- lock_quick_unlock(&log_lock);
|
||||
+ lock_basic_unlock(&log_lock);
|
||||
return;
|
||||
}
|
||||
/* open the file for logging */
|
||||
@@ -143,7 +143,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
|
||||
filename += strlen(chrootdir);
|
||||
f = fopen(filename, "a");
|
||||
if(!f) {
|
||||
- lock_quick_unlock(&log_lock);
|
||||
+ lock_basic_unlock(&log_lock);
|
||||
log_err("Could not open logfile %s: %s", filename,
|
||||
strerror(errno));
|
||||
return;
|
||||
@@ -153,14 +153,14 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
|
||||
setvbuf(f, NULL, (int)_IOLBF, 0);
|
||||
#endif
|
||||
logfile = f;
|
||||
- lock_quick_unlock(&log_lock);
|
||||
+ lock_basic_unlock(&log_lock);
|
||||
}
|
||||
|
||||
void log_file(FILE *f)
|
||||
{
|
||||
- lock_quick_lock(&log_lock);
|
||||
+ lock_basic_lock(&log_lock);
|
||||
logfile = f;
|
||||
- lock_quick_unlock(&log_lock);
|
||||
+ lock_basic_unlock(&log_lock);
|
||||
}
|
||||
|
||||
void log_thread_set(int* num)
|
||||
@@ -250,9 +250,9 @@ log_vmsg(int pri, const char* type,
|
||||
return;
|
||||
}
|
||||
#endif /* HAVE_SYSLOG_H */
|
||||
- lock_quick_lock(&log_lock);
|
||||
+ lock_basic_lock(&log_lock);
|
||||
if(!logfile) {
|
||||
- lock_quick_unlock(&log_lock);
|
||||
+ lock_basic_unlock(&log_lock);
|
||||
return;
|
||||
}
|
||||
if(log_now)
|
||||
@@ -279,7 +279,7 @@ log_vmsg(int pri, const char* type,
|
||||
/* line buffering does not work on windows */
|
||||
fflush(logfile);
|
||||
#endif
|
||||
- lock_quick_unlock(&log_lock);
|
||||
+ lock_basic_unlock(&log_lock);
|
||||
}
|
||||
|
||||
/**
|
@ -34,7 +34,7 @@
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.7.3
|
||||
Release: 8%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Release: 10%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: https://www.unbound.net/
|
||||
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -59,6 +59,8 @@ Patch2: unbound-1.7.2-python3-devel.patch
|
||||
Patch3: unbound-1.7.2-python3-pkgconfig.patch
|
||||
Patch4: unbound-1.7.3-anchor-fallback.patch
|
||||
Patch5: unbound-1.7.3-host-any.patch
|
||||
Patch6: unbound-1.7.3-use-basic-lock.patch
|
||||
Patch7: unbound-1.7.3-ipsec-hook.patch
|
||||
|
||||
BuildRequires: gcc, make
|
||||
BuildRequires: flex, openssl-devel
|
||||
@ -158,6 +160,8 @@ pushd %{pkgname}
|
||||
%patch3 -p1 -b .python3
|
||||
%patch4 -p1 -b .anchor-fallback
|
||||
%patch5 -p1 -b .host-any
|
||||
%patch6 -p1 -b .use-basic-lock
|
||||
%patch7 -p1 -b .ipsec-hook
|
||||
|
||||
# only for snapshots
|
||||
# autoreconf -iv
|
||||
@ -429,6 +433,13 @@ popd
|
||||
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
|
||||
|
||||
%changelog
|
||||
* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10
|
||||
- Secure ipsec mode (#1772061)
|
||||
- CVE-2019-18934
|
||||
|
||||
* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-9
|
||||
- Use pthread_mutex_t locks when dealing with I/O operations (#1775708)
|
||||
|
||||
* Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-8
|
||||
- Release memory in unbound-host
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user