Hello community, here is the log from the commit of package pdns-recursor for openSUSE:Factory checked in at 2018-11-27 10:44:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pdns-recursor (Old) and /work/SRC/openSUSE:Factory/.pdns-recursor.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "pdns-recursor" Tue Nov 27 10:44:34 2018 rev:23 rq:652039 version:4.1.8 Changes: -------- --- /work/SRC/openSUSE:Factory/pdns-recursor/pdns-recursor.changes 2018-11-08 09:50:42.860942318 +0100 +++ /work/SRC/openSUSE:Factory/.pdns-recursor.new.19453/pdns-recursor.changes 2018-11-27 10:46:18.979955971 +0100 @@ -1,0 +2,18 @@ +Mon Nov 26 16:15:31 UTC 2018 - adam.majer@suse.de + +- update to 4.1.8 + https://blog.powerdns.com/2018/11/26/powerdns-recursor-4-1-8-released/ + + - Fixes case where a crafted query can cause a denial of service + (CVE-2018-16855, bsc#1116592) + +------------------------------------------------------------------- +Fri Nov 9 14:05:18 UTC 2018 - adam.majer@suse.de + +- update to 4.1.7 + https://blog.powerdns.com/2018/11/09/powerdns-recursor-4-1-7-released/ + + - Revert ‘Keep the EDNS status of a server on FormErr with EDNS’ + - Refuse queries for all meta-types + +------------------------------------------------------------------- Old: ---- pdns-recursor-4.1.6.tar.bz2 pdns-recursor-4.1.6.tar.bz2.sig New: ---- pdns-recursor-4.1.8.tar.bz2 pdns-recursor-4.1.8.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pdns-recursor.spec ++++++ --- /var/tmp/diff_new_pack.CgkaAp/_old 2018-11-27 10:46:21.867953005 +0100 +++ /var/tmp/diff_new_pack.CgkaAp/_new 2018-11-27 10:46:21.875952997 +0100 @@ -35,11 +35,8 @@ %endif Name: pdns-recursor -Version: 4.1.6 +Version: 4.1.8 Release: 0 -%define pkg_version 4.1.6 -# -# BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -84,8 +81,8 @@ PreReq: pdns-common # Url: http://www.powerdns.com/ -Source: http://downloads.powerdns.com/releases/%{name}-%{pkg_version}.tar.bz2 -Source10: http://downloads.powerdns.com/releases/%{name}-%{pkg_version}.tar.bz2.sig +Source: http://downloads.powerdns.com/releases/%{name}-%{version}.tar.bz2 +Source10: http://downloads.powerdns.com/releases/%{name}-%{version}.tar.bz2.sig Source11: https://powerdns.com/powerdns-keyblock.asc#/pdns-recursor.keyring Source1: pdns-recursor.init Source2: recursor.conf @@ -104,7 +101,7 @@ http://www.powerdns.com %prep -%setup -n %{name}-%{pkg_version} +%setup -n %{name}-%{version} %build autoreconf -fi ++++++ pdns-recursor-4.1.6.tar.bz2 -> pdns-recursor-4.1.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.6/.version new/pdns-recursor-4.1.8/.version --- old/pdns-recursor-4.1.6/.version 2018-11-07 12:35:29.000000000 +0100 +++ new/pdns-recursor-4.1.8/.version 2018-11-26 14:23:43.000000000 +0100 @@ -1 +1 @@ -4.1.6 +4.1.8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.6/configure new/pdns-recursor-4.1.8/configure --- old/pdns-recursor-4.1.6/configure 2018-11-07 12:35:28.000000000 +0100 +++ new/pdns-recursor-4.1.8/configure 2018-11-26 14:23:42.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for pdns-recursor 4.1.6. +# Generated by GNU Autoconf 2.69 for pdns-recursor 4.1.8. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='pdns-recursor' PACKAGE_TARNAME='pdns-recursor' -PACKAGE_VERSION='4.1.6' -PACKAGE_STRING='pdns-recursor 4.1.6' +PACKAGE_VERSION='4.1.8' +PACKAGE_STRING='pdns-recursor 4.1.8' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1445,7 +1445,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures pdns-recursor 4.1.6 to adapt to many kinds of systems. +\`configure' configures pdns-recursor 4.1.8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1515,7 +1515,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pdns-recursor 4.1.6:";; + short | recursive ) echo "Configuration of pdns-recursor 4.1.8:";; esac cat <<\_ACEOF @@ -1677,7 +1677,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pdns-recursor configure 4.1.6 +pdns-recursor configure 4.1.8 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2270,7 +2270,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pdns-recursor $as_me 4.1.6, which was +It was created by pdns-recursor $as_me 4.1.8, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3133,7 +3133,7 @@ # Define the identity of the package. PACKAGE='pdns-recursor' - VERSION='4.1.6' + VERSION='4.1.8' cat >>confdefs.h <<_ACEOF @@ -21846,7 +21846,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pdns-recursor $as_me 4.1.6, which was +This file was extended by pdns-recursor $as_me 4.1.8, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21912,7 +21912,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -pdns-recursor config.status 4.1.6 +pdns-recursor config.status 4.1.8 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.6/packetcache.hh new/pdns-recursor-4.1.8/packetcache.hh --- old/pdns-recursor-4.1.6/packetcache.hh 2018-11-07 12:35:16.000000000 +0100 +++ new/pdns-recursor-4.1.8/packetcache.hh 2018-11-26 14:23:30.000000000 +0100 @@ -38,7 +38,7 @@ const char* end = packet.c_str() + packetSize; const char* p = packet.c_str() + pos; - for(; p < end && *p; ++p) { // XXX if you embed a 0 in your qname we'll stop lowercasing there + for(; p < end && *p; ++p, ++pos) { // XXX if you embed a 0 in your qname we'll stop lowercasing there const unsigned char l = dns_tolower(*p); // label lengths can safely be lower cased ret=burtle(&l, 1, ret); } // XXX the embedded 0 in the qname will break the subnet stripping diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.6/pdns_recursor.1 new/pdns-recursor-4.1.8/pdns_recursor.1 --- old/pdns-recursor-4.1.6/pdns_recursor.1 2018-11-07 12:36:20.000000000 +0100 +++ new/pdns-recursor-4.1.8/pdns_recursor.1 2018-11-26 14:24:33.000000000 +0100 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "PDNS_RECURSOR" "1" "Nov 07, 2018" "4.1" "PowerDNS Recursor" +.TH "PDNS_RECURSOR" "1" "Nov 26, 2018" "4.1" "PowerDNS Recursor" .SH NAME pdns_recursor \- The PowerDNS Recursor binary . diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.6/rec_control.1 new/pdns-recursor-4.1.8/rec_control.1 --- old/pdns-recursor-4.1.6/rec_control.1 2018-11-07 12:36:20.000000000 +0100 +++ new/pdns-recursor-4.1.8/rec_control.1 2018-11-26 14:24:33.000000000 +0100 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "REC_CONTROL" "1" "Nov 07, 2018" "4.1" "PowerDNS Recursor" +.TH "REC_CONTROL" "1" "Nov 26, 2018" "4.1" "PowerDNS Recursor" .SH NAME rec_control \- Command line tool to control a running Recursor . diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.6/syncres.cc new/pdns-recursor-4.1.8/syncres.cc --- old/pdns-recursor-4.1.6/syncres.cc 2018-11-07 12:35:16.000000000 +0100 +++ new/pdns-recursor-4.1.8/syncres.cc 2018-11-26 14:23:30.000000000 +0100 @@ -117,8 +117,6 @@ /** everything begins here - this is the entry point just after receiving a packet */ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qclass, vector<DNSRecord>&ret) { - /* rfc6895 section 3.1 + RRSIG and NSEC3 */ - static const std::set<uint16_t> metaTypes = { QType::AXFR, QType::IXFR, QType::RRSIG, QType::NSEC3, QType::OPT, QType::TSIG, QType::TKEY, QType::MAILA, QType::MAILB }; vState state = Indeterminate; s_queries++; d_wasVariable=false; @@ -129,7 +127,9 @@ return 0; // so do check before updating counters (we do now) } - if (metaTypes.count(qtype.getCode())) { + auto qtypeCode = qtype.getCode(); + /* rfc6895 section 3.1 */ + if ((qtypeCode >= 128 && qtypeCode <= 254) || qtypeCode == QType::RRSIG || qtypeCode == QType::NSEC3 || qtypeCode == QType::OPT || qtypeCode == 65535) { return -1; } @@ -479,7 +479,12 @@ return ret; } else if(mode==EDNSStatus::UNKNOWN || mode==EDNSStatus::EDNSOK || mode == EDNSStatus::EDNSIGNORANT ) { - if(!res->d_haveEDNS && (res->d_rcode == RCode::FormErr || res->d_rcode == RCode::NotImp)) { + /* So, you might be tempted to treat the presence of EDNS in a response as meaning that the + server does understand EDNS, and thus prevent a downgrade to no EDNS. + It turns out that you can't because there are a lot of crappy servers out there, + so you have to treat a FormErr as 'I have no idea what this EDNS thing is' no matter what. + */ + if(res->d_rcode == RCode::FormErr || res->d_rcode == RCode::NotImp) { // cerr<<"Downgrading to NOEDNS because of "<<RCode::to_s(res->d_rcode)<<" for query to "<<ip.toString()<<" for '"<<domain<<"'"<<endl; mode = EDNSStatus::NOEDNS; continue; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.6/test-packetcache_hh.cc new/pdns-recursor-4.1.8/test-packetcache_hh.cc --- old/pdns-recursor-4.1.6/test-packetcache_hh.cc 2018-11-07 12:35:16.000000000 +0100 +++ new/pdns-recursor-4.1.8/test-packetcache_hh.cc 2018-11-26 14:23:30.000000000 +0100 @@ -166,6 +166,38 @@ } } +BOOST_AUTO_TEST_CASE(test_PacketCacheRecSimple) { + + const DNSName qname("www.powerdns.com."); + uint16_t qtype = QType::AAAA; + EDNSSubnetOpts opt; + DNSPacketWriter::optvect_t ednsOptions; + uint16_t ecsBegin; + uint16_t ecsEnd; + + { + vector<uint8_t> packet; + DNSPacketWriter pw1(packet, qname, qtype); + pw1.getHeader()->rd = true; + pw1.getHeader()->qr = false; + pw1.getHeader()->id = 0x42; + pw1.addOpt(512, 0, 0); + pw1.commit(); + + string spacket1((const char*)&packet[0], packet.size()); + /* set the RD length to a large value */ + unsigned char* ptr = reinterpret_cast<unsigned char*>(&spacket1.at(sizeof(dnsheader) + qname.wirelength() + /* qtype and qclass */ 4 + /* OPT root label (1), type (2), class (2) and ttl (4) */ 9)); + *ptr = 255; + *(ptr + 1) = 255; + /* truncate the end of the OPT header to try to trigger an out of bounds read */ + spacket1.resize(spacket1.size() - 6); + PacketCache::canHashPacket(spacket1, &ecsBegin, &ecsEnd); + /* no ECS */ + BOOST_CHECK_EQUAL(ecsBegin, 0); + BOOST_CHECK_EQUAL(ecsEnd, 0); + } +} + BOOST_AUTO_TEST_CASE(test_PacketCacheRecCollision) { /* rec version (ECS is processed, we hash the whole query except for the ID and the ECS value, while lowercasing the qname) */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.6/test-syncres_cc.cc new/pdns-recursor-4.1.8/test-syncres_cc.cc --- old/pdns-recursor-4.1.6/test-syncres_cc.cc 2018-11-07 12:35:16.000000000 +0100 +++ new/pdns-recursor-4.1.8/test-syncres_cc.cc 2018-11-26 14:23:30.000000000 +0100 @@ -652,8 +652,9 @@ initSR(sr); /* in this test, the auth answers with FormErr to an EDNS-enabled - query, but the response does contain EDNS so we should not mark - it as EDNS ignorant or intolerant. + query, but the response does contain EDNS so we might consider + that the server knows a bit about EDNS. It turns out that we can't + because there are too many awful servers out there. */ size_t queriesWithEDNS = 0; size_t queriesWithoutEDNS = 0; @@ -669,11 +670,15 @@ } usedServers.insert(ip); - if (type == QType::DNAME) { - setLWResult(res, RCode::FormErr); + if (type == QType::A) { if (EDNS0Level > 0) { + setLWResult(res, RCode::FormErr); res->d_haveEDNS = true; } + else { + setLWResult(res, 0, true, false, false); + addRecordToLW(res, domain, QType::A, "192.0.2.1"); + } return 1; } @@ -683,15 +688,40 @@ primeHints(); vector<DNSRecord> ret; - int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::DNAME), QClass::IN, ret); - BOOST_CHECK_EQUAL(res, RCode::ServFail); - BOOST_CHECK_EQUAL(ret.size(), 0); - BOOST_CHECK_EQUAL(queriesWithEDNS, 26); - BOOST_CHECK_EQUAL(queriesWithoutEDNS, 0); - BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), 26); - BOOST_CHECK_EQUAL(usedServers.size(), 26); + int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(ret.size(), 1); + BOOST_CHECK_EQUAL(queriesWithEDNS, 1); + BOOST_CHECK_EQUAL(queriesWithoutEDNS, 1); + BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), 1); + BOOST_CHECK_EQUAL(usedServers.size(), 1); for (const auto& server : usedServers) { - BOOST_CHECK_EQUAL(SyncRes::getEDNSStatus(server), SyncRes::EDNSStatus::EDNSOK); + BOOST_CHECK_EQUAL(SyncRes::getEDNSStatus(server), SyncRes::EDNSStatus::NOEDNS); + } +} + +BOOST_AUTO_TEST_CASE(test_meta_types) { + std::unique_ptr<SyncRes> sr; + initSR(sr); + + static const std::set<uint16_t> invalidTypes = { 128, QType::AXFR, QType::IXFR, QType::RRSIG, QType::NSEC3, QType::OPT, QType::TSIG, QType::TKEY, QType::MAILA, QType::MAILB, 65535 }; + + for (const auto qtype : invalidTypes) { + size_t queriesCount = 0; + + sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, std::shared_ptr<RemoteLogger> outgoingLogger, LWResult* res, bool* chained) { + + queriesCount++; + return 0; + }); + + primeHints(); + + vector<DNSRecord> ret; + int res = sr->beginResolve(DNSName("powerdns.com."), QType(qtype), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, -1); + BOOST_CHECK_EQUAL(ret.size(), 0); + BOOST_CHECK_EQUAL(queriesCount, 0); } }