pkgsrc-Changes archive
CVS commit: pkgsrc/security/opendnssec
Module Name: pkgsrc
Committed By: he
Date: Sat Jul 16 19:49:07 UTC 2016
Modified Files:
pkgsrc/security/opendnssec: Makefile distinfo
Added Files:
pkgsrc/security/opendnssec/patches: patch-signer_src_signer_ixfr.c
patch-signer_src_signer_zone.c patch-signer_src_wire_query.c
Log Message:
Add a couple of patches I have been using with opendnssec in our
installation:
* Log the zone before triggering the "part->soamin" assert.
We've seen this fire with older versions, but it's a while
since I saw it happen. This is to provide more debugging info
should it fire.
* If an .ixfr journal file is detected as "corrupted", rename it
to <zone>.ixfr-bad instead of unlinking it, which would leave
no trace of OpenDNSSEC's own wrongdoing.
* If the signer is exposed, avoid a potential DoS vector with a
crafted message.
Bump PKGREVISION.
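The second item above (quarantine a corrupted .ixfr journal under <zone>.ixfr-bad rather than unlinking it) is worth seeing with the failure handling spelled out. The following is an added example, not OpenDNSSEC code and not part of this commit: quarantine_journal(), build_bad_path() and demo_quarantine() are hypothetical names standing in for the zone.c logic and ods_build_path(); the journal content is constructed. Unlike the committed hunk it checks the rename(2) result, logs why it failed, and only then falls back to unlink(2), so a failed rename is never reported as "saved".

```c
/* Added example, not OpenDNSSEC code: quarantine a journal file that failed to
 * parse instead of unlinking it, checking rename(2) and falling back to
 * unlink(2) only when the rename fails. quarantine_journal() and
 * build_bad_path() are hypothetical names standing in for the zone.c logic
 * and ods_build_path(). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

enum quarantine_result {
    QUARANTINE_RENAMED  = 0,  /* evidence kept at <dir>/<zone>.ixfr-bad */
    QUARANTINE_UNLINKED = 1,  /* rename failed; file removed as a last resort */
    QUARANTINE_FAILED   = 2   /* neither worked; corrupted file still in place */
};

/* Build "<dir>/<zone>.ixfr-bad". Caller frees the result. */
static char *build_bad_path(const char *dir, const char *zone)
{
    static const char suffix[] = ".ixfr-bad";
    size_t len = strlen(dir) + 1 + strlen(zone) + sizeof suffix; /* sizeof counts the NUL */
    char *p = malloc(len);
    if (p)
        snprintf(p, len, "%s/%s%s", dir, zone, suffix);
    return p;
}

enum quarantine_result
quarantine_journal(const char *journal, const char *dir, const char *zone)
{
    char *badfn = build_bad_path(dir, zone);

    if (badfn && rename(journal, badfn) == 0) {
        fprintf(stderr, "corrupted journal for zone %s saved as %s\n", zone, badfn);
        free(badfn);
        return QUARANTINE_RENAMED;
    }
    /* rename() failed (or the name could not be built): say why, then fall back. */
    fprintf(stderr, "could not save corrupted journal %s for zone %s: %s\n",
            journal, zone, badfn ? strerror(errno) : "out of memory");
    free(badfn);
    if (unlink(journal) == 0)
        return QUARANTINE_UNLINKED;
    fprintf(stderr, "unlink(%s) failed: %s\n", journal, strerror(errno));
    return QUARANTINE_FAILED;
}

static int file_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Self-test: write a constructed, deliberately garbage journal into a scratch
 * directory, quarantine it, and return 0 if it ended up at <zone>.ixfr-bad
 * and the original name is gone. Cleans up after itself. */
int demo_quarantine(void)
{
    char dir[64], journal[128];
    char *badfn;
    FILE *f;
    int ok;

    snprintf(dir, sizeof dir, "/tmp/ixfrdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(journal, sizeof journal, "%s/example.com.ixfr", dir);
    f = fopen(journal, "w");
    if (!f)
        return -2;
    fputs(";; constructed garbage that a journal parser would reject\n", f);
    fclose(f);

    ok = quarantine_journal(journal, dir, "example.com") == QUARANTINE_RENAMED;
    badfn = build_bad_path(dir, "example.com");
    ok = ok && badfn && file_exists(badfn) && !file_exists(journal);

    if (badfn) { unlink(badfn); free(badfn); }
    unlink(journal);
    rmdir(dir);
    return ok ? 0 : 1;
}

int main(void)
{
    return demo_quarantine();
}
```

Build with `cc -Wall -o ixfrdemo ixfrdemo.c && ./ixfrdemo`; exit status 0 means the scratch journal was moved, not deleted. Note that rename() only works within one filesystem, so the quarantine name should live next to the journal, as it does here.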
To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.58 pkgsrc/security/opendnssec/Makefile
cvs rdiff -u -r1.33 -r1.34 pkgsrc/security/opendnssec/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/security/opendnssec/patches/patch-signer_src_signer_ixfr.c \
pkgsrc/security/opendnssec/patches/patch-signer_src_signer_zone.c \
pkgsrc/security/opendnssec/patches/patch-signer_src_wire_query.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/opendnssec/Makefile
diff -u pkgsrc/security/opendnssec/Makefile:1.57 pkgsrc/security/opendnssec/Makefile:1.58
--- pkgsrc/security/opendnssec/Makefile:1.57 Wed Jun 8 08:35:10 2016
+++ pkgsrc/security/opendnssec/Makefile Sat Jul 16 19:49:07 2016
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.57 2016/06/08 08:35:10 he Exp $
+# $NetBSD: Makefile,v 1.58 2016/07/16 19:49:07 he Exp $
#
DISTNAME= opendnssec-1.4.10
+PKGREVISION= 1
CATEGORIES= security net
MASTER_SITES= http://www.opendnssec.org/files/source/
Index: pkgsrc/security/opendnssec/distinfo
diff -u pkgsrc/security/opendnssec/distinfo:1.33 pkgsrc/security/opendnssec/distinfo:1.34
--- pkgsrc/security/opendnssec/distinfo:1.33 Wed Jun 8 08:35:10 2016
+++ pkgsrc/security/opendnssec/distinfo Sat Jul 16 19:49:07 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.33 2016/06/08 08:35:10 he Exp $
+$NetBSD: distinfo,v 1.34 2016/07/16 19:49:07 he Exp $
SHA1 (opendnssec-1.4.10.tar.gz) = c83c452b9951df8dd784d7c39aae90363f1a1213
RMD160 (opendnssec-1.4.10.tar.gz) = 0ee7e1b282da6839be919b18faf9fbe567bfc130
@@ -7,3 +7,6 @@ Size (opendnssec-1.4.10.tar.gz) = 103606
SHA1 (patch-aa) = 104e077af6c368cbb5fc3034d58b2f2249fcf991
SHA1 (patch-enforcer_utils_Makefile.am) = 80915dee723535e5854e62bc18f00ba2d5d7496c
SHA1 (patch-enforcer_utils_Makefile.in) = 6c1b4ad25956bfcc8b410a8ca22f2581e64198d1
+SHA1 (patch-signer_src_signer_ixfr.c) = 74c2c320080e585a6126e146c453998f44c164f7
+SHA1 (patch-signer_src_signer_zone.c) = 0330236f11ccab7ed83b73bc83d851f932124318
+SHA1 (patch-signer_src_wire_query.c) = ab60e229687be910be9acd0a43d47987498de070
Added files:
Index: pkgsrc/security/opendnssec/patches/patch-signer_src_signer_ixfr.c
diff -u /dev/null pkgsrc/security/opendnssec/patches/patch-signer_src_signer_ixfr.c:1.1
--- /dev/null Sat Jul 16 19:49:07 2016
+++ pkgsrc/security/opendnssec/patches/patch-signer_src_signer_ixfr.c Sat Jul 16 19:49:07 2016
@@ -0,0 +1,17 @@
+$NetBSD: patch-signer_src_signer_ixfr.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+The part->soamin assertion seems to trigger.
+Be helpful and log the zone name before the assert.
+
+--- signer/src/signer/ixfr.c.orig 2016-01-21 14:31:54.000000000 +0000
++++ signer/src/signer/ixfr.c
+@@ -227,6 +227,9 @@ part_print(FILE* fd, ixfr_type* ixfr, si
+ }
+ ods_log_assert(part->min);
+ ods_log_assert(part->plus);
++ if (!part->soamin) {
++ ods_log_error("[%s] zone %s no part->soamin", ixfr_str, zone->name);
++ }
+ ods_log_assert(part->soamin);
+ ods_log_assert(part->soaplus);
+ if (util_rr_print(fd, part->soamin) != ODS_STATUS_OK) {
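Review bot: the new `ods_log_error("[%s] zone %s no part->soamin", ixfr_str, zone->name)` relies on `zone` and `ixfr_str` being in scope inside part_print(), and neither declaration is visible in the hunk context (the signature shows only `FILE* fd, ixfr_type* ixfr, si...`); please confirm the zone pointer is derived from `ixfr` earlier in the function rather than assumed. The `ods_log_assert(part->soaplus)` on the very next line has the same blind failure mode, so the same pre-assert log would be cheap to add there too.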
Index: pkgsrc/security/opendnssec/patches/patch-signer_src_signer_zone.c
diff -u /dev/null pkgsrc/security/opendnssec/patches/patch-signer_src_signer_zone.c:1.1
--- /dev/null Sat Jul 16 19:49:07 2016
+++ pkgsrc/security/opendnssec/patches/patch-signer_src_signer_zone.c Sat Jul 16 19:49:07 2016
@@ -0,0 +1,30 @@
+$NetBSD: patch-signer_src_signer_zone.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+For debugging, save any corrupted ixfr journal files as <zone>.ixfr-bad.
+
+--- signer/src/signer/zone.c.orig 2016-05-02 10:40:02.000000000 +0000
++++ signer/src/signer/zone.c
+@@ -1028,12 +1028,22 @@ zone_recover2(zone_type* zone)
+ fd = ods_fopen(filename, NULL, "r");
+ }
+ if (fd) {
++ char *badfn = NULL;
++
+ status = backup_read_ixfr(fd, zone);
+ if (status != ODS_STATUS_OK) {
+ ods_log_warning("[%s] corrupted journal file zone %s, "
+ "skipping (%s)", zone_str, zone->name,
+ ods_status2str(status));
+- (void)unlink(filename);
++ badfn = ods_build_path(zone->name, ".ixfr-bad", 0, 1);
++ if (badfn) {
++ (void)rename(filename, badfn);
++ ods_log_warning("[%s] corrupted journal for zone %s "
++ "saved as %s", zone_str, zone->name, badfn);
++ free(badfn);
++ } else {
++ (void)unlink(filename);
++ }
+ ixfr_cleanup(zone->ixfr);
+ zone->ixfr = ixfr_create((void*)zone);
+ }
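Review bot: the return value of `(void)rename(filename, badfn);` is discarded, so if the rename fails (permissions, a cross-filesystem path from ods_build_path, a stale directory) the warning "corrupted journal for zone %s saved as %s" is logged anyway while the corrupted file stays in place under its original name and is re-read on the next zone_recover2(). Suggest `if (rename(filename, badfn) != 0) { ods_log_warning(... strerror(errno)); (void)unlink(filename); }` so the unlink fallback also covers a failed rename, not only a failed ods_build_path(). Also note that each occurrence overwrites the previous <zone>.ixfr-bad, so only the most recent bad journal is preserved; fine for debugging, but worth a word in the patch header.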
Index: pkgsrc/security/opendnssec/patches/patch-signer_src_wire_query.c
diff -u /dev/null pkgsrc/security/opendnssec/patches/patch-signer_src_wire_query.c:1.1
--- /dev/null Sat Jul 16 19:49:07 2016
+++ pkgsrc/security/opendnssec/patches/patch-signer_src_wire_query.c Sat Jul 16 19:49:07 2016
@@ -0,0 +1,18 @@
+$NetBSD: patch-signer_src_wire_query.c,v 1.1 2016/07/16 19:49:07 he Exp $
+
+Add a check for whether we have an RRset in the query,
+to side-step DoS via crafted packet.
+
+--- signer/src/wire/query.c.orig 2016-05-02 10:40:02.000000000 +0000
++++ signer/src/wire/query.c
+@@ -869,6 +869,10 @@ query_process(query_type* q, void* engin
+ return query_formerr(q);
+ }
+ rr = ldns_rr_list_rr(ldns_pkt_question(pkt), 0);
++ if (rr == NULL) {
++ ods_log_debug("[%s] no RRset in query, ignoring", query_str);
++ return QUERY_DISCARDED; /* no RRset in query */
++ }
+ lock_basic_lock(&e->zonelist->zl_lock);
+ /* we can just lookup the zone, because we will only handle SOA queries,
+ zone transfers, updates and notifies */
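Review bot: returning QUERY_DISCARDED with only an `ods_log_debug` means a crafted packet that reaches this path leaves no trace at the default log level, whereas the check immediately above answers a malformed question with `query_formerr(q)`; consider either the same FORMERR response or at least a warning-level log so operators can see the probing. The patch header says "no RRset in query" but the check is on the first question RR (`ldns_rr_list_rr(ldns_pkt_question(pkt), 0)`), and it does not say what the NULL would have hit further down (presumably a dereference of `rr`, which is not in the visible context); stating that in the header makes the DoS claim reviewable.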